From: hescominsoon at emmanuelcomputerconsulting.com (William Warren)
Subject: Backdoor not recognized by Kaspersky

a better solution is to have .zip whoeslae killed at hte firewall/a-v 
gateway like i have setup here..then these pasword protected zip files 
are not a concern..:)

Larry Seltzer wrote:

>>>Attached backdoor not recognized by Kaspersky or Norton 2004?
> 
> 
> It's Bagle/Beagle.J. The problem is that the file is password-protected, so it's not
> obvious how a scanner will get it until it's opened. Notice that the e-mail includes the
> password ("65316"). In fact Norton finds it when the ZIP is opened and the extracted
> file hits the file system. 
> 
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> larryseltzer@...fdavis.com 
> 
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Kristian Hermansen
> Sent: Tuesday, March 02, 2004 5:34 PM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky
> 
> 
> Attached backdoor not recognized by Kaspersky or Norton 2004?  I received this file
> recently, but Kaspersky did not detect malicious code.  Wondering if any of you guys
> know about it or have analyzed it before?  It is definitely NOT a text document.  I
> opened it up with WinHex and see the file "yfivyjmg.exe" in there towards the beginning.
> Looks to be a packed exe within, and first few bytes are:
> 
> 504B03040A0001000000C07E62309FE242510C300000003000000C00000079666976796A6D67
> 2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE712E68000E55E
> E8A39241
> 
> Last few bytes are:
> 
> E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EAE0D2BA2A6EF
> 88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309FE242510C30
> 0000003000000C000000000000000100200000000000000079666976796A6D672E657865504B
> 050600000000010001003A000000363000000000
> 
> I am reluctant to open the zip right now, as I fear it may be exploiting an overflow to
> run the EXE file within.  I may try to open it on a virtual machine later, but if you
> guys do know anything about this one please let me know.  It's nice and small too (12
> KB)!  Wonder if the guy wrote it himself. Of course, the IP address is spoofed to a
> University of Chicago machine.  Is it even possible to trace back?  I still have the
> full headers, but they looked nicely stripped to the gills.  I have been receiving
> elevated attacks via email over the last few days, so maybe it is some guy on this list
> trying to get me ;-)  One previous email stated that it was the FBI and to call a number
> listed in the email.  This was most likely an attempt to get the number I was calling
> from.  This guy thinks he's smooth...
> 
> 
> Kristian Hermansen
> khermansen@...technology.com
> 
> -----Original Message-----
> From: management@...otoys.com [mailto:management@...ankedout}.com] 
> Sent: Tuesday, March 02, 2004 5:03 PM
> To: webmaster@...ankedout}.com
> Subject: E-mail account security warning.
> 
> Dear user of  {blankedout}.com  gateway e-mail server,
> 
> Your  e-mail account has been temporary disabled because of unauthorized access.
> 
> For details see the attached file.
> 
> For security  purposes  the  attached file  is password protected.  Password is "65316".
> 
> Best  wishes,
>     The {blankedout}.com  team                               http://www.
> {blankedout}..com
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

-- 
My "Foundation" verse:
Isa 54:17  No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.

Powered by blists - more mailing lists