Date: Tue Aug 9 02:50:51 2005
From: arjunior at attps.com.br (Armando Rogerio Brandão Guimaraes Junior)
Subject: What is this

This link came through MSN chat. The IM worm inserted this link in chat.

Armando Guimarães Jr

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Ron
Sent: Monday, 08 August 2005 16:06
To: michael.ligh@...n.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] What is this

I've seen something very similar spreading as an IM worm. There's a pretty good chance he got it from AIM or MSN. Of course, it could also be a classic email worm, who knows?

Michael Hale wrote:
> Anti virus doesn't detect it because it's packed with ASProtect 1.2.x
> (using StudPE). You can see the difference when it's dumped out of RAM
> into its uncompressed/decrypted form (see VirusTotal results below).
> My interest is where you came across this URL. Can you provide that
> information?
>
> Scan results
> File: DUMPED.php
> Date: 08/08/2005 20:39:56 (CET)
> ----
> AntiVir 6.31.1.0/20050808 found [BDS/SdBot.Gen.Plus]
> Avast 4.6.695.0/20050808 found nothing
> AVG 718/20050807 found nothing
> Avira 6.31.1.0/20050808 found [BDS/SdBot.Gen.Plus]
> BitDefender 7.0/20050808 found nothing
> CAT-QuickHeal 7.03/20050808 found [(Suspicious) - DNAScan]
> ClamAV devel-20050725/20050808 found [Trojan.Mybot-312]
> DrWeb 4.32b/20050808 found [BackDoor.IRC.Sdbot.118]
> eTrust-Iris 7.1.194.0/20050806 found nothing
> eTrust-Vet 11.9.1.0/20050808 found [Win32.Slinbot]
> Fortinet 2.36.0.0/20050808 found [suspicious]
> F-Prot 3.16c/20050808 found nothing
> Ikarus 0.2.59.0/20050808 found nothing
> Kaspersky 4.0.2.24/20050808 found nothing
> McAfee 4552/20050808 found [New Malware.b]
> NOD32v2 1.1187/20050805 found [BAT/NoShare.L]
> Norman 5.70.10/20050805 found nothing
> Panda 8.02.00/20050808 found nothing
> Sophos 3.96.0/20050808 found nothing
> Sybari 7.5.1314/20050808 found [Win32.Slinbot]
> Symantec 8.0/20050808 found [W32.Randex]
> TheHacker 5.8.2.082/20050808 found nothing
> VBA32 3.10.4/20050808 found [suspected of Backdoor.RxBot.2]
>
> On 8/8/05, trains@...torunix.com <trains@...torunix.com> wrote:
>
>> Quoting Armando Rogerio Brandão Guimaraes Junior <arjunior@...ps.com.br>:
>>
>>> Somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php
>>> AntiVirus and SpyBot doesn't detect!!!
>>>
>>> Armando Guimarães Jr
>>
>> It is an MS-EXE executable program. Anti virus doesn't find it because
>> it is not a virus. Spybot for the same reason. To block these you
>> need an SMTP policy that does not allow executable attachments to
>> incoming emails.
>>
>> "What it does" could be anything from typing "hello world" in a dialog
>> box (unlikely) to creating a new Administrator account on your
>> corporate AD server and posting the entire contents thereof to an IRC
>> channel (somewhat more likely). But at first glance it looks like it
>> is going to open a backdoor shell on the recipient's PC.
>>
>> tc
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
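The point tc makes, that the download is an MS-EXE whatever its .php name says and belongs on a block list at the gateway, as an added example that is not part of this thread: a Python check that identifies a PE image from its MZ stub and PE signature rather than its extension, and flags a high-entropy body, the usual sign of a packed payload like the ASProtect case Michael describes. The sample bytes are constructed here and are not the real file; the 7.2 entropy threshold is an assumed tuning value.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted bodies sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_pe_image(data: bytes) -> bool:
    """True when a DOS 'MZ' stub's e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Extensions under which a PE image is expected; anything else is a disguise.
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "sys"}

def classify(filename: str, data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Content-based verdict on one attachment/download (assumed threshold)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    pe = is_pe_image(data)
    ent = shannon_entropy(data)
    return {
        "name": filename,
        "is_pe": pe,
        "extension_mismatch": pe and ext not in EXECUTABLE_EXTENSIONS,
        "entropy": round(ent, 2),
        "looks_packed": pe and ent >= entropy_threshold,
        "block": pe,  # executables are blocked on content, never on name
    }

def build_sample_pe() -> bytes:
    """Constructed stand-in: 64-byte MZ stub, PE signature at 0x40, uniform body."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)        # e_lfanew -> PE header
    body = bytes(range(256)) * 8                     # every byte value equally likely
    return bytes(stub) + b"PE\x00\x00" + body

if __name__ == "__main__":
    print(classify("IMAGE0004.php", build_sample_pe()))
```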