lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 29 Jan 2004 23:00:20 +0100 (MET)
Subject: Re: new WIN virus?

Seems that the webpage uses several known (unfixed) exploits in IE, i.e. it
spoofes the URL in the adress-bar and overwrites Mediaplayer with an
executable (updatte.exe). I took a quick look at the executable. It seems to be some
sort of 900#-dialer. I couldn't find out a lot since all my disassembly tools
don't like the stuff that my unpacker produced (the executable uses an
exe-packer called FSG), but from the API that's imported (some RAS stuff) my best
guess right now is that it is yet-another-dialer. Strings in the unpacked
executable seem to be encrypted for the most part. If this spam was meant to be
for the German "market", the spamers forgot to register their dialer with the
RegTP/government, so no lead there...


The early bird gets the worm. If you want
something else for breakfast, get up later.

+++ GMX - die erste Adresse für Mail, Message, More +++
Bis 31.1.: TopMail + Digicam für nur 29 EUR

Powered by blists - more mailing lists