Message-ID: <4449E528.8070806@securescience.net>
Date: Sat, 22 Apr 2006 01:11:20 -0700
From: Lance James <bugtraq@...urescience.net>
To: phishing@...urityfocus.com, binaryanalysis@...urityfocus.com,
	bugtraq@...urityfocus.com
Subject: PowerPoint Phishing Trojan


Hi all,

Just an FYI, there is a neat little PowerPoint Trojan that we received
from a helpful source yesterday. It appears to be exploiting this vuln:

http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

I extracted the PE file(s) out of the ppt and got only 3 recognizing the
file as malicious:

I have the binary available to AV vendors by request.

I found the blind drop and have recovered all the stolen files.

Thanks.

Antivirus 	Version 	Update 	Result
AntiVir 	6.34.0.24 	04.20.2006 	no virus found
Avast 	4.6.695.0 	04.21.2006 	no virus found
AVG 	386 	04.21.2006 	no virus found
Avira 	6.34.0.56 	04.21.2006 	no virus found
BitDefender 	7.2 	04.22.2006 	Trojan.PPT.A
CAT-QuickHeal 	8.00 	04.21.2006 	no virus found
ClamAV 	devel-20060202 	04.22.2006 	no virus found
DrWeb 	4.33 	04.21.2006 	BACKDOOR.Trojan
eTrust-InoculateIT 	23.71.136 	04.22.2006 	no virus found
eTrust-Vet 	12.4.2171 	04.21.2006 	no virus found
Ewido 	3.5 	04.21.2006 	no virus found
Fortinet 	2.71.0.0 	04.22.2006 	suspicious
F-Prot 	3.16c 	04.21.2006 	no virus found
Ikarus 	0.2.59.0 	04.21.2006 	no virus found
Kaspersky 	4.0.2.24 	04.22.2006 	no virus found
McAfee 	4746 	04.21.2006 	no virus found
NOD32v2 	1.1501 	04.21.2006 	probably unknown NewHeur_PE virus
Norman 	5.90.16 	04.21.2006 	W32/Malware
Panda 	9.0.0.4 	04.21.2006 	Suspicious file
Sophos 	4.04.0 	04.21.2006 	no virus found
Symantec 	8.0 	04.22.2006 	no virus found
TheHacker 	5.9.7.132 	04.21.2006 	no virus found
UNA 	1.83 	04.21.2006 	no virus found
VBA32 	3.10.5 	04.19.2006 	no virus found

Additional Information
File size: 144514 bytes
MD5: d8ec5f57861104fba4ee2e3f12cfa5a8
SHA1: 94d2202fb50df5a8e00f5da50b8e0783ec144465
Norman SandBox:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@...MAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Decompressing ASPack.
* File length: 144514 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\wbem\wmiadapt.exe.
* Creates file C:\WINDOWS\SYSTEM32\systhin.dll.

[ Process/window information ]
* Modifies other process memory.
* Creates a remote thread.
