Message-ID: <000901c38c7c$fd134e00$4802a8c0@Security>
From: joel at helgeson.com (Joel R. Helgeson)
Subject: Email Harvesting virus?

I came across an interesting event today. I haven't been able to research it as much as I'd like, but I'd like to toss it out to the community just the same.

A customer's machine appears to be infected with some type of malware that apparently harvests email addresses and puts them into a file named '~'.  Just the tilde ~, no extension.  This file is created under C:\Documents and Settings\%username%\~.  I have attached a zipped copy of the file for reference.

I came across the file earlier today, renamed it and copied it off to a keychain USB drive for later analysis. Well, the file re-created itself and the malware creating it is not immediately apparent.  I've scanned all the running apps but I haven't had much time to investigate.

Any ideas?


Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll be warm for the rest of his life."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031006/9c7cd436/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ~.zip
Type: application/x-zip-compressed
Size: 16312 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031006/9c7cd436/.bin
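A triage helper for the artifact this message describes, added here as an example and not part of the original post or its attachment: it pulls addresses out of a raw dump like the reported '~' file, tallies them per domain to gauge exposure, and fingerprints the file so its re-creation after removal can be confirmed from two snapshots. The profile root is the path named in the post; the sample bytes are constructed.

```python
import hashlib
import os
import re
from collections import Counter

# Loose pattern, enough to triage a harvest dump; not full RFC 5322.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample of what such a dump might hold: binary noise around
# the addresses, duplicates, mixed case and one malformed entry.
SAMPLE = (b"\x00\x01MAPI\x00alice@example.com\x00\xffBob@Example.ORG\x00"
          b"carol@corp.example.net\x00dave@example.com\x00"
          b"alice@example.com\x00junk@@nope\x00")

def extract_emails(data: bytes) -> list:
    """Unique, lower-cased addresses found in raw bytes, in first-seen order."""
    seen = {}
    for m in EMAIL_RE.finditer(data):
        seen.setdefault(m.group(0).decode("ascii", "replace").lower(), None)
    return list(seen)

def domain_counts(emails) -> Counter:
    """How many harvested addresses fall under each domain (exposure scope)."""
    return Counter(e.rsplit("@", 1)[1] for e in emails)

def fingerprint(path: str):
    """(size, sha256) of the artifact, or None if absent. Take one before
    renaming the file and one later to confirm the re-creation reported."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        data = f.read()
    return len(data), hashlib.sha256(data).hexdigest()

def find_artifacts(profile_root=r"C:\Documents and Settings"):
    """Every <profile_root>\\<user>\\~ that exists, the location the post names."""
    hits = []
    if os.path.isdir(profile_root):
        for user in os.listdir(profile_root):
            p = os.path.join(profile_root, user, "~")
            if os.path.isfile(p):
                hits.append(p)
    return hits

if __name__ == "__main__":
    found = find_artifacts()
    print("artifacts:", found, [fingerprint(p) for p in found])
    print(extract_emails(SAMPLE), domain_counts(extract_emails(SAMPLE)))
```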
