From: lorenzohgh at (Lorenzo Hernandez Garcia-Hierro)
Subject: New virus

Look at this line:
GET /events.php?%s HTTP/1.1
Accept: */*
Connection: Keep-Alive
so imagine this:
id=[autonumeric ]&ip=[internet address by gestaddrbyhost]&speed=[connection

This logs the information about an infected host.
Look at more:
/* Written By Adrey Karimov [] */
This can be bogus data, but that boy is from an antivirus-related company! :)
(Who are the virii authors now?)

%s SC:%s
%s SW:%i.%i.%i.%i
%s PW:%i.%i.%i.%i
%s SD:%i.%i.%i.%i
%s PD:%i.%i.%i.%i
%s IP:%i.%i.%i.%i
%s%s:%s:%s [%s]

This calls the API of Microsoft RAS and inserts the data into a new
telephonic connection.

These functions are called, so the virus uses the memory stack:
strchr <- *
strncpy <- *
strstr <- *

And it creates a file with the first data:


It keeps there the data found at SOFTWARE\Microsoft\Internet Account

Other things that the virus does:
Creates a regkey to run it at startup, and it copies itself to some locations.

Stores this data ???:

I think some info is hardcoded.
The presence of sysdeb32.exe and tmp.exe indicates virus activity.

I don't know which virus this is.

Best regards,
0x00->Lorenzo Hernandez Garcia-Hierro
0x02->The truth is out there,
0x03-> outside your mind.
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
----- Original Message ----- 
From: "Andrew Thomas" <>
To: "'Full Disclosure'" <>
Sent: Tuesday, November 25, 2003 9:02 AM
Subject: [Full-Disclosure] New virus

> Hi,
> Just to confirm receipt of another email containing the following
> text:
> --snip--
> Hello my dear Mary,
> I have been thinking about you all night. I would like to apologize
> for the other night when we made beautiful love and did not use
> condoms. I know this was a mistake and I beg you to forgive me.
> I miss you more than anything, please call me Mary, I need you. Do
> you remember when we were having wild sex in my house? I remember
> it all like it was only yesterday. You said that the pictures
> would not come out good, but you were very wrong, they are great.
> I didn't want to show you the pictures at first, but now I think
> it's time for you to see them. Please look in the attachment and
> you will see what I mean.
> I love you with all my heart, James.
> --snip--
> With attached
> A quick strings (after unpacking) on the file gives
> The original archive is available @
> I don't have the time to take this apart, but some interesting things
> include a call to function "UrlDownloadToFileA", and a bunch of other
> HTTP-style requests.
> Also looks like it may do some kind of speed test and post results
> as well remotely, including IP address of the infected host, as well
> as pulling stuff out like RAS info, pop3 info, etc.
> The host that appears to be called is "", with a
> call made to the page "showinfo.php", which returns only
> --snip--
> Error 0x7a2e: Invalid query, database search failed.
> --snip--
> without anything appended.
> There's quite a bit more in here.
>   A.
> -- 
> Andrew G. Thomas
> Hobbs & Associates Chartered Accountants (SA)
> (o) +27-(0)21-683-0500
> (f) +27-(0)21-683-0577
> (m) +27-(0)83-318-4070
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:

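Added here as a defender's example, not part of either message above: a small Python scanner that flags web-server access-log entries matching the check-in traffic described in the thread (a GET to events.php carrying id, ip and speed parameters, and requests for showinfo.php). The log lines, hosts, timestamps and parameter values are constructed; the log format is assumed to be Apache Combined Log Format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache Combined Log Format).
# Lines 1 and 2 mimic the check-in traffic described in the thread;
# lines 3 and 4 are benign traffic that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Nov/2003:09:12:01 +0000] "GET /events.php?id=17&ip=10.0.0.5&speed=512 HTTP/1.1" 200 12 "-" "-"
10.0.0.9 - - [25/Nov/2003:09:12:44 +0000] "GET /showinfo.php HTTP/1.1" 200 55 "-" "-"
10.0.0.7 - - [25/Nov/2003:09:13:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
10.0.0.8 - - [25/Nov/2003:09:13:30 +0000] "GET /events.php?page=2 HTTP/1.1" 200 900 "-" "Mozilla/4.0"
"""

# Minimal parser for the fields we need: source host, method, request target.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Query keys the post shows in the events.php check-in (id=, ip=, speed=).
CHECKIN_KEYS = {"id", "ip", "speed"}


def classify(line):
    """Return (reason, source_host, request_target) when a log line matches
    the check-in pattern from the thread, otherwise None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("target"))
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script == "events.php":
        # Only flag events.php when all three check-in keys are present;
        # an ordinary events.php?page=2 request stays unflagged.
        keys = set(parse_qs(parts.query, keep_blank_values=True))
        if CHECKIN_KEYS <= keys:
            return ("events.php check-in with id/ip/speed", m.group("src"), m.group("target"))
    elif script == "showinfo.php":
        return ("showinfo.php request", m.group("src"), m.group("target"))
    return None


def scan(log_text):
    """Scan a whole log and return the list of flagged entries."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for reason, src, target in scan(SAMPLE_LOG):
        print(f"{src}: {reason}: {target}")
```

Each flagged source host is a candidate infected machine to isolate and inspect for the sysdeb32.exe / tmp.exe files and the startup registry entry mentioned above.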