| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <026d01c3d6ea$b6df88a0$1214dd80@corp.emc.com> From: exibar at thelair.com (Exibar) Subject: Virus / Trojan LOL, your AV scanner on your Exchange server detected it (or extension blocked it), here's what came through for your attachment: 01/09/2004 03:47 PM The original attachment contains a virus or meets the File-Blocking rules. ScanMail took action: winxp_sp1.zip/Moved, please see your Exchange Server administrator for details! All the AV vendors should have DATS/Defs for it by now. Symantec and NAI both do at least: That's the new Xombe (downloader-GJ by NAI) http://securityresponse.symantec.com/avcenter/venc/data/trojan.xombe.html http://vil.nai.com/vil/content/v_100945.htm Exibar ----- Original Message ----- From: "Otero, Hernan (EDS)" <HOtero@...chile.cl> To: <full-disclosure@...ts.netsys.com> Sent: Friday, January 09, 2004 2:47 PM Subject: [Full-Disclosure] Virus / Trojan Today found this suspicious file attached to an email, obviously is a virus (our AV don?t detect it :-( ). The virus/trojan is very simple, the developer only put effort in obfuscate the strings inside the binary. The executable file try to connect to gamemaniacs.org and download a file. This file will be located in the system directory The url used in the GET is: gamemaniacs.org /download/get.php?dist=2 This will download the binary saved as msvchost.exe any one know what virus/trojan is this? -H <<VIRUS1_DETECTED_AND_REMOVED_winxp_sp1_VIRINFO.TXT>>
Powered by blists - more mailing lists