lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1889107484.20040127005856@Sniff-em.com>
From: Thierry at Sniff-em.com (Thierry)
Subject: massive outbreak - expect a major network slowdown

Hello Gadi,

GE> Whichever the case this outbreak is HUGE.
GE> Largest in a while and it is spreading VERY FAST.

I can only confirm, it currently slips through my ISP Virus mail
gateway, I have a few files here some in uncompressed state if anybody is
interested and hasn't had the chance to have one of those (should be
rare though). I am not aware whether it selfmodifies or not, here
are the strings I extracted from the uncompressed PIF file.

Tool: BinText

File pos   Mem pos      ID   Text
========   =======      ==   ====

0000269C   004A269C      0   iphlpapi.dll
000026AC   004A26AC      0   DnsQuery_A
000026B8   004A26B8      0   dnsapi.dll
000026C4   004A26C4      0   GetNetworkParams
000026D8   004A26D8      0   sandra
000026E0   004A26E0      0   linda
000026E8   004A26E8      0   julie
000026F0   004A26F0      0   jimmy
000026F8   004A26F8      0   jerry
00002700   004A2700      0   helen
00002708   004A2708      0   debby
00002710   004A2710      0   claudia
00002718   004A2718      0   brenda
00002728   004A2728      0   alice
00002730   004A2730      0   brent
00002764   004A2764      0   smith
0000276C   004A276C      0   steve
00002798   004A2798      0   robert
000027A0   004A27A0      0   peter
000027C0   004A27C0      0   brian
000027CC   004A27CC      0   maria
000027E0   004A27E0      0   andrew
000027EC   004A27EC      0   george
000027F4   004A27F4      0   david
000027FC   004A27FC      0   kevin
0000280C   004A280C      0   james
00002814   004A2814      0   michael
0000282C   004A282C      0   accoun
00002834   004A2834      0   certific
00002840   004A2840      0   listserv
0000284C   004A284C      0   ntivi
00002854   004A2854      0   support
0000285C   004A285C      0   icrosoft
00002868   004A2868      0   admin
00002878   004A2878      0   the.bat
00002880   004A2880      0   gold-certs
00002890   004A2890      0   feste
00002898   004A2898      0   submit
000028AC   004A28AC      0   service
000028B4   004A28B4      0   privacy
000028BC   004A28BC      0   somebody
000028D4   004A28D4      0   contact
000028E4   004A28E4      0   rating
00002904   004A2904      0   someone
0000290C   004A290C      0   anyone
00002914   004A2914      0   nothing
0000291C   004A291C      0   nobody
00002924   004A2924      0   noone
0000292C   004A292C      0   webmaster
00002938   004A2938      0   postmaster
00002944   004A2944      0   samples
0000295E   004A295E      0   be_loyal:
00002968   004A2968      0   mozilla
00002970   004A2970      0   utgers.ed
0000297C   004A297C      0   tanford.e
0000298C   004A298C      0   acketst
00002994   004A2994      0   secur
0000299C   004A299C      0   isc.o
000029A4   004A29A4      0   isi.e
000029AC   004A29AC      0   ripe.
000029B4   004A29B4      0   arin.
000029BC   004A29BC      0   sendmail
000029C8   004A29C8      0   rfc-ed
000029E0   004A29E0      0   usenet
000029F0   004A29F0      0   linux
000029F8   004A29F8      0   kernel
00002A00   004A2A00      0   google
00002A08   004A2A08      0   ibm.com
00002A1C   004A2A1C      0   mit.e
00002A38   004A2A38      0   berkeley
00002A68   004A2A68      0   ruslis
00002A70   004A2A70      0   nodomai
00002A78   004A2A78      0   mydomai
00002A80   004A2A80      0   example
00002A88   004A2A88      0   inpris
00002A90   004A2A90      0   borlan
00002A98   004A2A98      0   sopho
00002AA0   004A2AA0      0   panda
00002AA8   004A2AA8      0   hotmail
00002AB8   004A2AB8      0   icrosof
00002AD4   004A2AD4      0   -._!@
00002ADC   004A2ADC      0   abuse
00002E34   004A2E34      0   USERPROFILE
00002E40   004A2E40      0   Ybpny Frggvatf
0000345C   004A345C      0   %s.%s
00003480   004A3480      0   %s.zip
0000348C   004A348C      0   Mail transaction failed. Partial message is available.
000034C8   004A34C8      0   The message contains Unicode characters and has been sent as a binary attachment.
00003520   004A3520      0   The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
00003590   004A3590      0   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
000035DE   004A35DE      0   K-ZFZnvy-Cevbevgl: Abezny

File pos   Mem pos      ID   Text
========   =======      ==   ====

000035FA   004A35FA      0   K-Cevbevgl: 3
00003608   004A3608      0      boundary="%s"
0000361A   004A361A      0   Pbagrag-Glcr: zhygvcneg/zvkrq;
0000363E   004A363E      0   ZVZR-Irefvba: 1.0
00003652   004A3652      0   Qngr: 
0000365E   004A365E      0   Fhowrpg: 
00003670   004A3670      0   Sebz: 
00003678   004A3678      0   ----=_%s_%.3u_%.4u_%.8X.%.8X
00003698   004A3698      0   NextPart
000036A8   004A36A8      0   --%s--
000036BE   004A36BE      0   Pbagrag-Glcr: nccyvpngvba/bpgrg-fgernz;
000036E7   004A36E7      0      anzr="%f"
000036F3   004A36F3      0   Pbagrag-Genafsre-Rapbqvat: onfr64
00003716   004A3716      0   Pbagrag-Qvfcbfvgvba: nggnpuzrag;
00003738   004A3738      0      svyranzr="%f"
0000375E   004A375E      0   Pbagrag-Glcr: grkg/cynva;
00003779   004A3779      0      punefrg="Jvaqbjf-1252"
00003792   004A3792      0   Pbagrag-Genafsre-Rapbqvat: 7ovg
00003890   004A3890      0   gate.%s
00003898   004A3898      0   ns.%s
000038A0   004A38A0      0   relay.%s
000038AC   004A38AC      0   mail1.%s
000038B8   004A38B8      0   mxs.%s
000038C0   004A38C0      0   mx1.%s
000038C8   004A38C8      0   smtp.%s
000038D0   004A38D0      0   mail.%s
000038D8   004A38D8      0   mx.%s
0000A009   004AA009      0   CreateFileMappingA
0000A01D   004AA01D      0   FindNextFileA
0000A02C   004AA02C      0   FindFirstFileA
0000A03C   004AA03C      0   GetEnvironmentVariableA
0000A055   004AA055      0   GetWindowsDirectoryA
0000A06B   004AA06B      0   GetDriveTypeA
0000A07A   004AA07A      0   GetFileSize
0000A087   004AA087      0   FindClose
0000A092   004AA092      0   FileTimeToSystemTime
0000A0A8   004AA0A8      0   GlobalAlloc
0000A0B5   004AA0B5      0   GetTempFileNameA
0000A0C7   004AA0C7      0   SetFilePointer
0000A0D7   004AA0D7      0   GetSystemTime
0000A0E6   004AA0E6      0   GetCurrentThread
0000A0F8   004AA0F8      0   WriteFile
0000A103   004AA103      0   LoadLibraryA
0000A111   004AA111      0   lstrcpyA
0000A11B   004AA11B      0   CloseHandle
0000A128   004AA128      0   GetFileAttributesA
0000A13C   004AA13C      0   CreateFileA
0000A149   004AA149      0   lstrlenA
0000A153   004AA153      0   GetTempPathA
0000A161   004AA161      0   GetSystemDirectoryA
0000A176   004AA176      0   lstrcatA
0000A180   004AA180      0   GetLastError
0000A18E   004AA18E      0   CreateMutexA
0000A19C   004AA19C      0   CopyFileA
0000A1A7   004AA1A7      0   DeleteFileA
0000A1B4   004AA1B4      0   SetFileAttributesA
0000A1C8   004AA1C8      0   GetModuleFileNameA
0000A1DC   004AA1DC      0   SystemTimeToFileTime
0000A1F2   004AA1F2      0   GetSystemTimeAsFileTime
0000A20B   004AA20B      0   Sleep
0000A212   004AA212      0   ExitThread
0000A21E   004AA21E      0   WaitForSingleObject
0000A233   004AA233      0   CreateProcessA
0000A243   004AA243      0   CreateThread
0000A251   004AA251      0   GetTickCount
0000A25F   004AA25F      0   ExitProcess
0000A26C   004AA26C      0   GetTimeZoneInformation
0000A284   004AA284      0   MapViewOfFile
0000A293   004AA293      0   FileTimeToLocalFileTime
0000A2AC   004AA2AC      0   GetLocalTime
0000A2BA   004AA2BA      0   WideCharToMultiByte
0000A2CF   004AA2CF      0   GetProcAddress
0000A2DF   004AA2DF      0   GetModuleHandleA
0000A2F1   004AA2F1      0   HeapFree
0000A2FB   004AA2FB      0   GetProcessHeap
0000A30B   004AA30B      0   HeapAlloc
0000A316   004AA316      0   lstrcpynA
0000A321   004AA321      0   lstrcmpA
0000A32B   004AA32B      0   lstrcmpiA
0000A336   004AA336      0   GlobalFree
0000A342   004AA342      0   InterlockedDecrement
0000A358   004AA358      0   InterlockedIncrement
0000A36E   004AA36E      0   ReadFile
0000A378   004AA378      0   UnmapViewOfFile
0000A389   004AA389      0   SetThreadPriority
0000A3A5   004AA3A5      0   RegCloseKey
0000A3B2   004AA3B2      0   RegOpenKeyExA
0000A3C1   004AA3C1      0   RegSetValueExA
0000A3D1   004AA3D1      0   RegQueryValueExA
0000A3E3   004AA3E3      0   RegEnumKeyA
0000A3F0   004AA3F0      0   RegCreateKeyExA
0000A40A   004AA40A      0   memset
0000A412   004AA412      0   tolower
0000A41B   004AA41B      0   memcpy
0000A423   004AA423      0   isdigit
0000A42C   004AA42C      0   toupper
0000A435   004AA435      0   isxdigit
0000A43F   004AA43F      0   isalnum
0000A448   004AA448      0   isspace
0000A45A   004AA45A      0   CharUpperBuffA
0000A46A   004AA46A      0   CharUpperA
0000A476   004AA476      0   CharLowerA
0000A482   004AA482      0   wvsprintfA
0000A48E   004AA48E      0   wsprintfA
0000A5CB   004AA5CB      0   .text
0000A5F3   004AA5F3      0   .rsrc
0000C290   004AC290      0   KERNEL32.DLL
0000C29D   004AC29D      0   ADVAPI32.dll
0000C2AA   004AC2AA      0   MSVCRT.dll
0000C2B5   004AC2B5      0   USER32.dll
0000C2C0   004AC2C0      0   WS2_32.dll
0000C2CC   004AC2CC      0   LoadLibraryA
0000C2DA   004AC2DA      0   GetProcAddress
0000C2EA   004AC2EA      0   ExitProcess
0000C2F8   004AC2F8      0   RegCloseKey
0000C306   004AC306      0   memset
0000C30E   004AC30E      0   wsprintfA

-- 
Best regards,
 Thierry                            mailto:Thierry@...ff-em.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ