lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <BAY12-F22lUSLWeF6C800027b04@hotmail.com>
From: randnut at hotmail.com (first last)
Subject: http://federalpolice.com:article872@...5686747

That file is called TrojanSpy.Win32.Agent.d according to kaspersky (go to 
www.kaspersky.com and click online virus checker link or 
http://www.kaspersky.com/remoteviruschk.html).

No description from Kaspersky but I had a _very_ quick look at the unpacked 
code, so it may do more:

- sends contents of <windir>\kgn.txt in an email to 194.67.23.10 
(smtp.mail.ru)
	- "MAIL FROM:<pentasatan@...l.ru>\r\n"
	- "Subject: KeyLog from (%s)\r\n\r\n"
- writes path name to 
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE"
- copies itself to windows dir
- extracts "HookerDll.Dll" from itself and copies it to windows dir
- probably will register the dll and make internet explorer load it each 
time it loads

I think it's the same programmer who wrote updatte. There's similar code and 
data in it.

>From: "Erik van Straten" <emvs.fd.3FB4D11C@....tn.tudelft.nl>
>
>Hi Nicola,
>
>It's not a zip file, not an applet, but a plain EXE file. Seems
>compressed somehow, no time to figure it out now. Dunno why Mozilla
>runs this (I don't like it).
>
>If something showed up in your status bar, you should definitely assume
>your box was compromised.
>
>Take care out there,
>Erik
>
>On Sun, 15 Feb 2004 20:20:11 +0100 Nicola Fankhauser wrote:
> > hi jedi
> >
> > On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:
> > >   This is equivalent to http://64.29.173.91/
> >
> > ok, and the html of the index page is as following:
> >
> > <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
> > <h2>SERVER ERROR 550</h2>
> > <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 
>HEIGHT=1></applet></body></html>
> >
> > now, the "SERVER ERROR 550" is clearly a fake - the java applet below
> > just starts fine. strangely, the 'javautil.zip' is not a valid zip-file,
> > yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :)
> > happily start the applet without any hickups or exceptions and mozilla
> > states 'Applet BlackBox started' in the status bar.
> >
> > is there anybody knowledgable interested in un-zipping, de-compiling and
> > analysing this surely malicious applet? I would like to know what
> > mozilla just executed on my behalf there... :(
> >
> > FYI, the file 'javautil.zip' attached is directly taken from the site
> > mentioned above.
> >
> > regards
> > nicola
> >
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

_________________________________________________________________
Choose now from 4 levels of MSN Hotmail Extra Storage - no more account 
overload! http://click.atdmt.com/AVE/go/onm00200362ave/direct/01/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ