lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20040216001356.2888E2B4D6C@mail.evilcoder.org>
From: remko at elvandar.org (Remko Lodder)
Subject: http://federalpolice.com:article872@...5686747

Hi,

Just wanted to reply on this

my Mailscanner reported this:
Our content checker found
    virus: TrojanSpy.Agent.D
in an email to you from:

stating this from the message Nicola send.

I think that could give some more info.

Anyways. My AV scanner is ClamAV.

Cheers.
--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene

mrtg.grunn.org Dutch mirror of MRTG

-----Oorspronkelijk bericht-----
Van: full-disclosure-bounces@...ts.elvandar.org
[mailto:full-disclosure-bounces@...ts.elvandar.org]Namens Erik van
Straten
Verzonden: zondag 15 februari 2004 23:40
Aan: Nicola Fankhauser
CC: full-disclosure@...ts.netsys.com
Onderwerp: Re: [Full-Disclosure]
http://federalpolice.com:article872@...5686747


Hi Nicola,

It's not a zip file, not an applet, but a plain EXE file. Seems
compressed somehow, no time to figure it out now. Dunno why Mozilla
runs this (I don't like it).

If something showed up in your status bar, you should definitely assume
your box was compromised.

Take care out there,
Erik

On Sun, 15 Feb 2004 20:20:11 +0100 Nicola Fankhauser wrote:
> hi jedi
>
> On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:
> >   This is equivalent to http://64.29.173.91/
>
> ok, and the html of the index page is as following:
>
> <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
> <h2>SERVER ERROR 550</h2>
> <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1
HEIGHT=1></applet></body></html>
>
> now, the "SERVER ERROR 550" is clearly a fake - the java applet below
> just starts fine. strangely, the 'javautil.zip' is not a valid zip-file,
> yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :)
> happily start the applet without any hickups or exceptions and mozilla
> states 'Applet BlackBox started' in the status bar.
>
> is there anybody knowledgable interested in un-zipping, de-compiling and
> analysing this surely malicious applet? I would like to know what
> mozilla just executed on my behalf there... :(
>
> FYI, the file 'javautil.zip' attached is directly taken from the site
> mentioned above.
>
> regards
> nicola
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-disclosure mailing list
Full-disclosure@...ts.elvandar.org
http://lists.elvandar.org/mailman/listinfo/full-disclosure

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ