Message-ID: <ELEOLHOJFMBPBFCJHOCIOEAPDJAA.aditya.deshmukh@online.gateway.technolabs.net>
From: aditya.deshmukh at online.gateway.technolabs.net (Aditya, ALD [Aditya Lalit Deshmukh])
Subject: Re: http://federalpolice.com:article872@...5686747
this is a keylogger that will mail out your interesting logs to some russian address!
so beware of this one,
but what I couldn't understand is how is this file executed?
-aditya
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
> n.teusink@...net.nl
> Sent: Sunday, February 15, 2004 11:40 PM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re:
> http://federalpolice.com:article872@...5686747
>
>
> From the source of that page:
>
> APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1
>
> BlackBox.class is detected immediately by my virusscanner as
> ClassLoader/E, more
> info:
> http://www.viruslibrary.com/virusinfo/Trojan.Java.ClassLoader.htm
>
> The javautil.zip appears to be an exe file renamed to zip. The
> exe is compressed with
> FSG.
>
> Interesting pieces of output from strings on the decompressed exe:
>
>
> ----------------------------------------------BEGIN
> HookerDll.Dll
> Install
> Uninstall
> EDIT
> %s\%s
> WVS3
> \kgn.txt
> Hooker.dll
> Install
> Uninstall
> Westpac
> bendigo
> Bendigo
> e-bendigo
> e-Bendigo
> commbank
> Commonwealth
> NetBank
> Citibank
> Bank of America
> e-gold
> e-bullion
> e-Bullion
> evocash
> EVOCash
> EVOcash
> intgold
> INTGold
> paypal
> PayPal
> bankwest
> Bank West
> BankWest
> National Internet Banking
> cibc
> CIBC
> scotiabank
> ScotiaBank
> Scotia Bank
> bank of montreal
> Bank of Montreal
> royalbank
> Royal Bank
> RoyalBank
> tdwaterhouse
> TD Canada Trust
> TD Waterhouse
> president's choice
> President's Choice
> President Choice
> suncorpmetway
> Suncorp
> macquarie
> Macquarie
> INTgold
> 1mdc
> 1MDC
> TD Waterhouse
> goldmoney
> GoldMoney
> goldgrams
> pecunix
> Pecunix
> Pecun!x
> hyperwallet
> HyperWallet
> Wells Fargo
> Bank One
> Banesto
> CAIXA
> SunTrust
> Sun Trust
> Discover Card
> Washington Mutual
> Wachovia
> desjardins
> Chase
> 0+060F0
> 1$11161J1U1i1
> 2.2I2\2
> 3'3,3E3c3h3r3
> 4%42484>4D4J4P4V4\4b4h4n4t4z4
> DATA
> EHLO localhost
> Subject: KeyLog from (%s)
> MAIL FROM:<pentasatan@...l.ru>
> RCPT TO:<pentasatan@...l.ru>
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> open
> pstorec.dll
> PStoreCreateInstance
> internet explorer
> http://
> wininetcachecredentials
> Cookie:
> ----------------------------------------------END
>
> I think you can draw your own conclusions about this file.
>
> Niels
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
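A defender-side triage of the two observations in the quoted post (an archive whose bytes are really an executable, and strings that point at persistence, SMTP exfiltration, credential theft and hooking), written as an added example that is not part of this thread. The SAMPLE bytes, the INDICATORS grouping, the placeholder mail address and the function names are constructed here.

```python
import re

# Magic numbers for the two formats the post contrasts: a ZIP archive
# (what the APPLET tag declares) and a DOS/PE executable (what the file was).
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "exe"}

# Indicator strings taken from the strings output quoted in the post,
# grouped by the capability they suggest (grouping is ours, not the post's).
INDICATORS = {
    "persistence": [r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"],
    "smtp_exfil": ["EHLO ", "MAIL FROM:", "RCPT TO:", "Subject: KeyLog"],
    "credential_theft": ["pstorec.dll", "PStoreCreateInstance", "wininetcachecredentials"],
    "hooking": ["Hooker.dll", "HookerDll.Dll"],
    "bank_targets": ["paypal", "citibank", "westpac", "commbank", "e-gold"],
}

def printable_strings(data: bytes, min_len: int = 4):
    """Rough equivalent of the strings(1) run in the post: ASCII runs of min_len or more."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def detect_type(data: bytes) -> str:
    """Classify by leading magic bytes, ignoring the file extension entirely."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def triage(filename: str, data: bytes) -> dict:
    """Report extension/magic mismatch plus which indicator categories are present."""
    declared = filename.rsplit(".", 1)[-1].lower()
    actual = detect_type(data)
    lowered = [s.lower() for s in printable_strings(data)]
    hits = {}
    for category, needles in INDICATORS.items():
        matched = sorted({n for n in needles if any(n.lower() in s for s in lowered)})
        if matched:
            hits[category] = matched
    return {"declared": declared, "actual": actual,
            "mismatch": actual != "unknown" and actual != declared, "hits": hits}

# Constructed sample: an MZ header followed by a few of the strings quoted above.
# It is not the real javautil.zip, only enough bytes to exercise the checks.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8 + b"Hooker.dll\x00EHLO localhost\x00"
          b"MAIL FROM:<placeholder@example.invalid>\x00"
          b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          b"pstorec.dll\x00PayPal\x00Westpac\x00")

if __name__ == "__main__":
    print(triage("javautil.zip", SAMPLE))
```

On the constructed sample this reports a zip-named file that is really an exe, with persistence, SMTP, credential-theft, hooking and bank-name indicators all present.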