lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <04Mar2.173430-0500_est.324867-27876+6580@ams.ftl.affinity.com>
From: khermansen at ht-technology.com (Kristian Hermansen)
Subject: Backdoor not recognized by Kaspersky

Attached backdoor not recognized by Kaspersky or Norton 2004?  I received
this file recently, but Kaspersky did not detect malicious code.  Wondering
if any of you guys know about it or have analyzed it before?  It is
definitely NOT a text document.  I opened it up with WinHex and see the file
"yfivyjmg.exe" in there towards the beginning.  Looks to be a packed exe
within, and first few bytes are:

504B03040A0001000000C07E62309FE242510C300000003000000C00000079666976796A6D67
2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE712E68000E55E
E8A39241

Last few bytes are:

E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EAE0D2BA2A6EF
88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309FE242510C30
0000003000000C000000000000000100200000000000000079666976796A6D672E657865504B
050600000000010001003A000000363000000000

I am reluctant to open the zip right now, as I fear it may be exploiting an
overflow to run the EXE file within.  I may try to open it on a virtual
machine later, but if you guys do know anything about this one please let me
know.  It's nice and small too (12 KB)!  Wonder if the guy wrote it himself.
Of course, the IP address is spoofed to a University of Chicago machine.  Is
it even possible to trace back?  I still have the full headers, but they
looked nicely stripped to the gills.  I have been receiving elevated attacks
via email over the last few days, so maybe it is some guy on this list
trying to get me ;-)  One previous email stated that it was the FBI and to
call a number listed in the email.  This was most likely an attempt to get
the number I was calling from.  This guy thinks he's smooth...


Kristian Hermansen
khermansen@...technology.com

-----Original Message-----
From: management@...otoys.com [mailto:management@...ankedout}.com] 
Sent: Tuesday, March 02, 2004 5:03 PM
To: webmaster@...ankedout}.com
Subject: E-mail account security warning.

Dear user of  {blankedout}.com  gateway e-mail server,

Your  e-mail account has been temporary disabled because of unauthorized
access.

For details see the attached file.

For security  purposes  the  attached file  is password protected.  Password
is "65316".

Best  wishes,
    The {blankedout}.com  team                               http://www.
{blankedout}..com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TextDocument.zip
Type: application/octet-stream
Size: 12422 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040302/b8acb2dc/TextDocument.obj

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ