Message-ID: <BGEDKGEPFMNHFJEBHFPIMEBLCBAA.ajrarn1@ifrance.com>
From: ajrarn1 at ifrance.com (ajrarn)
Subject: Backdoor not recognized by Kaspersky

It's a worm, detected by OfficeScan (pattern 697) as bagle.J.

Regards. Yoran

 | -----Original Message-----
 | From: full-disclosure-admin@...ts.netsys.com
 | [mailto:full-disclosure-admin@...ts.netsys.com] On behalf of Kristian Hermansen
 | Sent: Tuesday, 2 March 2004 23:34
 | To: full-disclosure@...ts.netsys.com
 | Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky
 |
 |
 | Attached backdoor not recognized by Kaspersky or Norton 2004?  I received
 | this file recently, but Kaspersky did not detect malicious code.  Wondering
 | if any of you guys know about it or have analyzed it before?  It is
 | definitely NOT a text document.  I opened it up with WinHex and see the file
 | "yfivyjmg.exe" in there towards the beginning.  Looks to be a packed exe
 | within, and first few bytes are:
 |
 | 504B03040A0001000000C07E62309FE242510C300000003000000C00000079666976796A6D672E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE712E68000E55EE8A39241
 |
 | Last few bytes are:
 |
 | E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EAE0D2BA2A6EF88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309FE242510C300000003000000C000000000000000100200000000000000079666976796A6D672E657865504B050600000000010001003A000000363000000000
 |
 | I am reluctant to open the zip right now, as I fear it may be exploiting an
 | overflow to run the EXE file within.  I may try to open it on a virtual
 | machine later, but if you guys do know anything about this one please let me
 | know.  It's nice and small too (12 KB)!  Wonder if the guy wrote it himself.
 | Of course, the IP address is spoofed to a University of Chicago machine.  Is
 | it even possible to trace back?  I still have the full headers, but they
 | looked nicely stripped to the gills.  I have been receiving elevated attacks
 | via email over the last few days, so maybe it is some guy on this list
 | trying to get me ;-)  One previous email stated that it was the FBI and to
 | call a number listed in the email.  This was most likely an attempt to get
 | the number I was calling from.  This guy thinks he's smooth...
 |
 |
 | Kristian Hermansen
 | khermansen@...technology.com
 |
 | -----Original Message-----
 | From: management@...otoys.com [mailto:management@...ankedout}.com]
 | Sent: Tuesday, March 02, 2004 5:03 PM
 | To: webmaster@...ankedout}.com
 | Subject: E-mail account security warning.
 |
 | Dear user of  {blankedout}.com  gateway e-mail server,
 |
 | Your  e-mail account has been temporary disabled because of unauthorized
 | access.
 |
 | For details see the attached file.
 |
 | For security  purposes  the  attached file  is password protected.  Password
 | is "65316".
 |
 | Best  wishes,
 |     The {blankedout}.com  team                               http://www.
 | {blankedout}..com
 |


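The two hex dumps quoted in the thread are the start and the end of the attachment, which is exactly where a ZIP archive keeps its own metadata: the local file header at offset 0, and the central directory plus end-of-central-directory (EOCD) record at the tail. The Python below is an example added to this archive page, not code from the thread or from any product named in it. It parses those structures from the quoted bytes and reports what a defender wants to know before ever extracting the sample: the embedded filename, the encryption flag, the compression method, the sizes, and whether the local header, the central directory and the EOCD agree with each other (a disagreement between them is a classic way to make a scanner and an unpacker see different files). The hex strings are the ones from the message; the field layout follows the ZIP application note; the list of "executable" extensions is an assumed triage list, not something the page states.

```python
"""Read a suspicious ZIP's metadata from captured head/tail bytes without extracting it."""
import struct

# Hex dumps as quoted in the message: first and last bytes of the attachment.
HEAD_HEX = (
    "504B03040A0001000000C07E62309FE242510C300000003000000C00000079666"
    "976796A6D67"
    "2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE71"
    "2E68000E55E"
    "E8A39241"
)
TAIL_HEX = (
    "E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EA"
    "E0D2BA2A6EF"
    "88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309"
    "FE242510C30"
    "0000003000000C000000000000000100200000000000000079666976796A6D672"
    "E657865504B"
    "050600000000010001003A000000363000000000"
)

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001      # general-purpose flag bit 0
ZIPCRYPTO_HEADER = 12        # bytes traditional PKWARE encryption prepends to the entry data
METHODS = {0: "stored", 8: "deflate"}
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com")   # assumed triage list, not from the page


def parse_local_header(head: bytes) -> dict:
    """Local file header: 4-byte signature, 26 fixed bytes, then name and extra field."""
    if head[:4] != LOCAL_SIG:
        raise ValueError("not a ZIP local file header")
    (_ver, flags, method, _time, _date, crc, csize, usize, nlen, xlen) = struct.unpack_from(
        "<HHHHHIIIHH", head, 4)
    return {"name": head[30:30 + nlen].decode("cp437"), "flags": flags, "method": method,
            "crc32": crc, "compressed": csize, "uncompressed": usize,
            "data_offset": 30 + nlen + xlen}


def parse_end(tail: bytes) -> dict:
    """EOCD record (22 bytes + comment) and the last central directory entry (46 bytes + name).

    EOCD offsets are relative to the file start, which the tail dump does not include, so the
    central directory entry is found by scanning backwards for its signature instead.
    Assumes a single-entry archive, as here; a multi-entry one would need all entries walked."""
    eocd_at = tail.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record in tail")
    (_disk, _cd_disk, _n_here, n_total, cd_size, cd_offset, comment_len) = struct.unpack_from(
        "<HHHHIIH", tail, eocd_at + 4)
    cd_at = tail.rfind(CENTRAL_SIG, 0, eocd_at)
    if cd_at < 0:
        raise ValueError("central directory not within captured tail")
    (_made, _ver, flags, method, _time, _date, crc, csize, usize, nlen, _xlen, _clen,
     _dstart, _iattr, _eattr, local_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", tail, cd_at + 4)
    return {"entries": n_total, "cd_size": cd_size, "cd_offset": cd_offset,
            "name": tail[cd_at + 46:cd_at + 46 + nlen].decode("cp437"), "flags": flags,
            "method": method, "crc32": crc, "compressed": csize, "uncompressed": usize,
            "local_offset": local_off, "total_size": cd_offset + cd_size + 22 + comment_len}


def triage(head_hex: str, tail_hex: str) -> dict:
    """Combine both views and list the signals worth acting on before touching the payload."""
    local, end = parse_local_header(bytes.fromhex(head_hex)), parse_end(bytes.fromhex(tail_hex))
    findings = []
    if local["flags"] & FLAG_ENCRYPTED:
        findings.append("entry is password-protected, so a scanner cannot inspect the payload")
    if local["name"].lower().endswith(EXECUTABLE_EXTS):
        findings.append("entry is a Windows executable: " + local["name"])
    if local["method"] == 0 and local["compressed"] - local["uncompressed"] == ZIPCRYPTO_HEADER:
        findings.append("stored (uncompressed) with 12-byte overhead: traditional ZipCrypto")
    # Scanner-evasion check: the local header and the central directory must describe one file.
    mismatch = [k for k in ("name", "flags", "method", "crc32", "compressed", "uncompressed")
                if local[k] != end[k]]
    if mismatch:
        findings.append("local header and central directory disagree on: " + ", ".join(mismatch))
    if end["entries"] == 1 and end["cd_offset"] != local["data_offset"] + local["compressed"]:
        findings.append("unaccounted bytes between the entry data and the central directory")
    return {"name": local["name"], "encrypted": bool(local["flags"] & FLAG_ENCRYPTED),
            "method": METHODS.get(local["method"], str(local["method"])),
            "crc32": local["crc32"], "compressed": local["compressed"],
            "uncompressed": local["uncompressed"], "entries": end["entries"],
            "total_size": end["total_size"], "findings": findings}


if __name__ == "__main__":
    for key, value in triage(HEAD_HEX, TAIL_HEX).items():
        print(f"{key}: {value}")
```

Run as-is, the report shows a single stored, password-protected entry named yfivyjmg.exe of 12288 bytes (12300 on disk, the extra 12 being the ZipCrypto header) in a 12422-byte archive, which matches the "12 KB" in the message and the lure's "password protected" claim. The headers are self-consistent, so there is no sign of a malformed archive here; the point of the check is that it costs nothing and catches the case where there is.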