Message-ID: <BGEDKGEPFMNHFJEBHFPIMEBLCBAA.ajrarn1@ifrance.com>
From: ajrarn1 at ifrance.com (ajrarn)
Subject: Backdoor not recognized by Kaspersky

It's a worm, detected by OfficeScan (pattern 697) as bagle.J.

Regards.
Yoran

| -----Original Message-----
| From: full-disclosure-admin@...ts.netsys.com
| [mailto:full-disclosure-admin@...ts.netsys.com] On behalf of Kristian Hermansen
| Sent: Tuesday, 2 March 2004 23:34
| To: full-disclosure@...ts.netsys.com
| Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky
|
| Attached backdoor not recognized by Kaspersky or Norton 2004? I received
| this file recently, but Kaspersky did not detect malicious code. Wondering
| if any of you guys know about it or have analyzed it before? It is
| definitely NOT a text document. I opened it up with WinHex and see the file
| "yfivyjmg.exe" in there towards the beginning. Looks to be a packed exe
| within, and first few bytes are:
|
| 504B03040A0001000000C07E62309FE242510C300000003000000C00000079666
| 976796A6D67
| 2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE71
| 2E68000E55E
| E8A39241
|
| Last few bytes are:
|
| E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EA
| E0D2BA2A6EF
| 88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309
| FE242510C30
| 0000003000000C000000000000000100200000000000000079666976796A6D672
| E657865504B
| 050600000000010001003A000000363000000000
|
| I am reluctant to open the zip right now, as I fear it may be exploiting an
| overflow to run the EXE file within. I may try to open it on a virtual
| machine later, but if you guys do know anything about this one please let me
| know. It's nice and small too (12 KB)! Wonder if the guy wrote it himself.
| Of course, the IP address is spoofed to a University of Chicago machine. Is
| it even possible to trace back? I still have the full headers, but they
| looked nicely stripped to the gills. I have been receiving elevated attacks
| via email over the last few days, so maybe it is some guy on this list
| trying to get me ;-) One previous email stated that it was the FBI and to
| call a number listed in the email. This was most likely an attempt to get
| the number I was calling from. This guy thinks he's smooth...
|
| Kristian Hermansen
| khermansen@...technology.com
|
| -----Original Message-----
| From: management@...otoys.com [mailto:management@...ankedout}.com]
| Sent: Tuesday, March 02, 2004 5:03 PM
| To: webmaster@...ankedout}.com
| Subject: E-mail account security warning.
|
| Dear user of {blankedout}.com gateway e-mail server,
|
| Your e-mail account has been temporary disabled because of unauthorized
| access.
|
| For details see the attached file.
|
| For security purposes the attached file is password protected. Password
| is "65316".
|
| Best wishes,
| The {blankedout}.com team http://www.{blankedout}..com
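The header bytes quoted in the thread can be triaged without ever extracting the archive. The following is an added example, not code from the post or its authors: it decodes the ZIP local file header and end-of-central-directory record from the hex above and reports why a scanner saw nothing (stored, password-protected entry named yfivyjmg.exe).

```python
import struct

# Constructed from the hex quoted in the post: the 30-byte ZIP local file
# header plus the 12-byte entry name, and the 22-byte end-of-central-directory
# record from the "last few bytes". The encrypted payload bytes are omitted.
LOCAL_HEADER_HEX = ("504B03040A0001000000C07E62309FE242510C300000003000000C000000"
                    "79666976796A6D672E657865")
EOCD_HEX = "504B050600000000010001003A000000363000000000"

def parse_local_header(data: bytes) -> dict:
    """Decode a local file header (signature PK 03 04) from metadata alone."""
    if data[:4] != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    (_ver, flags, method, _time, _date, _crc,
     csize, usize, name_len, _extra_len) = struct.unpack("<HHHHHIIIHH", data[4:30])
    encrypted = bool(flags & 0x0001)   # general-purpose bit 0: traditional PKWARE encryption
    # PKWARE encryption prepends a 12-byte header to the entry data, so for a
    # stored (method 0) entry the compressed size must be usize + 12 when encrypted.
    expected = usize + (12 if encrypted else 0)
    return {
        "name": data[30:30 + name_len].decode("cp437"),
        "encrypted": encrypted,
        "method": method,               # 0 = stored, 8 = deflate
        "compressed_size": csize,
        "uncompressed_size": usize,
        "sizes_consistent": method != 0 or csize == expected,
    }

def archive_size_from_eocd(data: bytes) -> int:
    """Total archive length implied by the end-of-central-directory record."""
    if data[:4] != b"PK\x05\x06":
        raise ValueError("not a ZIP end-of-central-directory record")
    (_disk, _cd_disk, _n_disk, _n_total,
     cd_size, cd_offset, comment_len) = struct.unpack("<HHHHIIH", data[4:22])
    return cd_offset + cd_size + 22 + comment_len

def triage_notes(entry: dict) -> list:
    """Defender-side findings for one entry, derived from header fields only."""
    notes = []
    if entry["name"].lower().endswith((".exe", ".scr", ".pif", ".com", ".bat")):
        notes.append("executable inside archive")
    if entry["encrypted"]:
        notes.append("password-protected: content scanners cannot inspect the payload")
    if not entry["sizes_consistent"]:
        notes.append("size fields do not match the encryption header layout")
    return notes

if __name__ == "__main__":
    entry = parse_local_header(bytes.fromhex(LOCAL_HEADER_HEX))
    print(entry, triage_notes(entry), archive_size_from_eocd(bytes.fromhex(EOCD_HEX)))
```

The sizes (12300 compressed, 12288 uncompressed) and the 12422-byte total reconstructed from the end record match the "12 KB" the poster describes, and the set encryption bit is the reason signature scanners could not see the executable inside.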