Message-ID: <6587.1078313647@www62.gmx.net>
From: Borbarad at gmxpro.net (Oliver Schneider)
Subject: Backdoor not recognized by Kaspersky

I agree that it might be Bagle.J, but F-Risk claims it's:

"The unpacked file's size is over 49 kilobytes."

For me it was:

yfivyjmg.exe was UPXed and has:
            MD5:  b2e0559c9c3cea7bb7c37daec64e0f88
            Size: 12288 Bytes
yfivyjmg.exe unpacked has:
            MD5:  58f05e9519b3bd825fd6af936f4b2aed
            Size: 22016 Bytes

The EXE itself does the following:
---------------------------------------------------------------------
- Initializes COM
- Then it writes itself into the Run-Key in registry
  using different names
...
...
...
- The following text describes something about the intentions:
db '############################################################'
db '##################',0Dh,0Ah
db 'Hey, NetSky, fuck off you bitch, don',27h,'t ruine our bussi'
db 'ness, wanna start a war?',0Dh,0Ah
db 0Dh,0Ah,0
db    0 ;
      
It's all about spam sent via trojan-proxies, as uncovered by the
German computer magazine c't recently. -> http://www.heise.de/ct/

The "virus" obviously has backdoor capabilities. It has its own SMTP
engine and several strings which may appear in the mails sent (social
engineering part), and the ZIP was password protected just because of
the social engineering!
Also it searches for "shar" in folder names and copies itself there
under the following names:

'Microsoft Office 2003 Crack, Working!.exe',0
'Microsoft Office XP working Crack, Keygen.exe',0
'Microsoft Windows XP, WinXP Crack, working Keygen.exe',0
'Porno Screensaver.scr',0
'Porno, sex, oral, anal cool, awesome!!.exe',0
'Porno pics arhive, xxx.exe',0
'Serials.txt.exe',0
'Windown Longhorn Beta Leak.exe',0
'Windows Sourcecode update.doc.exe',0
'XXX hardcore images.exe',0
'Opera 8 New!.exe',0
'WinAmp 5 Pro Keygen Crack Update.exe',0
'WinAmp 6 New!.exe',0
'Matrix 3 Revolution English Subtitles.exe',0
'Adobe Photoshop 9 full.exe',0
'Ahead Nero 7.exe',0
'ACDSee 9.exe',0

All these strings and the message string for the faked emails look much
like the Bagle.J description from F-Risk. Maybe they stripped something
from it. I just skimmed the description, didn't really read it ;)

Well, that's probably a brand-new worm ;) -> Bagle.K?

Oliver

-- 
---------------------------------------------------
May the source be with you, stranger ;)

Contacts / Kontakte
eMail: Assarbad@....net|info|de|com
ICQ UIN #281645
http://assarbad.org & http://assarbad.net & http://assarbad.info
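A small triage script, added here as an example and not part of Oliver's message or any vendor tool: it walks a directory tree, looks only into folders whose names contain "shar" (the worm's own target selection), and flags files that carry one of the lure names listed above or that hash to one of the two quoted MD5s. The root directory argument and the reason strings are my own assumptions.

```python
import hashlib
import os

# Indicators quoted in the message above (packed and unpacked sample).
KNOWN_MD5 = {
    "b2e0559c9c3cea7bb7c37daec64e0f88",  # yfivyjmg.exe, UPX packed, 12288 bytes
    "58f05e9519b3bd825fd6af936f4b2aed",  # yfivyjmg.exe, unpacked, 22016 bytes
}

# Lure names the worm uses when copying itself into "shar*" folders.
LURE_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno pics arhive, xxx.exe",
    "Serials.txt.exe",
    "Windown Longhorn Beta Leak.exe",
    "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
    "Opera 8 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "WinAmp 6 New!.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "Adobe Photoshop 9 full.exe",
    "Ahead Nero 7.exe",
    "ACDSee 9.exe",
}

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def scan_shares(root):
    """Return (path, reason) pairs for suspicious files in any directory
    under root whose relative path contains 'shar' (Shared, share, ...),
    mirroring the folder selection described in the message."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" not in os.path.relpath(dirpath, root).lower():
            continue  # the worm does not drop copies elsewhere
        for name in files:
            path = os.path.join(dirpath, name)
            if name in LURE_NAMES:
                hits.append((path, "lure filename"))
            elif name.lower().endswith((".exe", ".scr")) and md5_of(path) in KNOWN_MD5:
                hits.append((path, "known sample MD5"))
    return sorted(hits)
```

A hit on "lure filename" alone is a strong signal, since these names are unlikely to appear legitimately; the MD5 check catches copies dropped under names not on the list.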