Message-ID: <6587.1078313647@www62.gmx.net>
From: Borbarad at gmxpro.net (Oliver Schneider)
Subject: Backdoor not recognized by Kaspersky

I agree that it might be Bagle.J, but F-Risk claims it's:

"The unpacked file's size is over 49 kilobytes."

For me it was:

yfivyjmg.exe was UPXed and has:
MD5: b2e0559c9c3cea7bb7c37daec64e0f88
Size: 12288 Bytes

yfivyjmg.exe unpacked has:
MD5: 58f05e9519b3bd825fd6af936f4b2aed
Size: 22016 Bytes

The EXE itself does the following:
---------------------------------------------------------------------
- Initializes COM
- Then it writes itself into the Run-Key in registry using different names
...
...
...
- The following text describes something about the intentions:

    db '############################################################'
    db '##################',0Dh,0Ah
    db 'Hey, NetSky, fuck off you bitch, don',27h,'t ruine our bussi'
    db 'ness, wanna start a war?',0Dh,0Ah
    db 0Dh,0Ah,0
    db 0

; It's all about spam sent via trojan-proxies, as uncovered by the German
computer magazine c't recently. -> http://www.heise.de/ct/

The "virus" obviously has backdoor capabilities. It has its own SMTP engine,
several strings which may appear in the mails sent (social engineering part),
and the ZIP was password protected just because of the social engineering!
Also it searches for "shar" in folder names and copies itself there under the
following names:

    'Microsoft Office 2003 Crack, Working!.exe',0
    'Microsoft Office XP working Crack, Keygen.exe',0
    'Microsoft Windows XP, WinXP Crack, working Keygen.exe',0
    'Porno Screensaver.scr',0
    'Porno, sex, oral, anal cool, awesome!!.exe',0
    'Porno pics arhive, xxx.exe',0
    'Serials.txt.exe',0
    'Windown Longhorn Beta Leak.exe',0
    'Windows Sourcecode update.doc.exe',0
    'XXX hardcore images.exe',0
    'Opera 8 New!.exe',0
    'WinAmp 5 Pro Keygen Crack Update.exe',0
    'WinAmp 6 New!.exe',0
    'Matrix 3 Revolution English Subtitles.exe',0
    'Adobe Photoshop 9 full.exe',0
    'Ahead Nero 7.exe',0
    'ACDSee 9.exe',0

All these strings and the message strings for the faked emails look much like
the Bagle.J description from F-Risk. Maybe they stripped something from it.
I just skimmed the description, didn't really read it ;)

Well, that's probably a brand-new worm ;) -> Bagle.K?

Oliver
-- 
---------------------------------------------------
May the source be with you, stranger ;)

Contacts / Kontakte
eMail: Assarbad@....net|info|de|com
ICQ UIN #281645
http://assarbad.org & http://assarbad.net & http://assarbad.info
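The indicators in the message above (the two MD5 sums, the UPX packing, the "shar" folder-name match and the list of dropped filenames) are enough for a simple host-side sweep. The script below is an added example written for this archive page; it is not code from the original post or from any AV vendor. It assumes the folder-name match is case-insensitive, uses the "UPX0"/"UPX1"/"UPX!" markers that stock UPX leaves in a PE as a packing heuristic, and builds a constructed sample tree (a harmless stub named like one of the dropped files, plus a benign text file) in a temporary directory so it runs offline; the function names are this example's own.

```python
"""Sweep a directory tree for the Bagle-variant indicators given in the post.

Added example, not part of the original message. The MD5 sums, the dropped
filenames and the "shar" folder rule come from the post; the function names,
the UPX heuristic and the sample tree are this example's own assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 hashes quoted in the post for the packed and unpacked sample.
KNOWN_MD5 = {
    "b2e0559c9c3cea7bb7c37daec64e0f88": "yfivyjmg.exe, UPX-packed (12288 bytes)",
    "58f05e9519b3bd825fd6af936f4b2aed": "yfivyjmg.exe, unpacked (22016 bytes)",
}

# Filenames the post lists for copies dropped into folders whose name contains "shar".
DROPPED_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno pics arhive, xxx.exe",
    "Serials.txt.exe",
    "Windown Longhorn Beta Leak.exe",
    "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
    "Opera 8 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "WinAmp 6 New!.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "Adobe Photoshop 9 full.exe",
    "Ahead Nero 7.exe",
    "ACDSee 9.exe",
}

# Section names and marker that stock UPX leaves in a packed PE (heuristic, not proof).
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def md5_of(path):
    """Hex MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_upx_packed(path):
    """True if the file starts with an MZ header and carries a UPX marker."""
    data = Path(path).read_bytes()
    return data[:2] == b"MZ" and any(m in data for m in UPX_MARKERS)


def is_share_folder(dirpath):
    """The post says the worm looks for "shar" in folder names; matching
    case-insensitively is an assumption of this example."""
    return "shar" in os.path.basename(dirpath).lower()


def scan_tree(root):
    """Walk root and return [(path, [reasons...])] for every file hitting an indicator."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        share_dir = is_share_folder(dirpath)
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = []
            digest = md5_of(full)
            if digest in KNOWN_MD5:
                reasons.append("MD5 matches " + KNOWN_MD5[digest])
            if share_dir and name in DROPPED_NAMES:
                reasons.append("known dropped filename in a share folder")
            if name.lower().endswith((".exe", ".scr")) and looks_upx_packed(full):
                reasons.append("UPX-packed executable")
            if reasons:
                findings.append((full, reasons))
    return findings


def build_sample_tree(base):
    """Constructed tree for the demo: a harmless stub (MZ header plus UPX
    markers, nothing executable) under a shared folder, and a benign file."""
    share = Path(base) / "My Shared Folder"
    share.mkdir(parents=True, exist_ok=True)
    stub = b"MZ" + b"\x00" * 62 + b"UPX0UPX1UPX!"
    (share / "Serials.txt.exe").write_bytes(stub)
    docs = Path(base) / "docs"
    docs.mkdir(exist_ok=True)
    (docs / "notes.txt").write_text("nothing to see here")


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="bagle-scan-")
    build_sample_tree(base)
    return scan_tree(base)


if __name__ == "__main__":
    for path, reasons in run_demo():
        print(path)
        for r in reasons:
            print("   -", r)
```

Point `scan_tree()` at a real share root instead of the demo tree to use it; the hash check is exact, while the filename and UPX checks are heuristics and only say a file deserves a closer look.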