| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6d456c3604080915221541d5b7@mail.gmail.com> From: tremaine at gmail.com (Tremaine) Subject: New Bagle variant The worm itself is packed with PeX, uses its own SMTP engine and contains a Mitglieder-like downloader. It also opens a backdoor using TCP and UDP port 2480 on the compromised machine. The virus will transmit over SMTP, P2P and SMB. The following reg keys will be present: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\win_upd2. exe = %System%\WINdirect.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\erthgdr = %System%\windll.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n The zip file contains non-functional code to password protect the zip. It will attempt to send itself to email addresses it gathers from the system from files with the following extensions on the compromised system: .adb .asp .cfg .cgi .dbx .dhtm .eml .htm .jsp .mbx .mdx .mht .mmf .msg .nch .ods .oft .php .pl .sht .shtm .stm .tbb .txt .uin .wab .wsh .xls .xml -- Tremaine IT Security Consultant
Powered by blists - more mailing lists