Message-ID: <41410F49.8030205@austarnet.com.au>
From: spamtrap2 at austarnet.com.au (James Woodcock)
Subject: Any idea about that?

Syed Imran Ali wrote:

 > I received this file through email (Yahoo); nothing was detected by
 > Yahoo or NAV 2003. According to my understanding this is some kind of
 > worm or IRC bot. I found this file making connections on ports 6667
 > and 6660 and opening major important ports on the infected PC.


The zip file contains a file called sexygirl.exe. It's actually just an 
HTML document that gives a download link for another file called 
"sexygirl.exe" from www.pcpages.com/imbonga/

On Mozilla 1.7, I still needed to click on the link to start the 
download, but there is this JavaScript in there that might do something 
under the right conditions?

 > document.write("<A HREF='http://banner2.inet-traffic.com/oasisc.php?s=3&w=300&h=60&cb=" + spreeaddatestr + "'>")
 > document.write("<IMG SRC='http://banner2.inet-traffic.com/oasisi.php?s=3&w=300&h=60&cb=" + spreeaddatestr + "?' WIDTH=468 HEIGHT=60 BORDER=0 ALT='Click Here'></A>")


The spreeaddatestr is clear enough (a set of time values, for tracking 
the spread?), but what oasisc.php is doing with those values, who knows?

Anyway, I sent the second sexygirl.exe file off to VirusTotal and here are 
the results:

Scan results from VirusTotal
  File: sexygirl2.exe
  Date: 09/10/2004 03:38:33
----
BitDefender	7.0/20040909		found [Backdoor.SDBot.Gen]
NOD32v2		1.867/20040909		found [prob. unknown NewHeur_PE]
Norman		5.70.10/20040909	found [W32/Backdoor]
Panda		7.02.00/20040909	found [W32/Gaobot.gen.worm]
Sybari		7.5.1314/20040910	found [Win32/IRCBot.Variant]
McAfee		4390/20040908		found nothing
McAfee		4390/20040908		found nothing
Symantec	8.0/20040909		found nothing
TrendMicro	7.000/20040908		found nothing
ClamWin	     devel-20040822/20040908	found nothing

That's the nasty one.

James

--
This isn't life in the fast lane, this is life in the oncoming traffic!
					...Terry Pratchett
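As an added example (not part of James's message), a small Python parser for the plain-text VirusTotal report format quoted above: it collapses repeated engine lines, separates named verdicts from heuristic or generic ones, and gives a detection count for triage. The report text is the one from the message, embedded so the script runs offline; the heuristic keywords are an assumption.

```python
import re
from collections import OrderedDict

# Report text copied from the message above, embedded for offline use.
REPORT = """Scan results from VirusTotal
  File: sexygirl2.exe
  Date: 09/10/2004 03:38:33
----
BitDefender\t7.0/20040909\t\tfound [Backdoor.SDBot.Gen]
NOD32v2\t\t1.867/20040909\t\tfound [prob. unknown NewHeur_PE]
Norman\t\t5.70.10/20040909\tfound [W32/Backdoor]
Panda\t\t7.02.00/20040909\tfound [W32/Gaobot.gen.worm]
Sybari\t\t7.5.1314/20040910\tfound [Win32/IRCBot.Variant]
McAfee\t\t4390/20040908\t\tfound nothing
McAfee\t\t4390/20040908\t\tfound nothing
Symantec\t8.0/20040909\t\tfound nothing
TrendMicro\t7.000/20040908\t\tfound nothing
ClamWin\t     devel-20040822/20040908\tfound nothing
"""

# engine, version/sigdate, then either "found [verdict]" or "found nothing"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+found (?:\[(.+)\]|nothing)$")
# Assumed markers of heuristic or generic (family-less) verdicts.
GENERIC_RE = re.compile(r"prob\.|heur|generic|\.gen\b", re.IGNORECASE)


def parse_report(text):
    """Return (file name, {engine: (version, verdict or None)})."""
    filename = None
    results = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("File:"):
            filename = line.split(":", 1)[1].strip()
            continue
        m = LINE_RE.match(line)
        if m:
            engine, version, verdict = m.groups()
            results[engine] = (version, verdict)  # duplicate engine lines collapse
    return filename, results


def summarize(results):
    """Split detections into named-family vs heuristic/generic verdicts."""
    detected = {e: v for e, (_, v) in results.items() if v is not None}
    generic = {e for e, v in detected.items() if GENERIC_RE.search(v)}
    return {
        "engines": len(results),
        "detected": len(detected),
        "generic_or_heuristic": sorted(generic),
        "named": sorted(e for e in detected if e not in generic),
    }


if __name__ == "__main__":
    name, res = parse_report(REPORT)
    print(name, summarize(res))
```

Only two of the five hits name a family outright; the rest are generic or heuristic verdicts, which is why a low engine count on a fresh sample is not the same as a clean result.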

