lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <9E97F0997FB84D42B221B9FB203EFA271715C7@dc1ms2.msad.brookshires.net>
From: toddtowles at brookshires.com (Todd Towles)
Subject: New virus?

Looks like WINKERNEL132.EXE is the dropper file. The server that is
offering those files is pretty tight, but the Apache isn't setup
correctly. You can get any file...including the passwd file. Nessus
reported this, don't have time to find out...just FYI.

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of the rxmr
Sent: Monday, September 27, 2004 2:14 PM
To: Bernardo Santos Wernesback
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] New virus?

----- Original Message -----
From: Bernardo Santos Wernesback <bernardo@....com.br>
Date: Mon, 27 Sep 2004 14:44:58 -0300
Subject: [Full-Disclosure] New virus?
To: full-disclosure@...ts.netsys.com

 
Hi everyone, 
  
Has anyone seen a lot of HTTP activity to a certain site:
http://www.fotosgratis.pop.com.br ?
  
One of our clients has several machines making tons of requests for TXT
files on that server:
  
botao.txt
mswinsck.txt
ita01.txt
caixa01.txt
teclado07.txt
caixa01.txt
caixa02.txt
caixa03.txt
caixa04.txt
caixa05.txt 
  
Thanks for any info., 
 
 

_____________________________________________________ 
 

Bernardo Santos Wernesback 

 
 

ESSE,ESS,SCSE,CCNA/DA, 
 

CCSA,CQS,MCP 
 

  
 


Consultant / ISH Tecnologia  

  
 

Phone: +55-27-3334-8900 

 
 

Mobile: +55-27-8111-0884 
 

Email: bernardo@....com.br 

  PGP Fingerprint:
   6A42 3701 70D7 FD0F 5FA9  D232 CDD4 6189 EF43 95F5  
  
This should answer your quetions.

It is a trojan - TROJ_BANCOS.BW or a variant.

http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?V
name=TROJ_BANCOS.BW

>From the page:

"
Description:

This Trojan attempts to download the following image files in the folder
%Windows%\inf:

    * botao.bmp
    * caixa01.jpg
    * caixa02.jpg
    * caixa04.jpg
    * caixa05.jpg
    * ita01.jpg
    * teclado_05.jpg
    * teclado_07.jpg
    * teclado_gere03.jpg
    * teclado_gere04.jpg
    * teclado_gere05.jpg
    * teclado_gere06.jpg
"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ