lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <9E97F0997FB84D42B221B9FB203EFA271715C9@dc1ms2.msad.brookshires.net>
From: toddtowles at brookshires.com (Todd Towles)
Subject: New virus?

Has anyone been able to grab the files from the BR domain server? Are
they using the JPEG hole..just it is just a pishing type thing? 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of the rxmr
Sent: Monday, September 27, 2004 2:14 PM
To: Bernardo Santos Wernesback
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] New virus?

----- Original Message -----
From: Bernardo Santos Wernesback <bernardo@....com.br>
Date: Mon, 27 Sep 2004 14:44:58 -0300
Subject: [Full-Disclosure] New virus?
To: full-disclosure@...ts.netsys.com

 
Hi everyone, 
  
Has anyone seen a lot of HTTP activity to a certain site:
http://www.fotosgratis.pop.com.br ?
  
One of our clients has several machines making tons of requests for TXT
files on that server:
  
botao.txt
mswinsck.txt
ita01.txt
caixa01.txt
teclado07.txt
caixa01.txt
caixa02.txt
caixa03.txt
caixa04.txt
caixa05.txt 
  
Thanks for any info., 
 
 

_____________________________________________________ 
 

Bernardo Santos Wernesback 

 
 

ESSE,ESS,SCSE,CCNA/DA, 
 

CCSA,CQS,MCP 
 

  
 


Consultant / ISH Tecnologia  

  
 

Phone: +55-27-3334-8900 

 
 

Mobile: +55-27-8111-0884 
 

Email: bernardo@....com.br 

  PGP Fingerprint:
   6A42 3701 70D7 FD0F 5FA9  D232 CDD4 6189 EF43 95F5  
  
This should answer your quetions.

It is a trojan - TROJ_BANCOS.BW or a variant.

http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?V
name=TROJ_BANCOS.BW

>From the page:

"
Description:

This Trojan attempts to download the following image files in the folder
%Windows%\inf:

    * botao.bmp
    * caixa01.jpg
    * caixa02.jpg
    * caixa04.jpg
    * caixa05.jpg
    * ita01.jpg
    * teclado_05.jpg
    * teclado_07.jpg
    * teclado_gere03.jpg
    * teclado_gere04.jpg
    * teclado_gere05.jpg
    * teclado_gere06.jpg
"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ