lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <42F0DDC9.5929.682293E8@localhost>
Date: Wed Aug  3 04:08:17 2005
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Virus on web site

Peter B. Harvey wrote:

> An update the Virus is a HAXDOOR variant which is a backdoor.
> Symantec and Trend also now detect it.

And most other "major" AV engines -- about an hour before you posted, I 
got this result from 22 virus scanners with different engines:

   Win32:Haxdoor-AE [Trj]
   BDS/Haxdoor.DW.1
   BackDoor.Generic.HKX
   Backdoor.Win32.Haxdoor.dw
   BackDoor.Haxdoor
   BackDoor-BAC.gen.b
   Backdoor.Win32.Haxdoor.DW
   Trojan Horse
   Win32/Haxdoor
   Bck/Haxdoor.DG
   BKDR_HAXDOOR.CI
   Troj/Haxdor-Gen
   Win32.Haxdoor.AF
   Win32/Banker.50353!Trojan
   Backdoor.Haxdoor.DM1

> The virus is spread by an iframe or link in an email asking to go to
> a compromised website. The latest site seen is:
> http://crbmarketing.[...]
> 
> This opens up a two frame page with A hotmail look alike login screen
> which appears to be used to steal passport credentials to anyone
> foolish enough to enter them.
> 
> The other frame is only a couple of pizels high at the top. This
> opens an IFRAME to
> http://crbmarketing.[...]
> 
> This page looks like an advert for a samsung phone but contains two
> objects
> http://crbmarketing.[...]
> 
> 
> http://crbmarketing.[...]
> JS_PSYME.AT
> 
> These emails will get past most content scanners as they are just an
> HTML email. SPAM engines might catch them.
> 
> A new variant just came in and it appears to be just using the
> javascript component
> http://mistysunshine.[...]
> IFRAME at the top points to
> http://besttraff.[...]
> 
> Again have Javascript turned off before looking at the sites

All those sites are now returning "closed for maintenance" or "closed 
for ToS abuse" style pages...


Regards,

Nick FitzGerald

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ