Date: Mon Aug  8 19:48:42 2005
From: michael.hale at gmail.com (Michael Hale)
Subject: What is this

Anti-virus doesn't detect it because it's packed with ASProtect 1.2.x
(using StudPE). You can see the difference when it's dumped out of RAM
into its uncompressed/decrypted form (see VirusTotal results below).
My interest is where you came across this URL. Can you provide that
information?

Scan results
 File: DUMPED.php
 Date: 08/08/2005 20:39:56 (CET)
----
AntiVir 6.31.1.0/20050808       found [BDS/SdBot.Gen.Plus]
Avast   4.6.695.0/20050808      found nothing
AVG     718/20050807    found nothing
Avira   6.31.1.0/20050808       found [BDS/SdBot.Gen.Plus]
BitDefender     7.0/20050808    found nothing
CAT-QuickHeal   7.03/20050808   found [(Suspicious) - DNAScan]
ClamAV  devel-20050725/20050808 found [Trojan.Mybot-312]
DrWeb   4.32b/20050808  found [BackDoor.IRC.Sdbot.118]
eTrust-Iris     7.1.194.0/20050806      found nothing
eTrust-Vet      11.9.1.0/20050808       found [Win32.Slinbot]
Fortinet        2.36.0.0/20050808       found [suspicious]
F-Prot  3.16c/20050808  found nothing
Ikarus  0.2.59.0/20050808       found nothing
Kaspersky       4.0.2.24/20050808       found nothing
McAfee  4552/20050808   found [New Malware.b]
NOD32v2 1.1187/20050805 found [BAT/NoShare.L]
Norman  5.70.10/20050805        found nothing
Panda   8.02.00/20050808        found nothing
Sophos  3.96.0/20050808 found nothing
Sybari  7.5.1314/20050808       found [Win32.Slinbot]
Symantec        8.0/20050808    found [W32.Randex]
TheHacker       5.8.2.082/20050808      found nothing
VBA32   3.10.4/20050808 found [suspected of Backdoor.RxBot.2]

On 8/8/05, trains@...torunix.com <trains@...torunix.com> wrote:
> Quoting Armando Rogerio Brandão Guimaraes Junior <arjunior@...ps.com.br>:
> 
> > Somebody know what fuck is this? http://www.pokersverige.se/IMAGE0004.php
> > AntiVirus and SpyBot doesn't detect!!!
> >
> > Armando Guimarães Jr
> 
> It is an MS-EXE executable program.  Anti-virus doesn't find it because
> it is not a virus.  Spybot for the same reason.  To block these you
> need an SMTP policy that does not allow executable attachments to
> incoming emails.
> 
> "What it does" could be anything from typing "hello world" in a dialog
> box (unlikely) to creating a new Administrator account on your
> corporate AD server and posting the entire contents thereof to an IRC
> channel (somewhat more likely).  But at first glance it looks like it
> is going to open a backdoor shell on the recipient's PC.
> 
> tc
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

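Two points in this thread are checks a defender can automate: an attachment named IMAGE0004.php that is really an MS-EXE (tc's reply), and a packed binary that only matched signatures once it was dumped from memory (Michael's scan). The Python below is an added example, not code from either poster: it identifies a PE by its MZ and PE signatures regardless of the file extension, and computes per-section Shannon entropy as a packing heuristic, since compressed or encrypted sections approach 8 bits per byte while ordinary code and data sit well below. The 7.0 threshold, the minimal PE images it builds, and the sample file names are assumptions constructed for the example; nothing here reconstructs the file from the thread.

```python
import math
import random
import struct

# Heuristic threshold (assumed for this example): compressed or encrypted data approaches
# 8 bits of entropy per byte; ordinary x86 code and plain data sit well below it.
PACKED_ENTROPY = 7.0


def is_pe(blob):
    """True when the bytes carry the MZ and PE\\0\\0 signatures, whatever the extension says."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew
    return len(blob) >= pe_off + 4 and blob[pe_off:pe_off + 4] == b"PE\0\0"


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob):
    """Yield (name, raw_bytes) for each entry in the section table of a PE image."""
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    num_sections = struct.unpack_from("<H", blob, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # signature (4) + COFF header (20) + optional header
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]


def triage(filename, blob):
    """Report whether a file is really a PE and which sections look compressed or encrypted."""
    report = {"filename": filename, "is_pe": is_pe(blob), "sections": [], "likely_packed": False}
    if not report["is_pe"]:
        return report
    for name, raw in pe_sections(blob):
        ent = shannon_entropy(raw)
        high = bool(raw) and ent >= PACKED_ENTROPY
        report["sections"].append({"name": name, "size": len(raw), "entropy": round(ent, 2), "high_entropy": high})
        report["likely_packed"] = report["likely_packed"] or high
    return report


def build_sample_pe(sections):
    """Constructed test input: a minimal PE32 image (not loadable) with the given (name, data) sections."""
    num = len(sections)
    pe_off, opt_size = 0x80, 0xE0
    raw_off = (pe_off + 24 + opt_size + 40 * num + 0x1FF) & ~0x1FF  # 0x200-aligned like a real linker
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table, data, off = bytearray(), bytearray(), raw_off
    for name, payload in sections:
        # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/line-number pointers and counts (unused here), Characteristics (CODE|EXECUTE|READ)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(payload), 0, len(payload), off,
                             0, 0, 0, 0, 0x60000020)
        data += payload
        off += len(payload)
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (raw_off - len(image))
    return bytes(image + data)


# Constructed samples: a PE whose second section is random bytes (standing in for a packed payload),
# a PE with only low-entropy content, and a PHP snippet that is not an executable at all.
rng = random.Random(2005)
SAMPLE_PACKED = build_sample_pe([(b".text", b"hello world\0" * 200), (b".data", rng.randbytes(4096))])
SAMPLE_PLAIN = build_sample_pe([(b".text", b"hello world\0" * 200), (b".data", b"\0" * 1024)])
SAMPLE_PHP = b"<?php echo 'not an executable'; ?>\n"


def sample_reports():
    """Run the triage over the three constructed inputs, each misleadingly named .php."""
    return [triage("sample_packed.php", SAMPLE_PACKED),
            triage("sample_plain.php", SAMPLE_PLAIN),
            triage("sample_script.php", SAMPLE_PHP)]


if __name__ == "__main__":
    for report in sample_reports():
        print(report)
```

The entropy check is a triage signal, not a verdict: a legitimately compressed resource section also scores high, and a packer can pad its payload to lower the reading. Its value is that it works on the file as received, before the sample has to be run or dumped from memory the way the scan above required.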