Date: Tue Aug 9 02:50:51 2005
From: arjunior at attps.com.br (Armando Rogerio Brandão Guimaraes Junior)
Subject: What is this
This link came through MSN chat.
The IM worm inserted this link in chat.
Armando Guimarães Jr
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Ron
Sent: Monday, 08 August 2005 16:06
To: michael.ligh@...n.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] What is this
I've seen something very similar spreading as an IM worm. There's a
pretty good chance he got it from AIM or MSN. Of course, it could also
be a classic email worm, who knows?
Michael Hale wrote:
> Antivirus doesn't detect it because it's packed with ASProtect 1.2.x
> (using StudPE). You can see the difference when it's dumped out of RAM
> into its uncompressed/decrypted form (see VirusTotal results below).
> My interest is where you came across this URL. Can you provide that
> information?
>
> Scan results
> File: DUMPED.php
> Date: 08/08/2005 20:39:56 (CET)
> ----
> AntiVir 6.31.1.0/20050808 found [BDS/SdBot.Gen.Plus]
> Avast 4.6.695.0/20050808 found nothing
> AVG 718/20050807 found nothing
> Avira 6.31.1.0/20050808 found [BDS/SdBot.Gen.Plus]
> BitDefender 7.0/20050808 found nothing
> CAT-QuickHeal 7.03/20050808 found [(Suspicious) - DNAScan]
> ClamAV devel-20050725/20050808 found [Trojan.Mybot-312]
> DrWeb 4.32b/20050808 found [BackDoor.IRC.Sdbot.118]
> eTrust-Iris 7.1.194.0/20050806 found nothing
> eTrust-Vet 11.9.1.0/20050808 found [Win32.Slinbot]
> Fortinet 2.36.0.0/20050808 found [suspicious]
> F-Prot 3.16c/20050808 found nothing
> Ikarus 0.2.59.0/20050808 found nothing
> Kaspersky 4.0.2.24/20050808 found nothing
> McAfee 4552/20050808 found [New Malware.b]
> NOD32v2 1.1187/20050805 found [BAT/NoShare.L]
> Norman 5.70.10/20050805 found nothing
> Panda 8.02.00/20050808 found nothing
> Sophos 3.96.0/20050808 found nothing
> Sybari 7.5.1314/20050808 found [Win32.Slinbot]
> Symantec 8.0/20050808 found [W32.Randex]
> TheHacker 5.8.2.082/20050808 found nothing
> VBA32 3.10.4/20050808 found [suspected of Backdoor.RxBot.2]
>
> On 8/8/05, trains@...torunix.com <trains@...torunix.com> wrote:
>
>>Quoting Armando Rogerio Brandão Guimaraes Junior <arjunior@...ps.com.br>:
>>
>>
>>>Somebody know what fuck is this? http://www.pokersverige.se/IMAGE0004.php
>>>AntiVirus and SpyBot doesn't detect!!!
>>>
>>>Armando Guimarães Jr
>>
>>It is an MS-EXE executable program. Antivirus doesn't find it because
>>it is not a virus. Spybot for the same reason. To block these you
>>need an SMTP policy that does not allow executable attachments to
>>incoming emails.
>>
>>"What it does" could be anything from typing "hello world" in a dialog
>>box (unlikely) to creating a new Administrator account on your
>>corporate AD server and posting the entire contents thereof to an IRC
>>channel (somewhat more likely). But at first glance it looks like it
>>is going to open a backdoor shell on the recipient's PC.
>>
>>tc
>>
>>
>>
>>----------------------------------------------------------------
>>This message was sent using IMP, the Internet Messaging Program.
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/