Bugtraq mailing list archives
Re: what is this?
From: Jose Nazario <jose () monkey org>
Date: Mon, 14 Jan 2008 10:44:13 -0500 (EST)
On Sun, 13 Jan 2008, crazy frog crazy frog wrote:
http://secgeeks.com/what.zip password is 12345 can somebody guide/help me what is this and how can i remove it?
te file you sent here contains a bunch of embeded nulls (every other character is 00). stripping those out reveals ...
that it's a collection of browser exploits. by the looks of it it's MPack and uses the heapspray slide stuff.
the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead) as a local file c:\\mosvs8.exe and then run it.
very common exploit scenario these days (but they usually have some form of js obfuscation going on).
i hope this helps. ________ jose nazario, ph.d. http://monkey.org/~jose/
Current thread:
- what is this? crazy frog crazy frog (Jan 14)
- Re: what is this? crazy frog crazy frog (Jan 14)
- Re: what is this? Robert McArdle (Jan 14)
- Re: [Full-disclosure] what is this? 3APA3A (Jan 14)
- Re: [Full-disclosure] what is this? Nick FitzGerald (Jan 14)
- Re: [Full-disclosure] what is this? crazy frog crazy frog (Jan 14)
- Re: [Full-disclosure] what is this? Nick FitzGerald (Jan 14)
- Re: what is this? Jose Nazario (Jan 14)
- Re: what is this? crazy frog crazy frog (Jan 14)
- RE: what is this? Mario Contestabile (Jan 14)
- Re[2]: [Full-disclosure] what is this? 3APA3A (Jan 14)
- Message not available
- Re: what is this? Robert McArdle (Jan 14)
- Re: what is this? crazy frog crazy frog (Jan 14)
- Re: what is this? Gadi Evron (Jan 14)
- Re: what is this? Denis (Jan 15)
- Re: what is this? crazy frog crazy frog (Jan 15)
- Re: [Full-disclosure] what is this? Nick FitzGerald (Jan 15)
- Re: [Full-disclosure] what is this? crazy frog crazy frog (Jan 15)
- Re: [Full-disclosure] what is this? Gadi Evron (Jan 15)
- Re: what is this? crazy frog crazy frog (Jan 15)