Full Disclosure mailing list archives
Re: Sears Scam Trojan Code
From: "Michael Bemmerl" <security () astrobox net>
Date: Thu, 25 Dec 2003 20:19:49 +0100
Hello list!
Hi, usb_d.exe is a UPX packed executable of 24769 bytes (MD5: 32618578cedbfe8b73bbf975e23be1fc) - [info for my broken PE]
It's UPX 1.90 (beta) packed, but I get another MD5 sum:

    c8448185f7bf5c6cc702f4df24d9aa33 *usb_d.exe (decompressed)
    b33ddfe16b2a11719aef76f3e24c7e04 *Kopie von usb_d.exe (original)

The sums were created with fsum 2.5.
Please post full details when you analyze this file, I will be very interested to know how you do it properly.
The program has a menu:

    POPUP "&File"
    {
        MENUITEM "E&xit", 105
    }
    POPUP "&Help"
    {
        MENUITEM "&About ...", 104
    }

The About-dialog has four controls:

    CONTROL 107, 2, STATIC, SS_ICON | WS_CHILD | WS_VISIBLE, 14, 9, 16, 16
    CONTROL "__ Version 1.0", -1, STATIC, SS_LEFT | SS_NOPREFIX | WS_CHILD | WS_VISIBLE | WS_GROUP, 49, 10, 119, 8
    CONTROL "Copyright (C) 2003", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 49, 20, 119, 8
    CONTROL "OK", 1, BUTTON, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_GROUP | WS_TABSTOP, 195, 6, 30, 11

String-Table:

    103, "__"
    106, "Hello World!"
    109, "__"

After offset 0xB030 come some socket status messages (like "Error creating server socket", "Error creating socket") and an HTTP request header to the domain cjdra.com. It puts a link to its location in Software\Microsoft\Windows\CurrentVersion\Run.

To me it seems to be a proxy server or something which gets its commands from cjdra.com to perform a sort of DDoS or something.

XMas greets from Germany,
Michael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
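A small triage helper, added here as an example and not code from Michael or anyone on the thread: it walks the PE headers by hand to spot the UPX0/UPX1 section names that explain why the packed and decompressed hashes differ, hashes the file, and scans for the socket error strings, the cjdra.com domain and the Run key mentioned above. The PE-shaped sample it builds is constructed for testing and is not the real usb_d.exe.

```python
import hashlib
import re
import struct

# Indicator patterns taken from the observations in the post above.
INDICATORS = [
    rb"Error creating (server )?socket",
    rb"cjdra\.com",
    rb"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]

def build_sample_pe(names, payload):
    """Constructed, minimal PE-shaped blob for testing (NOT the real usb_d.exe)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE signature at offset 0x40
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 in this sample), Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    sect_tbl = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + file_hdr + sect_tbl + payload

def section_names(data):
    """Walk the PE headers by hand and return the section names (no pefile needed)."""
    if len(data) < 64 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n_sections)]

def is_upx_packed(data):
    """UPX names its sections UPX0/UPX1: a cheap but useful packer heuristic."""
    return any(name.startswith("UPX") for name in section_names(data))

def find_indicators(data):
    """Return the indicator strings present in the file, in pattern order."""
    return [m.group(0).decode() for pat in INDICATORS for m in re.finditer(pat, data)]

def triage(data):
    """Hash, size, packer check and indicator scan in one record."""
    return {"md5": hashlib.md5(data).hexdigest(), "size": len(data),
            "upx_packed": is_upx_packed(data), "indicators": find_indicators(data)}
```

Run `triage(open(path, "rb").read())` on a sample before and after unpacking to see the hash change while the indicators stay.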
Current thread:
- Sears Scam Trojan Code segfault (Dec 25)
- Re: Sears Scam Trojan Code Richard Maudsley (Dec 25)
- Re: Sears Scam Trojan Code Paul Tinsley (Dec 25)
- Re: Sears Scam Trojan Code Michael Bemmerl (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 27)
- Re: Sears Scam Trojan Code Nick FitzGerald (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 26)
- <Possible follow-ups>
- Re: Sears Scam Trojan Code Feher Tamas (Dec 26)
- Re: Sears Scam Trojan Code Richard Maudsley (Dec 25)