Full Disclosure mailing list archives
RE: http://federalpolice.com:article872@1075686747
From: "Remko Lodder" <remko () elvandar org>
Date: Mon, 16 Feb 2004 01:14:27 +0100
Hi, Just wanted to reply on this my Mailscanner reported this: Our content checker found virus: TrojanSpy.Agent.D in an email to you from: stating this from the message Nicola send. I think that could give some more info. Anyways. My AV scanner is ClamAV. Cheers. -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene mrtg.grunn.org Dutch mirror of MRTG -----Oorspronkelijk bericht----- Van: full-disclosure-bounces () lists elvandar org [mailto:full-disclosure-bounces () lists elvandar org]Namens Erik van Straten Verzonden: zondag 15 februari 2004 23:40 Aan: Nicola Fankhauser CC: full-disclosure () lists netsys com Onderwerp: Re: [Full-Disclosure] http://federalpolice.com:article872@1075686747 Hi Nicola, It's not a zip file, not an applet, but a plain EXE file. Seems compressed somehow, no time to figure it out now. Dunno why Mozilla runs this (I don't like it). If something showed up in your status bar, you should definitely assume your box was compromised. Take care out there, Erik On Sun, 15 Feb 2004 20:20:11 +0100 Nicola Fankhauser wrote:
hi jedi On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:This is equivalent to http://64.29.173.91/ok, and the html of the index page is as following: <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff> <h2>SERVER ERROR 550</h2> <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1
HEIGHT=1></applet></body></html>
now, the "SERVER ERROR 550" is clearly a fake - the java applet below just starts fine. strangely, the 'javautil.zip' is not a valid zip-file, yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :) happily start the applet without any hickups or exceptions and mozilla states 'Applet BlackBox started' in the status bar. is there anybody knowledgable interested in un-zipping, de-compiling and analysing this surely malicious applet? I would like to know what mozilla just executed on my behalf there... :( FYI, the file 'javautil.zip' attached is directly taken from the site mentioned above. regards nicola
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-disclosure mailing list Full-disclosure () lists elvandar org http://lists.elvandar.org/mailman/listinfo/full-disclosure _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: http://federalpolice.com:article872@1075686747 n . teusink (Feb 15)
- RE: Re: http://federalpolice.com:article872@1075686747 Aditya, ALD [Aditya Lalit Deshmukh] (Feb 16)
- <Possible follow-ups>
- RE: http://federalpolice.com:article872@1075686747 Remko Lodder (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 first last (Feb 15)
- RE:http://federalpolice.com:article872@1075686747 Tom Koehler (Feb 16)
- Re: http://federalpolice.com:article872@1075686747 n . teusink (Feb 16)
- Re: http://federalpolice.com:article872@1075686747 madsaxon (Feb 16)
- RE: Re: http://federalpolice.com:article872@1075686747 Nick Jacobsen (Feb 16)