Full Disclosure mailing list archives

Re: Virus / Trojan

From: Axel Pettinger <api () epost de>
Date: Fri, 09 Jan 2004 20:38:09 +0100

"Otero, Hernan (EDS)" wrote:


Today found this suspicious file attached to an email, obviously is a virus
(our AV don´t detect it :-( ). The virus/trojan is very simple, the
developer only put effort in obfuscate the strings inside the binary.

The executable file try to connect to gamemaniacs.org and download a file.
This file will be located in the system directory

The url used in the GET is:

gamemaniacs.org /download/get.php?dist=2

This will download the binary saved as msvchost.exe

any one know what virus/trojan is this?


Descriptions of the (downloader) trojan:

http://vil.nai.com/vil/content/v_100945.htm
http://www.Europe.F-Secure.com/v-descs/xombe.shtml
http://www.sophos.com/virusinfo/analyses/trojdloaderl.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_XOMBE.A
http://www.sarc.com/avcenter/venc/data/trojan.xombe.html
http://www3.ca.com/virusinfo/virus.aspx?ID=37965

Regards,
Axel Pettinger

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Virus / Trojan Otero, Hernan (EDS) (Jan 09)
- Re: Virus / Trojan Exibar (Jan 09)
  - Re[2]: Virus / Trojan Papp Geza (Jan 09)
- Re: Virus / Trojan Axel Pettinger (Jan 09)
- Re: Virus / Trojan William Warren (Jan 09)
- Re: Virus / Trojan Nick FitzGerald (Jan 09)
- <Possible follow-ups>
- RE: Virus / Trojan Nicolas CARTRON (Jan 09)
- RE: Virus / Trojan John LaCour (Jan 09)
- Re: Virus / Trojan PhilZ (Jan 15)
  - Re: Virus / Trojan Koito Triabva (Jan 15)