Full Disclosure mailing list archives

RE: New virus?

From: "Todd Towles" <toddtowles () brookshires com>
Date: Mon, 27 Sep 2004 15:22:43 -0500

Looks like WINKERNEL132.EXE is the dropper file. The server that is
offering those files is pretty tight, but the Apache isn't setup
correctly. You can get any file...including the passwd file. Nessus
reported this, don't have time to find out...just FYI.

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of the rxmr
Sent: Monday, September 27, 2004 2:14 PM
To: Bernardo Santos Wernesback
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] New virus?

----- Original Message -----
From: Bernardo Santos Wernesback <bernardo () ish com br>
Date: Mon, 27 Sep 2004 14:44:58 -0300
Subject: [Full-disclosure] New virus?
To: full-disclosure () lists netsys com

Hi everyone, 

Has anyone seen a lot of HTTP activity to a certain site:
http://www.fotosgratis.pop.com.br ?

One of our clients has several machines making tons of requests for TXT
files on that server:

botao.txt
mswinsck.txt
ita01.txt
caixa01.txt
teclado07.txt
caixa01.txt
caixa02.txt
caixa03.txt
caixa04.txt
caixa05.txt 

Thanks for any info., 

_____________________________________________________ 

Bernardo Santos Wernesback 

ESSE,ESS,SCSE,CCNA/DA, 

CCSA,CQS,MCP 

Consultant / ISH Tecnologia  

Phone: +55-27-3334-8900 

Mobile: +55-27-8111-0884 

Email: bernardo () ish com br 

  PGP Fingerprint:
   6A42 3701 70D7 FD0F 5FA9  D232 CDD4 6189 EF43 95F5  

This should answer your quetions.

It is a trojan - TROJ_BANCOS.BW or a variant.

http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?V
name=TROJ_BANCOS.BW

From the page:


"
Description:

This Trojan attempts to download the following image files in the folder
%Windows%\inf:

    * botao.bmp
    * caixa01.jpg
    * caixa02.jpg
    * caixa04.jpg
    * caixa05.jpg
    * ita01.jpg
    * teclado_05.jpg
    * teclado_07.jpg
    * teclado_gere03.jpg
    * teclado_gere04.jpg
    * teclado_gere05.jpg
    * teclado_gere06.jpg
"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

New virus? Bernardo Santos Wernesback (Sep 27)
- Re: New virus? Harlan Carvey (Sep 27)
  - Re: New virus? Exibar (Sep 27)
- Re: New virus? the rxmr (Sep 27)
- Re: New virus? the rxmr (Sep 27)
- Re: New virus? Adam Jacob Muller (Sep 27)
  - Re: New virus? Vince is a dickhead (Sep 27)
- <Possible follow-ups>
- RE: New virus? Todd Towles (Sep 27)
- RE: New virus? Todd Towles (Sep 27)