Security Incidents mailing list archives
Re: W32.Badtrans.B@mm
From: John Sage <jsage () finchhaven com>
Date: Mon, 26 Nov 2001 14:46:52 -0800
I've received only 3 so far. I saved to disk the (apparent..) executable for all three (I'm on Linux.. :-) and did a diff on all three, and they're identical.
strings -n 3 returns a *lot* - and it's like hunting for the needle in the proverbial haystack, but here's an edited version of what it found, FWIW:
!This program cannot be run in DOS mode. Richl .rsrc
<snip>
ABCDE FGHIJKLMNOPQRST XYZabc defghijklmnopqrstuvwxyz012345678v!: 9+/ hLM ugiv i|` XH_ %u. _H; /`$ , ; NameServ 149.174.211 .5,SYSTEM\CurrentControl t\0ices\Tcpip\ParEt s3ystemVxD\M XCP Dec Oct Aug Jul May Feb aSa'Fri Thu Wed Tueo /Hook v2.4 %s)% 227 >s9;c
<snip>
Invalid DNS add Answfailu >[[exp [{W "@" p/;KEY_USERS OCAL_MACHINE CURRENT'3 LASSES_ROOT
<snip>
eTo help psho* DLL Title: Y", mpu - Us %Keylogw Opd ffnG
<snip>
zzo@ 3"JUDY 1 () AOL COM "R+a L
<snip>
MP3 ZIPZ DOCf hcWi y_a ._yeYh Me_ 'ETUP YOU_ _FAT
<snip>
ARE Ac,% Jntd QUIT
<snip>
o-8859-1N oX-p
<snip>
<HTML> =3D#f xrc
<snip>
LThisY @fm yDOS m
<snip>
21del}8 Prt}Dwn}Upr leftPgD< hom{V* GgUO alP }esc}
<snip>
trlb Clr bVNlA# ToA s[b o9oeY Unh) KX{ kGE
<snip>
cpy< mov^MSVCRT3Y _Xit|D adjuB_fdiv 0N+161C1N1Y1d1o1|1 2*252@2 K2V2a2l2w2 3 3+363A3L3W3b3m3x3 4 4=4_4e4 5?5H5U 5c5l5u5 6$6,6A6F6K6P6Z6c6v6 6U7r7 Last SDuplinQtE&HCle4XD Exit
<snip>
GIu 0d@ GPG KERNEL32.DLL ADVAPI32.dll MSVCRT.dll USER32.dll WSOCK32.dll LoadLibraryA GetProcAddress ExitProcess RegCloseKey rand SetTimer hUB wKZ qrh oNX je! www
<EOF strings -n 3>

Make of it what you can...

- John

Liudvikas Bukys wrote:
I am dismayed to find that ALL of the anti-virus vendors have decided to limit their "tech details" so much that I can't find a published account of how the keyboard-logging trojan contacts the outside world. It would be helpful to know what hosts or names it connects out to, without having to wait for a "live one" to appear before I find out. Does anybody here know?

Liudvikas Bukys
bukys () rochester edu
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
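The triage John describes above (save the attachment, check that the copies are identical, run `strings -n 3`, then hunt the output for anything that looks like a host, address, registry key or import) can be scripted so the haystack sorts itself. The Python below is an added example written for this archive page; it is not code from either poster or from any anti-virus vendor. It runs on a constructed byte string that only imitates what a Win32 PE yields to `strings`, uses a TEST-NET-1 address (192.0.2.10) and a made-up e-mail address, and says nothing about what the real Badtrans sample contains.

```python
import hashlib
import re

# Constructed sample standing in for a saved attachment. It is NOT the
# Badtrans binary; the byte runs below only mimic what `strings` pulls out of
# a Win32 PE: DOS-stub text, a registry path, an address in the TEST-NET-1
# documentation range, a made-up e-mail address, and some import names.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"!This program cannot be run in DOS mode.\r\n$\x00"
    + b"\x01\x02\xfe"
    + b"SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\x00"
    + b"\x7f\x80\x81"
    + b"192.0.2.10\x00"
    + b"ab\x00"                      # two printable bytes: below the -n 3 floor
    + b"report@example.net\x00"
    + b"KERNEL32.DLL\x00ADVAPI32.dll\x00WSOCK32.dll\x00"
    + b"LoadLibraryA\x00GetProcAddress\x00"
)

# Dotted quad with each octet limited to 0-255. Note that version strings
# such as "2.4.1.0" also match; treat hits as leads, not facts.
IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
REGISTRY_MARKERS = ("HKEY_", "CurrentControlSet", "\\Software\\", "\\SOFTWARE\\")


def extract_strings(data: bytes, min_len: int = 3) -> list:
    """Runs of printable ASCII of at least min_len bytes, like `strings -n N`.

    Bytes 0x20-0x7e are treated as printable; anything else ends a run.
    """
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def triage(strs: list) -> dict:
    """Bucket strings into the categories a first-look analyst hunts for."""
    found = {"imports": [], "ipv4": [], "email": [], "registry": []}
    for s in strs:
        if s.lower().endswith(".dll"):
            found["imports"].append(s)
        found["ipv4"].extend(IPV4.findall(s))
        found["email"].extend(EMAIL.findall(s))
        if any(marker in s for marker in REGISTRY_MARKERS):
            found["registry"].append(s)
    return found


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def all_identical(blobs: list) -> bool:
    """The `diff` step: True when every saved copy hashes to the same value."""
    return len({sha256_hex(b) for b in blobs}) == 1


if __name__ == "__main__":
    # Three "copies" of the same attachment, as in the post above.
    copies = [SAMPLE, bytes(SAMPLE), SAMPLE[:]]
    print("identical copies:", all_identical(copies), sha256_hex(SAMPLE))
    for bucket, hits in triage(extract_strings(SAMPLE, 3)).items():
        print(f"{bucket:9s}", hits)
```

An empty `ipv4` or `email` bucket is not proof that a sample makes no network contact: a host name or address can be assembled at runtime, stored XOR-encoded, or hidden inside a packed section that `strings` never sees. The dotted-quad regex also fires on version numbers, so a hit is a lead for a controlled-network run, not a published indicator.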
Current thread:
- W32.Badtrans.B@mm Liudvikas Bukys (Nov 26)
- Re: W32.Badtrans.B@mm Marc Fossi (Nov 26)
- Message not available
- Re: W32.Badtrans.B@mm Brett Glass (Nov 26)
- Re: W32.Badtrans.B@mm John Sage (Nov 26)