Security Incidents mailing list archives

Re: W32.Badtrans.B@mm


From: John Sage <jsage () finchhaven com>
Date: Mon, 26 Nov 2001 14:46:52 -0800

I've received only 3 so far. I saved to disk the (apparent..) executable for all three (I'm on Linux.. :-) and did a diff on all three, and they're identical.

strings -n 3 returns a *lot* - and it's like hunting for the needle in the proverbial haystack, but here's an edited version of what it found, FWIW:

!This program cannot be run in DOS mode.
Richl
.rsrc

<snip>

ABCDE
FGHIJKLMNOPQRST
XYZabc
defghijklmnopqrstuvwxyz012345678v!:
9+/
hLM
ugiv
i|`
XH_
%u.
_H;
/`$
, ;
NameServ
149.174.211
.5,SYSTEM\CurrentControl
t\0ices\Tcpip\ParEt
s3ystemVxD\M
XCP
Dec
Oct
Aug
Jul
May
Feb
aSa'Fri
Thu
Wed
Tueo
/Hook
v2.4
%s)%
227
>s9;c

<snip>

Invalid DNS
add
Answfailu
>[[exp
[{W
"@"
p/;KEY_USERS
OCAL_MACHINE
CURRENT'3
LASSES_ROOT

<snip>

eTo
help
psho*
DLL
Title:
Y",
mpu
- Us
%Keylogw
Opd
ffnG

<snip>

zzo@
3"JUDY
1 () AOL COM
"R+a L

<snip>

MP3
ZIPZ
DOCf
hcWi
y_a
._yeYh
Me_
'ETUP
YOU_
_FAT

<snip>

ARE
Ac,%
Jntd
QUIT

<snip>

o-8859-1N
oX-p

<snip>

<HTML>
=3D#f
xrc

<snip>

LThisY
@fm
yDOS m

<snip>

21del}8
Prt}Dwn}Upr
leftPgD<
hom{V*
GgUO
alP
}esc}

<snip>

trlb
Clr
bVNlA#
ToA
s[b
o9oeY
Unh)
KX{
kGE

<snip>

cpy<
mov^MSVCRT3Y
_Xit|D
adjuB_fdiv
0N+161C1N1Y1d1o1|1
2*252@2
K2V2a2l2w2
3 3+363A3L3W3b3m3x3
4 4=4_4e4
5?5H5U
5c5l5u5
6$6,6A6F6K6P6Z6c6v6
6U7r7
Last
SDuplinQtE&HCle4XD
Exit

<snip>

GIu
0d@
GPG
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
rand
SetTimer
hUB
wKZ
qrh
oNX
je!
www



<EOF strings -n 3>

Make of it what you can...


- John


Liudvikas Bukys wrote:

I am dismayed to find that ALL of the anti-virus vendors have decided to
limit their "tech details" so much that I can't find a published account
of how the keyboard-logging trojan contacts the outside world.  It would
be helpful to know what hosts or names it connects out to, without having to
wait for a "live one" to appear before I find out.

Does anybody here know?

Liudvikas Bukys
bukys () rochester edu
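The triage John describes above (save each attachment, diff the copies, then read `strings -n 3` output looking for DLL names, registry paths, host names and addresses) written out as a small script. This is an added example, not code from the thread or from any vendor's analysis of Badtrans. The `SAMPLE` bytes are constructed: the registry path, the TEST-NET address 192.0.2.10 and the DLL names are placeholders standing in for the fragments in the dump above, and the `KNOWN_APIS` watch-list and the category heuristics in `classify()` are assumptions for first-pass triage, not a signature for this worm.

```python
import hashlib
import re
from collections import defaultdict

# Minimum run length, matching the `strings -n 3` invocation in the post.
MIN_LEN = 3

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumed watch-list: Win32 imports that merit a second look in an e-mail
# attachment (all five appear in the dump above). A triage heuristic, not a signature.
KNOWN_APIS = {"LoadLibraryA", "GetProcAddress", "ExitProcess", "RegCloseKey", "SetTimer"}

# Constructed stand-in for a saved attachment: printable runs separated by
# non-printable bytes. NOT the Badtrans binary; 192.0.2.10 is a TEST-NET
# documentation address and the other values are placeholders.
SAMPLE = (
    b"MZ\x90\x00\x03\x00!This program cannot be run in DOS mode.\x00\x00"
    b"\x01\x02KERNEL32.DLL\x00WSOCK32.dll\x00ADVAPI32.dll\x00"
    b"\x7fSYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\x00"
    b"\x03NameServer\x00\xff192.0.2.10\x00"
    b"\x00\x00Keylog\x00\x10\x11a\x12b\x13"
    b"SetTimer\x00RegCloseKey\x00"
)


def extract_strings(data, min_len=MIN_LEN):
    """Return printable-ASCII runs (0x20-0x7e) of at least min_len bytes, in file order.
    This is the byte class GNU strings scans for by default."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def classify(strs):
    """Bucket extracted strings into the categories a first pass cares about:
    imported modules/APIs, registry paths, network hints, keylogger hints."""
    hits = defaultdict(list)
    for s in strs:
        low = s.lower()
        if low.endswith(".dll"):
            hits["imported_module"].append(s)
        elif s in KNOWN_APIS:
            hits["imported_api"].append(s)
        elif low.startswith(("system\\", "hkey_", "software\\")):
            hits["registry_path"].append(s)
        elif IPV4.match(s) or low.startswith("nameserv") or "dns" in low:
            hits["network"].append(s)
        elif "keylog" in low:
            hits["keylogger_hint"].append(s)
        else:
            hits["other"].append(s)
    return dict(hits)


def group_identical(samples):
    """Group saved attachments by SHA-256. One group for all files means the
    copies are byte-identical, which is what the diff in the post established."""
    groups = defaultdict(list)
    for name, data in sorted(samples.items()):
        groups[hashlib.sha256(data).hexdigest()].append(name)
    return dict(groups)


def triage(samples):
    """Run the strings pass once per distinct file rather than once per copy."""
    report = {}
    for digest, names in group_identical(samples).items():
        data = samples[names[0]]
        report[digest] = {"files": names, "strings": classify(extract_strings(data))}
    return report


if __name__ == "__main__":
    # Three received copies: two identical, one with trailing bytes appended.
    copies = {
        "attach1.exe": SAMPLE,
        "attach2.exe": SAMPLE,
        "attach3.exe": SAMPLE + b"\x00padding",
    }
    for digest, entry in triage(copies).items():
        print(f"{digest[:16]}...  {', '.join(entry['files'])}")
        for category, values in entry["strings"].items():
            if category != "other":
                print(f"  {category:16s} {values}")
```

Hashing instead of a pairwise diff scales to more than three copies and gives you a value to share with the list. The categories only reduce the haystack; a string dump says nothing about packed or encoded sections, so a clean-looking dump is not evidence of a clean file, and the registry and address fragments still need confirmation from a controlled run or a disassembly before anyone blocks on them.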





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
