Security Incidents mailing list archives
SV: Strange servicepack.exe file (not service.exe) found.
From: "Peter Kruse" <kruse () krusesecurity dk>
Date: Wed, 17 Dec 2003 01:07:28 +0100
Hi Chip,

Just took a quick look at the sample and it seems to be a new variant of "Istbar", a family of backdoors that downloads several applications (porn dialers and stuff like that). The code is written in Microsoft Visual C++ and packed with UPX.

When executed, the malware will drop copies of itself on the local hard disk and modify the registry in order to restart after reboot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random Entry>="C:\Program Files\<Random Folder>\<malware.exe>"

Next it will contact several websites from where it will download other components:

http://cnt.rapidblaster.com/(**)run?
http://devcnt.rapidblaster.com/(***)run?
http://cnt.rapidblaster.com/(***).run

A search on Google will bring up several hits for other variants of Istbar.

Kind regards
Peter Kruse
http://www.krusesecurity.dk
-----Original message-----
From: Chip Mefford [mailto:cmefford () avwashington com]
Sent: 16 December 2003 19:29
To: incidents () securityfocus com
Subject: Strange servicepack.exe file (not service.exe) found.

Running in the task manager on a Windows 98 box on our LAN. The machine was misbehaving badly yesterday morning. IE 5.5 was broken, will not browse anything, even a local file. Mozilla 1.5 works fine.

The machine has been flattened and is being reloaded with Win2K. This machine was screwed down as tight as we could make it and still have it be useful. It was used by staff that had no dedicated workstations to access our webmail and such things.

I know nothing about reverse engineering binary executables. Strings output showed some concerning lines. I've posted the file "servicepack.exe" in zipped and tarred formats both at this URL.

http://www.eruditium.org/cmefford/securityfocus/
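Peter's note that the sample is UPX-packed is the kind of thing a quick triage script can confirm before any strings or AV run. The script below is an added example (not from this thread or either poster): it walks the PE section table of a file and flags the UPX0/UPX1 section names that a stock UPX build leaves behind. The sample executable it checks is constructed inline (headers only, no code), since the real servicepack.exe is not reproduced here.

```python
import struct

def pe_section_names(data: bytes) -> list[str]:
    """Return the section names from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt          # section headers follow the optional header
    if table + 40 * num_sections > len(data):
        raise ValueError("section table runs past end of file (truncated?)")
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # first 8 bytes of each header
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: stock UPX names its sections UPX0/UPX1 (and sometimes UPX2).

    A renamed or modified packer defeats this check, so treat a negative
    result as 'not obviously UPX', not as 'unpacked'."""
    return any(name.upper().startswith("UPX") for name in pe_section_names(data))

def build_test_pe(section_names: list[bytes]) -> bytes:
    """Constructed minimal PE (headers only) for exercising the parser offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, 3 zeroed dwords, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections

if __name__ == "__main__":
    packed = build_test_pe([b"UPX0", b"UPX1", b".rsrc"])
    plain = build_test_pe([b".text", b".rdata", b".data"])
    print("packed sample:", pe_section_names(packed), looks_upx_packed(packed))
    print("plain sample: ", pe_section_names(plain), looks_upx_packed(plain))
```

To check a real file, read it in binary mode and pass the bytes to looks_upx_packed(); pair the result with an entropy check, since section names are trivially renamed.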
Current thread:
- Strange servicepack.exe file (not service.exe) found. Chip Mefford (Dec 16)
- RE: Strange servicepack.exe file (not service.exe) found. Bojan Zdrnja (Dec 17)
- SV: Strange servicepack.exe file (not service.exe) found. Peter Kruse (Dec 17)
- Re: Strange servicepack.exe file (not service.exe) found. Eric Chien (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. John Ives (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. Rob Shein (Dec 18)
- RE: Strange servicepack.exe file (not service.exe) found. John Ives (Dec 18)
- RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. Harlan Carvey (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. Harlan Carvey (Dec 18)
- RE: Strange servicepack.exe file (not service.exe) found. David Gillett (Dec 18)
- Re: Strange servicepack.exe file (not service.exe) found. Doug Foster (Dec 19)