Security Incidents mailing list archives
New Virus / Trojan ?
From: Vincent Jaussaud <Vincent.Jaussaud () kelkoo net>
Date: Mon, 26 Jul 2004 18:08:48 +0200
Hi there;

We just saw a malicious program coming into our network. As usual, it uses its own SMTP engine to send itself. None of our anti-virus products knows about it (NAV, ClamScan, File::Scan), and since it's a zip file, it isn't blocked by our mail system.

The zip file contains one file, named (without quotes): "britney.jpg\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ .scr"

The zip file is 33650 bytes, while the scr file is 32768 bytes.

A strings dump of the scr file gives:
If any of you already faced this one, please share any comments / ideas you may have. We'll try to submit this to Symantec virus analysts. If you need further info, please let me know.

Thanks in advance!

Best Regards,
-- 
#################################################################
Kelkoo Security Manager / Networks & Systems Architect
JID: portsentry () ims kelkoo net / GPG key 1024D/3BFE3FC7 2002-02-07
Office: +(33)04 7629 7163 / Mobile: +(33)06 806 409 62
#################################################################
"Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one." -- President Thomas Jefferson. 1743-1826
Attachment:
signature.asc
Description: This is a digitally signed message part
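The attachment described in the post slips past a mail gateway because the archive itself is not blocked and the member name hides ".scr" behind a run of spaces after ".jpg". The following is an added example (not from the original post or from Kelkoo) of a gateway-side check that opens a zip in memory and flags such members; the sample archive it builds is constructed here with 150 padding spaces and zero-filled content standing in for the 32768-byte file.

```python
"""Flag zip members whose names hide an executable extension behind padding,
as in the 'britney.jpg<many spaces>.scr' attachment reported above."""
import io
import re
import zipfile

# Extensions Windows runs on double-click; .scr is the one used in the reported sample.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
# Benign-looking extension, then two or more blanks, then a final extension.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(jpe?g|gif|png|txt|doc|pdf)[ \t\u00a0]{2,}\.\w+$", re.IGNORECASE
)


def classify_member(name: str) -> list[str]:
    """Return the reasons a member name looks suspicious (empty list if none)."""
    reasons = []
    _stem, dot, ext = name.rpartition(".")
    real_ext = ("." + ext).lower() if dot else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {real_ext}")
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("padded double extension")
    if len(name) > 120:
        reasons.append(f"unusually long name ({len(name)} chars)")
    return reasons


def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Inspect every member of an in-memory zip; map flagged member name -> reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_member(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the reported attachment: one member named
    'britney.jpg' + 150 spaces + '.scr' with 32768 bytes of filler (not the malware),
    plus one benign member so the scan has something it must not flag."""
    name = "britney.jpg" + " " * 150 + ".scr"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, b"\x00" * 32768)
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(repr(member.strip()), "->", ", ".join(why))
```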
Current thread:
- New Virus / Trojan ? Vincent Jaussaud (Jul 26)
- Re: New Virus / Trojan ? Vincent Jaussaud (Jul 26)
- Re: New Virus / Trojan ? Frank Reppin (Jul 26)
- Re: New Virus / Trojan ? Vincent Jaussaud (Jul 27)
- Re[2]: New Virus / Trojan ? Rafael Núñez (Jul 27)
- RE: New Virus / Trojan ? Byrne Ghavalas (Jul 27)
- <Possible follow-ups>
- Re: New Virus / Trojan ? Travis Howe (Jul 26)
- Re: New Virus / Trojan ? Michael Mucha (Jul 27)