Security Incidents mailing list archives
ABoxInstall
From: "Carlos Kramer" <csk_1975 () hotmail com>
Date: Wed, 10 Nov 2004 09:03:12 +0000
Hi, Don't know if this is the correct forum for this. One of my users got some malicious code which downloaded an FTP server and trojan and registered itself with a Phillippines site this code wasn't detected by Nortons. The exploit site is here:- http://207.234.185.217/send_car_int.asp it downloads this:- http://207.234.185.217/ABoxInst_int2.exe which then uses ftp to connect to 209.58.80.244 with the username/password anonymous/qnelpdc to download these files:- Abox.exe, ABox.bup and logon.exe. These files are executed and the machine registers itself at:- http://209.58.80.244/new_install.asp?... The executable also has a Thawte certificate which seems to be signed for www.voicekampala.com (uganda?). I thought this might be of interest to someone as the only reference I could find to it was a "Hijack This" log posted to a German site. It seems to be some sort of porn dialler which hides itself in a trojaned logon.exe. Cheers. _________________________________________________________________Check out Election 2004 for up-to-date election news, plus voter tools and more! http://special.msn.com/msn/election2004.armx
Current thread:
- ABoxInstall Carlos Kramer (Nov 10)
- Re: ABoxInstall Matthew Cerha (Nov 14)