Security Incidents mailing list archives
Re: ABoxInstall
From: Matthew Cerha <matthew.cerha () gmail com>
Date: Thu, 11 Nov 2004 11:11:39 -0600
I ran the ABoxInst_int2.exe binary through www.virustotal.com. Kaspersky reports it as TrojanDownloader.Win32.VB.fi

On Wed, 10 Nov 2004 09:03:12 +0000, Carlos Kramer <csk_1975 () hotmail com> wrote:
Hi,

Don't know if this is the correct forum for this. One of my users got some malicious code which downloaded an FTP server and trojan and registered itself with a Philippines site. This code wasn't detected by Nortons.

The exploit site is here:-
http://207.234.185.217/send_car_int.asp

it downloads this:-
http://207.234.185.217/ABoxInst_int2.exe

which then uses ftp to connect to 209.58.80.244 with the username/password anonymous/qnelpdc to download these files:- Abox.exe, ABox.bup and logon.exe. These files are executed and the machine registers itself at:-
http://209.58.80.244/new_install.asp?...

The executable also has a Thawte certificate which seems to be signed for www.voicekampala.com (uganda?).

I thought this might be of interest to someone as the only reference I could find to it was a "Hijack This" log posted to a German site. It seems to be some sort of porn dialler which hides itself in a trojaned logon.exe.

Cheers.