Full Disclosure mailing list archives
Re: Sears Scam Trojan Code
From: Jarkko Turkulainen <jt () klake org>
Date: Fri, 26 Dec 2003 11:30:51 +0200 (EET)
Some more information: 1) When the program is run, it install itself in registry for startup 2) It binds itself a _random_ listen TCP port and starts a proxy service. The proxy code seems like a "normal" TCP connection forwarder, but I'm not 100% sure yet. 3) It sends the proxy port periodically, every 30 secs to cjdra.com with the following url: http://cjdra.com/sd/PORT where PORT is the listening port encoded as follows: for each port digit, do 46h + (39h - port), for example: 1234 is NMLK. Probably the server is supposed to build some database of the port/host information. 4) If the response HTTP page contains an ASCII string "upf:FILENAME" somewhere, the program tries to fetch a file http://cjdra.com/FILENAME and run it. Regards, -- Jarkko Turkulainen <jt () klake org> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Sears Scam Trojan Code segfault (Dec 25)
- Re: Sears Scam Trojan Code Richard Maudsley (Dec 25)
- Re: Sears Scam Trojan Code Paul Tinsley (Dec 25)
- Re: Sears Scam Trojan Code Michael Bemmerl (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 27)
- Re: Sears Scam Trojan Code Nick FitzGerald (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 26)
- <Possible follow-ups>
- Re: Sears Scam Trojan Code Feher Tamas (Dec 26)
- Re: Sears Scam Trojan Code Richard Maudsley (Dec 25)