Full Disclosure mailing list archives

Re: Sears Scam Trojan Code

From: Jarkko Turkulainen <jt () klake org>
Date: Fri, 26 Dec 2003 11:30:51 +0200 (EET)


Some more information:

1) When the program is run, it install itself in registry for startup

2) It binds itself a _random_ listen TCP port and starts a proxy service.
The proxy code seems like a "normal" TCP connection forwarder, but I'm not
100% sure yet.

3) It sends the proxy port periodically, every 30 secs to cjdra.com with
the following url: http://cjdra.com/sd/PORT where PORT is the listening
port encoded as follows: for each port digit, do 46h + (39h - port), for
example: 1234 is NMLK. Probably the server is supposed to build some
database of the port/host information.

4) If the response HTTP page contains an ASCII string "upf:FILENAME"
somewhere, the program tries to fetch a file http://cjdra.com/FILENAME
and run it.



Regards,

--
Jarkko Turkulainen <jt () klake org>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Sears Scam Trojan Code segfault (Dec 25)
- Re: Sears Scam Trojan Code Richard Maudsley (Dec 25)
  - Re: Sears Scam Trojan Code Paul Tinsley (Dec 25)
  - Re: Sears Scam Trojan Code Michael Bemmerl (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 25)
  - Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 27)
- Re: Sears Scam Trojan Code Nick FitzGerald (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 26)
- <Possible follow-ups>
- Re: Sears Scam Trojan Code Feher Tamas (Dec 26)