Full Disclosure mailing list archives
new virus or variant
From: Vic Vandal <vvandal () well com>
Date: Mon, 2 Aug 2004 11:32:34 -0700 (PDT)
There's a new .ZIP attachment that mimics some of the recent ones in arriving as something like your.name () domain zip, extracting to your.name () domain com, which is a Windows command file. I've only just started looking at the payload, and see it does some reg key checks on WOW (looking for itself...no time to type the entire reg string currently, you can find it easily under HKEY_LOCAL_MACHINE by searching anyway), creates some VDM and NTVMD stuff, creates some C code under D:\nt\private\mvdm\softpc.new\host\src\ (several files, one for serial I/O), is doing keystroke logging, and creates a command shell. I think we can all set our virus alarms to ring every Monday now. FYI, Vic _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- new virus or variant Vic Vandal (Aug 02)
- Re: new virus or variant Ron DuFresne (Aug 02)