Full Disclosure mailing list archives
RE: Re: http://federalpolice.com:article872@1075686747
From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Mon, 16 Feb 2004 09:22:51 +0530
This is a keylogger that will mail out your interesting logs to some Russian address! So beware of this one, but what I couldn't understand is how this file is executed? -aditya
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of n.teusink () planet nl
Sent: Sunday, February 15, 2004 11:40 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re: http://federalpolice.com:article872@1075686747

From the source of that page:

APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1

BlackBox.class is detected immediately by my virus scanner as ClassLoader/E, more info: http://www.viruslibrary.com/virusinfo/Trojan.Java.ClassLoader.htm

The javautil.zip appears to be an exe file renamed to zip. The exe is compressed with FSG. Interesting pieces of output from strings on the decompressed exe:

----------------------------------------------BEGIN
HookerDll.Dll
Install
Uninstall
EDIT
%s\%s
WVS3
\kgn.txt
Hooker.dll
Install
Uninstall
Westpac
bendigo
Bendigo
e-bendigo
e-Bendigo
commbank
Commonwealth
NetBank
Citibank
Bank of America
e-gold
e-bullion
e-Bullion
evocash
EVOCash
EVOcash
intgold
INTGold
paypal
PayPal
bankwest
Bank West
BankWest
National Internet Banking
cibc
CIBC
scotiabank
ScotiaBank
Scotia Bank
bank of montreal
Bank of Montreal
royalbank
Royal Bank
RoyalBank
tdwaterhouse
TD Canada Trust
TD Waterhouse
president's choice
President's Choice
President Choice
suncorpmetway
Suncorp
macquarie
Macquarie
INTgold
1mdc
1MDC
TD Waterhouse
goldmoney
GoldMoney
goldgrams
pecunix
Pecunix
Pecun!x
hyperwallet
HyperWallet
Wells Fargo
Bank One
Banesto
CAIXA
SunTrust
Sun Trust
Discover Card
Washington Mutual
Wachovia
desjardins
Chase
0+060F0
1$11161J1U1i1
2.2I2\2
3'3,3E3c3h3r3
4%42484>4D4J4P4V4\4b4h4n4t4z4
DATA
EHLO localhost
Subject: KeyLog from (%s)
MAIL FROM:<pentasatan () mail ru>
RCPT TO:<pentasatan () mail ru>
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
open
pstorec.dll
PStoreCreateInstance
internet explorer
http://
wininetcachecredentials
Cookie:
----------------------------------------------END

I think you can draw your own conclusions about this file.

Niels

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
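Niels's analysis rests on two checks a defender can automate: the "zip" named in the applet tag is really a PE, and its strings fall into recognisable families (SMTP exfiltration, Run-key persistence, Protected Storage access, a hook DLL, bank brand names). The triage script below is an added example written for this archive page, not code from the thread; the indicator lists are taken from the strings Niels posted, and the sample bytes are constructed, with a placeholder in place of the real drop address.

```python
import re

# Indicator families drawn from the strings Niels posted. A hit is a reason to
# look closer, not proof on its own.
INDICATORS = {
    "smtp_exfil": [b"EHLO ", b"MAIL FROM:", b"RCPT TO:", b"Subject: KeyLog"],
    "run_key_persistence": [b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"],
    "protected_storage_theft": [b"pstorec.dll", b"PStoreCreateInstance"],
    "keyboard_hook": [b"Hooker.dll", b"HookerDll.Dll"],
    "banking_targets": [b"PayPal", b"Citibank", b"Bank of America", b"e-gold"],
}

def file_kind(data: bytes) -> str:
    """Identify the container by magic bytes, never by the extension it claims."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"

def printable_strings(data: bytes, min_len: int = 4):
    """Rough equivalent of strings(1): runs of printable ASCII of at least min_len."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage(claimed_ext: str, data: bytes) -> dict:
    """Report container masquerade and which indicator families the strings hit."""
    kind = file_kind(data)
    report = {"kind": kind, "masquerade": False, "hits": {}}
    # An <applet archive="...zip"> that is really a PE cannot be loaded by the JVM;
    # its presence there only makes sense if something else drops and runs it.
    if claimed_ext.lower() in ("zip", "jar") and kind == "pe":
        report["masquerade"] = True
    blob = b"\n".join(printable_strings(data))
    for family, needles in INDICATORS.items():
        found = [n.decode() for n in needles if n in blob]
        if found:
            report["hits"][family] = found
    return report

# Constructed sample: a bare MZ header padded with a few strings from the post.
# The mail address is a placeholder, not the one in the thread.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"EHLO localhost\x00Subject: KeyLog from (%s)\x00"
          b"MAIL FROM:<dropbox@example.invalid>\x00"
          b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00pstorec.dll\x00"
          b"PStoreCreateInstance\x00Hooker.dll\x00PayPal\x00Citibank\x00")

if __name__ == "__main__":
    print(triage("zip", SAMPLE))
```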