Full Disclosure mailing list archives
RE: Backdoor not recognized by Kaspersky
From: "Full-Disclosure" <fd () weevers net>
Date: Wed, 3 Mar 2004 11:51:46 +0100
Kristian,

This is the bagle.j virus:
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.j@mm.html

-----Original message-----
From: Kristian Hermansen [mailto:khermansen () ht-technology com]
Posted on: Tuesday, March 02, 2004 11:34 PM
Posted to: Full-Disclosure
Discussion: [Full-Disclosure] Backdoor not recognized by Kaspersky
Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky

Attached backdoor not recognized by Kaspersky or Norton 2004? I received this file recently, but Kaspersky did not detect malicious code. Wondering if any of you guys know about it or have analyzed it before? It is definitely NOT a text document. I opened it up with WinHex and see the file "yfivyjmg.exe" in there towards the beginning. Looks to be a packed exe within, and first few bytes are:

504B03040A0001000000C07E62309FE242510C300000003000000C00000079666976796A6D67
2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE712E68000E55E
E8A39241

Last few bytes are:

E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EAE0D2BA2A6EF
88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309FE242510C30
0000003000000C000000000000000100200000000000000079666976796A6D672E657865504B
050600000000010001003A000000363000000000

I am reluctant to open the zip right now, as I fear it may be exploiting an overflow to run the EXE file within. I may try to open it on a virtual machine later, but if you guys do know anything about this one please let me know. It's nice and small too (12 KB)! Wonder if the guy wrote it himself. Of course, the IP address is spoofed to a University of Chicago machine. Is it even possible to trace back? I still have the full headers, but they looked nicely stripped to the gills. I have been receiving elevated attacks via email over the last few days, so maybe it is some guy on this list trying to get me ;-) One previous email stated that it was the FBI and to call a number listed in the email. This was most likely an attempt to get the number I was calling from. This guy thinks he's smooth...

Kristian Hermansen
khermansen () ht-technology com

-----Original Message-----
From: management () zerotoys com [mailto:management@{blankedout}.com]
Sent: Tuesday, March 02, 2004 5:03 PM
To: webmaster@{blankedout}.com
Subject: E-mail account security warning.

Dear user of {blankedout}.com gateway e-mail server,

Your e-mail account has been temporary disabled because of unauthorized access. For details see the attached file. For security purposes the attached file is password protected. Password is "65316".

Best wishes,
The {blankedout}.com team
http://www.{blankedout}..com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
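As an added example (not part of the original post or this thread), the following Python parser reads only the ZIP local file header of an attachment like the one quoted above, so a gateway or analyst can see the member name, the encryption flag and the stored sizes without ever extracting it; the sample bytes are the first bytes quoted in the post, and the list of "executable" extensions is my own assumption.

```python
import struct

# First bytes of the attachment exactly as quoted in the post above (hex).
POSTED_HEADER_HEX = (
    "504B03040A0001000000C07E62309FE242510C300000003000000C000000"
    "79666976796A6D672E657865"
)

LOCAL_FILE_HEADER = b"PK\x03\x04"
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumed list


def parse_local_header(data: bytes) -> dict:
    """Parse the first ZIP local file header without extracting anything.

    Layout, little-endian: signature(4) version(2) flags(2) method(2)
    mtime(2) mdate(2) crc32(4) csize(4) usize(4) namelen(2) extralen(2) name.
    """
    if len(data) < 30 or data[:4] != LOCAL_FILE_HEADER:
        raise ValueError("not a ZIP local file header")
    (_version, flags, method, _mtime, _mdate, crc, csize, usize,
     name_len, _extra_len) = struct.unpack("<HHHHHIIIHH", data[4:30])
    name = data[30:30 + name_len].decode("cp437", errors="replace")
    return {
        "filename": name,
        "encrypted": bool(flags & 0x0001),       # bit 0: traditional PKWARE encryption
        "sizes_deferred": bool(flags & 0x0008),  # bit 3: sizes live in a data descriptor
        "method": method,                        # 0 = stored, 8 = deflated
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "executable": name.lower().endswith(EXECUTABLE_EXTENSIONS),
    }


def triage(data: bytes) -> list:
    """Return findings a mail gateway could log before a user opens the file."""
    info = parse_local_header(data)
    findings = []
    if info["executable"]:
        findings.append("archive contains executable member %r" % info["filename"])
    if info["encrypted"]:
        findings.append("member is password-protected, scanners cannot inspect it")
    if info["encrypted"] and info["method"] == 0 and not info["sizes_deferred"]:
        # Stored + encrypted: compressed size is plain size plus the 12-byte
        # encryption header, so the two sizes can be cross-checked.
        ok = info["compressed_size"] == info["uncompressed_size"] + 12
        findings.append("stored payload of %d bytes (sizes %s)"
                        % (info["uncompressed_size"], "consistent" if ok else "inconsistent"))
    return findings
```

On the quoted bytes this reports the 12-byte-named executable member, the encryption flag (which is why a password is needed and why the scanner saw nothing), and a 12288-byte stored payload, matching the "12 KB" the poster observed.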