Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Backdoor not recognized by Kaspersky

From: "Oliver Schneider" <Borbarad () gmxpro net>
Date: Wed, 3 Mar 2004 12:34:07 +0100 (MET)
I agree that it might be Bagle.J, but F-Risk claims it's:

"The unpacked file's size is over 49 kilobytes."

For me it was:

yfivyjmg.exe was UPXed and has:
            MD5:  b2e0559c9c3cea7bb7c37daec64e0f88
            Size: 12288 Bytes
yfivyjmg.exe unpacked has:
            MD5:  58f05e9519b3bd825fd6af936f4b2aed
            Size: 22016 Bytes

The EXE itself does the following:
---------------------------------------------------------------------
- Initializes COM
- Then it writes itself into the Run-Key in registry
  using different names
...
...
...
- The following text describes something about the intentions:
db '############################################################'
db '##################',0Dh,0Ah
db 'Hey, NetSky, fuck off you bitch, don',27h,'t ruine our bussi'
db 'ness, wanna start a war?',0Dh,0Ah
db 0Dh,0Ah,0
db    0 ;
      
It's all about spam sent via trojan-proxies, as uncovered by the
German computer magazine c't recently. -> http://www.heise.de/ct/

The "virus" obviously has backdoor capabilities. It has its own SMTP
engine several strings which may appear in the mails sent (social
engineering part) and the ZIP was password protected just because of
the social engineering!
Also it searches for "shar" in folder names and copies itself there
under the following names:

'Microsoft Office 2003 Crack, Working!.exe',0
'Microsoft Office XP working Crack, Keygen.exe',0
'Microsoft Windows XP, WinXP Crack, working Keygen.exe',0
'Porno Screensaver.scr',0
'Porno, sex, oral, anal cool, awesome!!.exe',0
'Porno pics arhive, xxx.exe',0
'Serials.txt.exe',0
'Windown Longhorn Beta Leak.exe',0
'Windows Sourcecode update.doc.exe',0
'XXX hardcore images.exe',0
'Opera 8 New!.exe',0
'WinAmp 5 Pro Keygen Crack Update.exe',0
'WinAmp 6 New!.exe',0
'Matrix 3 Revolution English Subtitles.exe',0
'Adobe Photoshop 9 full.exe',0
'Ahead Nero 7.exe',0
'ACDSee 9.exe',0

All these string and the message string for the faked emails look much
like the Bagle.J description from F-Risk. Maybe they stripped something
from it. I just skimmed the description, didn't really read it ;)

Well, that's probably a brand-new worm ;) -> Bagle.K?

Oliver

-- 
---------------------------------------------------
May the source be with you, stranger ;)

Contacts / Kontakte
eMail: Assarbad () gmx net|info|de|com
ICQ UIN #281645
http://assarbad.org & http://assarbad.net & http://assarbad.info

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: