Full Disclosure mailing list archives
RE: Backdoor not recognized by Kaspersky
From: "Oliver Schneider" <Borbarad () gmxpro net>
Date: Wed, 3 Mar 2004 12:34:07 +0100 (MET)
I agree that it might be Bagle.J, but F-Risk claims it's: "The unpacked file's size is over 49 kilobytes."

For me it was:

yfivyjmg.exe was UPXed and has:
MD5: b2e0559c9c3cea7bb7c37daec64e0f88
Size: 12288 Bytes

yfivyjmg.exe unpacked has:
MD5: 58f05e9519b3bd825fd6af936f4b2aed
Size: 22016 Bytes

The EXE itself does the following:
---------------------------------------------------------------------
- Initializes COM
- Then it writes itself into the Run-Key in registry using different names
...
...
...
- The following text describes something about the intentions:

    db '############################################################'
    db '##################',0Dh,0Ah
    db 'Hey, NetSky, fuck off you bitch, don',27h,'t ruine our bussi'
    db 'ness, wanna start a war?',0Dh,0Ah
    db 0Dh,0Ah,0
    db 0 ;

It's all about spam sent via trojan-proxies, as uncovered by the German computer magazine c't recently.
-> http://www.heise.de/ct/

The "virus" obviously has backdoor capabilities. It has its own SMTP engine, several strings which may appear in the mails sent (social engineering part), and the ZIP was password protected just because of the social engineering!

Also it searches for "shar" in folder names and copies itself there under the following names:

    'Microsoft Office 2003 Crack, Working!.exe',0
    'Microsoft Office XP working Crack, Keygen.exe',0
    'Microsoft Windows XP, WinXP Crack, working Keygen.exe',0
    'Porno Screensaver.scr',0
    'Porno, sex, oral, anal cool, awesome!!.exe',0
    'Porno pics arhive, xxx.exe',0
    'Serials.txt.exe',0
    'Windown Longhorn Beta Leak.exe',0
    'Windows Sourcecode update.doc.exe',0
    'XXX hardcore images.exe',0
    'Opera 8 New!.exe',0
    'WinAmp 5 Pro Keygen Crack Update.exe',0
    'WinAmp 6 New!.exe',0
    'Matrix 3 Revolution English Subtitles.exe',0
    'Adobe Photoshop 9 full.exe',0
    'Ahead Nero 7.exe',0
    'ACDSee 9.exe',0

All these strings and the message strings for the faked emails look much like the Bagle.J description from F-Risk. Maybe they stripped something from it.
I just skimmed the description, didn't really read it ;)

Well, that's probably a brand-new worm ;) -> Bagle.K?

Oliver

--
---------------------------------------------------
May the source be with you, stranger ;)

Contacts / Kontakte
eMail: Assarbad () gmx net|info|de|com
ICQ UIN #281645
http://assarbad.org & http://assarbad.net & http://assarbad.info

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
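As an added example, not part of Oliver's post or of any vendor's write-up: a small Python script that turns the indicators he lists into a host-side check. It walks a directory tree, flags files carrying one of the worm's drop names when they sit in a folder whose name contains "shar" (the post says the worm looks for that substring, so a benign "Documents" folder with the same file name is deliberately not flagged), and compares every file's MD5 and size against the two hash/size pairs quoted above. The directory layout it scans is constructed inside the script for demonstration; nothing on the page states those paths, and the hash comparison can only fire on the real sample, which is not included here. MD5 is used only because that is what the post gives as an identifier.

```python
import hashlib
import os
import shutil
import tempfile

# Hash/size pairs quoted in the post for the sample under discussion.
KNOWN_SAMPLES = {
    "b2e0559c9c3cea7bb7c37daec64e0f88": ("yfivyjmg.exe, UPX-packed", 12288),
    "58f05e9519b3bd825fd6af936f4b2aed": ("yfivyjmg.exe, unpacked", 22016),
}

# File names the post says the worm copies itself to inside "shar*" folders.
DROP_NAMES = {
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Porno Screensaver.scr",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno pics arhive, xxx.exe",
    "Serials.txt.exe",
    "Windown Longhorn Beta Leak.exe",
    "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
    "Opera 8 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "WinAmp 6 New!.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "Adobe Photoshop 9 full.exe",
    "Ahead Nero 7.exe",
    "ACDSee 9.exe",
}
DROP_NAMES_LOWER = {n.lower() for n in DROP_NAMES}  # NTFS names are case-insensitive


def md5_and_size(path):
    """Return (md5 hex digest, size in bytes) of a file, read in chunks."""
    h = hashlib.md5()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def match_known_sample(path):
    """Label from KNOWN_SAMPLES when both hash and size match, else None."""
    digest, size = md5_and_size(path)
    entry = KNOWN_SAMPLES.get(digest)
    if entry and entry[1] == size:
        return entry[0]
    return None


def scan_share_dirs(root):
    """Walk root and return a sorted list of (path, reason) hits.

    A drop name only counts inside a folder whose own name contains "shar";
    the hash check is applied to every file regardless of folder."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        share_like = "shar" in os.path.basename(dirpath).lower()
        for name in filenames:
            full = os.path.join(dirpath, name)
            if share_like and name.lower() in DROP_NAMES_LOWER:
                hits.append((full, "drop name in share-like folder"))
            label = match_known_sample(full)
            if label:
                hits.append((full, "hash and size match " + label))
    return sorted(hits)


def demo():
    """Build a constructed tree (hypothetical paths, no real malware) and scan it."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "home")
    try:
        layout = {
            os.path.join("Shared Files", "Serials.txt.exe"): b"MZ not a real sample",
            os.path.join("share", "Opera 8 New!.exe"): b"MZ not a real sample",
            os.path.join("share", "notes.txt"): b"plain text, no hit",
            os.path.join("Documents", "Serials.txt.exe"): b"same name, folder not share-like",
        }
        for rel, data in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        hits = scan_share_dirs(root)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), why) for p, why in hits]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for path, why in demo():
        print(path, "->", why)
```

On a real host you would point scan_share_dirs at the drive root (or at each shared folder) rather than at the constructed tree, and extend KNOWN_SAMPLES with whatever hashes your own sample yields after unpacking; the post's two hashes only identify the one packed/unpacked pair Oliver examined.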
Current thread:
- Backdoor not recognized by Kaspersky Kristian Hermansen (Mar 03)
- Re: Backdoor not recognized by Kaspersky Frederik Berger (Mar 03)
- Re: Backdoor not recognized by Kaspersky Jarkko Turkulainen (Mar 03)
- RE: Backdoor not recognized by Kaspersky Mortis (Mar 03)
- RE: Backdoor not recognized by Kaspersky Larry Seltzer (Mar 03)
- Re: Backdoor not recognized by Kaspersky William Warren (Mar 03)
- Re: Backdoor not recognized by Kaspersky William Warren (Mar 03)
- Re: Backdoor not recognized by Kaspersky Bernardo Quintero (Mar 03)
- RE: Backdoor not recognized by Kaspersky Larry Seltzer (Mar 03)
- RE: Backdoor not recognized by Kaspersky ajrarn (Mar 03)
- RE: Backdoor not recognized by Kaspersky Oliver Schneider (Mar 03)
- RE: Backdoor not recognized by Kaspersky Paul Niranjan (Mar 03)
- Re: Backdoor not recognized by Kaspersky Mary Landesman (Mar 03)
- <Possible follow-ups>
- RE: Backdoor not recognized by Kaspersky Jyri.Tamminen (Mar 03)
- RE: Backdoor not recognized by Kaspersky David Kammering (Mar 03)
- Re: Backdoor not recognized by Kaspersky maarten (Mar 03)
- Re: Backdoor not recognized by Kaspersky Martin Mačok (Mar 03)
- Re: Backdoor not recognized by Kaspersky Nick FitzGerald (Mar 03)
- Re: Backdoor not recognized by Kaspersky Bart . Lansing (Mar 03)
- RE: Backdoor not recognized by Kaspersky Aditya, ALD [Aditya Lalit Deshmukh] (Mar 03)
- Re: Backdoor not recognized by Kaspersky KUIJPERS Jimmy (Mar 04)
- Re: Backdoor not recognized by Kaspersky maarten (Mar 03)