Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Backdoor not recognized by Kaspersky

From: <Jyri.Tamminen () tietoenator com>
Date: Wed, 3 Mar 2004 12:46:19 +0200
Hello

Looks like W32.Bagle.J worm.
More information:
http://www.f-secure.com/v-descs/bagle_j.shtml


Br
Jyri

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Kristian
Hermansen
Sent: 3. maaliskuuta 2004 0:34
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Backdoor not recognized by Kaspersky


Attached backdoor not recognized by Kaspersky or Norton 2004?  I
received this file recently, but Kaspersky did not detect malicious
code.  Wondering if any of you guys know about it or have analyzed it
before?  It is definitely NOT a text document.  I opened it up with
WinHex and see the file "yfivyjmg.exe" in there towards the beginning.
Looks to be a packed exe within, and first few bytes are:

504B03040A0001000000C07E62309FE242510C300000003000000C00000079666976796A
6D67
2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE712E68000
E55E
E8A39241

Last few bytes are:

E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EAE0D2BA2
A6EF
88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309FE24251
0C30
0000003000000C000000000000000100200000000000000079666976796A6D672E657865
504B
050600000000010001003A000000363000000000

I am reluctant to open the zip right now, as I fear it may be exploiting
an overflow to run the EXE file within.  I may try to open it on a
virtual machine later, but if you guys do know anything about this one
please let me know.  It's nice and small too (12 KB)!  Wonder if the guy
wrote it himself. Of course, the IP address is spoofed to a University
of Chicago machine.  Is it even possible to trace back?  I still have
the full headers, but they looked nicely stripped to the gills.  I have
been receiving elevated attacks via email over the last few days, so
maybe it is some guy on this list trying to get me ;-)  One previous
email stated that it was the FBI and to call a number listed in the
email.  This was most likely an attempt to get the number I was calling
from.  This guy thinks he's smooth...


Kristian Hermansen
khermansen () ht-technology com

-----Original Message-----
From: management () zerotoys com [mailto:management@{blankedout}.com] 
Sent: Tuesday, March 02, 2004 5:03 PM
To: webmaster@{blankedout}.com
Subject: E-mail account security warning.

Dear user of  {blankedout}.com  gateway e-mail server,

Your  e-mail account has been temporary disabled because of unauthorized
access.

For details see the attached file.

For security  purposes  the  attached file  is password protected.
Password is "65316".

Best  wishes,
    The {blankedout}.com  team                               http://www.
{blankedout}..com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: