Full Disclosure mailing list archives
Re: Any idea about that?
From: James Woodcock <spamtrap2 () austarnet com au>
Date: Fri, 10 Sep 2004 12:19:53 +1000
Syed Imran Ali wrote:
> I received this file through email (Yahoo) nothing was detected from
> Yahoo or NAV 2003. According to my understanding this is some kind of
> worm or irc-bot. I found this file making connections on port 6667
> 6660 and opening major important ports on the infected PC.

The zip file contains a file called sexygirl.exe. It's actually just an HTML document that gives a download link for another file called "sexygirl.exe" from www.pcpages.com/imbonga/
On Mozilla 1.7, I still needed to click on the link to start the download, but there is this javascript in there that might do something under the right conditions?
> document.write("<A HREF='http://banner2.inet-traffic.com/oasisc.php?s=3&w=300&h=60&cb=" + spreeaddatestr + "'>")
> document.write("<IMG SRC='http://banner2.inet-traffic.com/oasisi.php?s=3&w=300&h=60&cb=" + spreeaddatestr + "?' WIDTH=468 HEIGHT=60 BORDER=0 ALT='Click Here'></A>")
The spreeaddatestr is clear enough (a set of time values, for tracking the spread?), but what oasisc.php is doing with those values, who knows?

Anyway, I sent the second sexygirl.exe file off to VirusTotal and here are the results:
Scan results from VirusTotal
File: sexygirl2.exe
Date: 09/10/2004 03:38:33
----
BitDefender 7.0/20040909 found [Backdoor.SDBot.Gen]
NOD32v2 1.867/20040909 found [prob. unknown NewHeur_PE]
Norman 5.70.10/20040909 found [W32/Backdoor]
Panda 7.02.00/20040909 found [W32/Gaobot.gen.worm]
Sybari 7.5.1314/20040910 found [Win32/IRCBot.Variant]
McAfee 4390/20040908 found nothing
McAfee 4390/20040908 found nothing
Symantec 8.0/20040909 found nothing
TrendMicro 7.000/20040908 found nothing
ClamWin devel-20040822/20040908 found nothing

That's the nasty one.

James

--
This isn't life in the fast lane, this is life in the oncoming traffic!
...Terry Pratchett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
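The scan output quoted above is in the one-engine-per-line format VirusTotal emailed back in 2004. As an added example that is not part of James's post, the following Python script parses that format, collapses repeated engine lines (the McAfee line appears twice in the report), counts how many engines flagged the sample, and pulls family keywords out of the labels so that names like Backdoor.SDBot.Gen, Win32/IRCBot.Variant and W32/Gaobot.gen.worm are recognised as pointing at the same IRC-bot class. The regular expression and the keyword list are my own assumptions about the format, not anything VirusTotal or the post defines.

```python
import re
from collections import Counter

# The report lines exactly as quoted in the post above (engine, engine
# version / signature date, then either a label in brackets or "nothing").
VT_REPORT = """\
BitDefender 7.0/20040909 found [Backdoor.SDBot.Gen]
NOD32v2 1.867/20040909 found [prob. unknown NewHeur_PE]
Norman 5.70.10/20040909 found [W32/Backdoor]
Panda 7.02.00/20040909 found [W32/Gaobot.gen.worm]
Sybari 7.5.1314/20040910 found [Win32/IRCBot.Variant]
McAfee 4390/20040908 found nothing
McAfee 4390/20040908 found nothing
Symantec 8.0/20040909 found nothing
TrendMicro 7.000/20040908 found nothing
ClamWin devel-20040822/20040908 found nothing
"""

# Assumed line grammar: <engine> <version>/<YYYYMMDD> found ([label] | nothing)
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<sig_date>\d{8})\s+found\s+"
    r"(?:\[(?P<label>[^\]]+)\]|nothing)\s*$"
)

# Lower-cased substrings that mark the IRC-bot / backdoor families named in
# the report (my own list, chosen to cover the labels quoted above).
FAMILY_HINTS = ("sdbot", "ircbot", "gaobot", "agobot", "backdoor")


def parse_report(text):
    """Map engine name -> {version, sig_date, label}; label is None when the
    engine found nothing. A repeated engine line overwrites the earlier one,
    so duplicates do not inflate the engine count."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised report line: {line!r}")
        results[m["engine"]] = {
            "version": m["version"],
            "sig_date": m["sig_date"],
            "label": m["label"],
        }
    return results


def summarize(results):
    """Count engines and detections and keep the per-engine labels."""
    labels = {eng: r["label"] for eng, r in results.items() if r["label"]}
    return {
        "engines": len(results),
        "detections": len(labels),
        "labels": labels,
    }


def family_keywords(results):
    """Count how many engine labels mention each family hint, so differently
    named detections of the same bot class can be read together."""
    hits = Counter()
    for r in results.values():
        if not r["label"]:
            continue
        low = r["label"].lower()
        for kw in FAMILY_HINTS:
            if kw in low:
                hits[kw] += 1
    return hits


if __name__ == "__main__":
    parsed = parse_report(VT_REPORT)
    summary = summarize(parsed)
    print(f"{summary['detections']} of {summary['engines']} engines flagged the file")
    for eng, label in summary["labels"].items():
        print(f"  {eng}: {label}")
    print("family hints:", dict(family_keywords(parsed)))
```

Run against the quoted report this gives 5 detections out of 9 distinct engines, with "backdoor" appearing in two labels and "sdbot", "ircbot" and "gaobot" in one each; the practical point is that a low hit count across engines with inconsistent names is still a consistent verdict once the labels are read by family rather than by exact string.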
Current thread:
- Any idea about that? Syed Imran Ali (Sep 09)
- Re: Any idea about that? James Woodcock (Sep 09)
- Re: Any idea about that? Harlan Carvey (Sep 10)
- Re: Any idea about that? James Woodcock (Sep 10)
- <Possible follow-ups>
- Re: Any idea about that? Feher Tamas (Sep 10)