Full Disclosure mailing list archives
RE: New virus?
From: "Todd Towles" <toddtowles () brookshires com>
Date: Mon, 27 Sep 2004 15:27:43 -0500
Has anyone been able to grab the files from the BR domain server? Are they using the JPEG hole.. or is it just a phishing type thing?

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of the rxmr
Sent: Monday, September 27, 2004 2:14 PM
To: Bernardo Santos Wernesback
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] New virus?

----- Original Message -----
From: Bernardo Santos Wernesback <bernardo () ish com br>
Date: Mon, 27 Sep 2004 14:44:58 -0300
Subject: [Full-disclosure] New virus?
To: full-disclosure () lists netsys com

Hi everyone,

Has anyone seen a lot of HTTP activity to a certain site: http://www.fotosgratis.pop.com.br ?

One of our clients has several machines making tons of requests for TXT files on that server:

botao.txt
mswinsck.txt
ita01.txt
caixa01.txt
teclado07.txt
caixa01.txt
caixa02.txt
caixa03.txt
caixa04.txt
caixa05.txt

Thanks for any info.,

_____________________________________________________
Bernardo Santos Wernesback
ESSE,ESS,SCSE,CCNA/DA, CCSA,CQS,MCP
Consultant / ISH Tecnologia
Phone: +55-27-3334-8900
Mobile: +55-27-8111-0884
Email: bernardo () ish com br
PGP Fingerprint: 6A42 3701 70D7 FD0F 5FA9 D232 CDD4 6189 EF43 95F5

This should answer your questions. It is a trojan - TROJ_BANCOS.BW or a variant.
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_BANCOS.BW
From the page:
"Description: This Trojan attempts to download the following image files in the folder %Windows%\inf:
* botao.bmp
* caixa01.jpg
* caixa02.jpg
* caixa04.jpg
* caixa05.jpg
* ita01.jpg
* teclado_05.jpg
* teclado_07.jpg
* teclado_gere03.jpg
* teclado_gere04.jpg
* teclado_gere05.jpg
* teclado_gere06.jpg"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
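A defender-side check for the activity Bernardo describes, added here as an example and not part of the thread: it walks constructed Squid-style proxy log lines and reports which clients fetched the listed TXT names from www.fotosgratis.pop.com.br. The log layout, client addresses and peer address are assumptions.

```python
import re
from collections import defaultdict

# Values taken from Bernardo's message in this thread.
SUSPECT_HOST = "www.fotosgratis.pop.com.br"
SUSPECT_FILES = {
    "botao.txt", "mswinsck.txt", "ita01.txt", "teclado07.txt",
    "caixa01.txt", "caixa02.txt", "caixa03.txt", "caixa04.txt", "caixa05.txt",
}

# Assumed Squid-style access log layout:
# <epoch> <elapsed> <client-ip> <code/status> <bytes> <method> <url> ...
LOG_RE = re.compile(r"^\S+\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<url>\S+)")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?/(?:.*/)?(?P<name>[^/?#]*)")

# Constructed sample log; 192.0.2.10 is a placeholder peer address, not the real server.
SAMPLE_LOG = """\
1096313000.123 45 10.1.2.30 TCP_MISS/200 812 GET http://www.fotosgratis.pop.com.br/botao.txt - DIRECT/192.0.2.10 text/plain
1096313001.456 40 10.1.2.30 TCP_MISS/200 644 GET http://www.fotosgratis.pop.com.br/caixa01.txt - DIRECT/192.0.2.10 text/plain
1096313002.789 38 10.1.2.30 TCP_MISS/200 602 GET http://www.fotosgratis.pop.com.br/teclado07.txt - DIRECT/192.0.2.10 text/plain
1096313003.001 50 10.1.2.31 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
1096313004.002 47 10.1.2.32 TCP_MISS/200 812 GET http://www.fotosgratis.pop.com.br/caixa05.txt - DIRECT/192.0.2.10 text/plain
"""

def is_suspect_url(url):
    """True when the URL fetches one of the listed TXT names from the suspect host."""
    m = URL_RE.match(url)
    if not m:
        return False
    return (m.group("host").lower() == SUSPECT_HOST
            and m.group("name").lower() in SUSPECT_FILES)

def find_suspect_clients(lines, min_requests=1):
    """Map each client IP to its request count and the distinct names it fetched."""
    requests = defaultdict(int)
    names = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_suspect_url(m.group("url")):
            continue
        client = m.group("client")
        requests[client] += 1
        names[client].add(URL_RE.match(m.group("url")).group("name").lower())
    return {c: {"requests": n, "files": sorted(names[c])}
            for c, n in requests.items() if n >= min_requests}

if __name__ == "__main__":
    for client, info in find_suspect_clients(SAMPLE_LOG.splitlines()).items():
        print(client, info["requests"], ", ".join(info["files"]))
```

Raising min_requests filters out one-off hits when only the "tons of requests" pattern Bernardo saw is of interest.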
Current thread:
- New virus? Bernardo Santos Wernesback (Sep 27)
- Re: New virus? Harlan Carvey (Sep 27)
- Re: New virus? Exibar (Sep 27)
- Re: New virus? the rxmr (Sep 27)
- Re: New virus? the rxmr (Sep 27)
- Re: New virus? Adam Jacob Muller (Sep 27)
- Re: New virus? Vince is a dickhead (Sep 27)
- <Possible follow-ups>
- RE: New virus? Todd Towles (Sep 27)
- RE: New virus? Todd Towles (Sep 27)
- Re: New virus? Harlan Carvey (Sep 27)