Full Disclosure mailing list archives

Re: What is this


From: Ron <iago () valhallalegends com>
Date: Mon, 08 Aug 2005 14:06:00 -0500

I've seen something very similar spreading as an IM worm.  There's a
pretty good chance he got it from AIM or MSN.  Of course, it could also
be a classic email worm, who knows?

Michael Hale wrote:
Antivirus doesn't detect it because it's packed with ASProtect 1.2.x
(using StudPE). You can see the difference when it's dumped out of RAM
into its uncompressed/decrypted form (see VirusTotal results below).
My interest is where you came across this URL. Can you provide that
information?

Scan results
 File: DUMPED.php
 Date: 08/08/2005 20:39:56 (CET)
----
AntiVir 6.31.1.0/20050808       found [BDS/SdBot.Gen.Plus]
Avast   4.6.695.0/20050808      found nothing
AVG     718/20050807    found nothing
Avira   6.31.1.0/20050808       found [BDS/SdBot.Gen.Plus]
BitDefender     7.0/20050808    found nothing
CAT-QuickHeal   7.03/20050808   found [(Suspicious) - DNAScan]
ClamAV  devel-20050725/20050808 found [Trojan.Mybot-312]
DrWeb   4.32b/20050808  found [BackDoor.IRC.Sdbot.118]
eTrust-Iris     7.1.194.0/20050806      found nothing
eTrust-Vet      11.9.1.0/20050808       found [Win32.Slinbot]
Fortinet        2.36.0.0/20050808       found [suspicious]
F-Prot  3.16c/20050808  found nothing
Ikarus  0.2.59.0/20050808       found nothing
Kaspersky       4.0.2.24/20050808       found nothing
McAfee  4552/20050808   found [New Malware.b]
NOD32v2 1.1187/20050805 found [BAT/NoShare.L]
Norman  5.70.10/20050805        found nothing
Panda   8.02.00/20050808        found nothing
Sophos  3.96.0/20050808 found nothing
Sybari  7.5.1314/20050808       found [Win32.Slinbot]
Symantec        8.0/20050808    found [W32.Randex]
TheHacker       5.8.2.082/20050808      found nothing
VBA32   3.10.4/20050808 found [suspected of Backdoor.RxBot.2]

On 8/8/05, trains () doctorunix com <trains () doctorunix com> wrote:

Quoting Armando Rogerio Brandão Guimaraes Junior <arjunior () attps com br>:


Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php
AntiVirus and SpyBot don't detect it!!!

Armando Guimarães Jr

It is an MS-EXE executable program.  Antivirus doesn't find it because
it is not a virus.  Spybot for the same reason.  To block these you
need an SMTP policy that does not allow executable attachments to
incoming emails.

"What it does" could be anything from typing "hello world" in a dialog
box (unlikely) to creating a new Administrator account on your
corporate AD server and posting the entire contents thereof to an IRC
channel (somewhat more likely).  But at first glance it looks like it
is going to open a backdoor shell on the recipient's PC.

tc



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
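Two points in the thread invite a concrete check: the advice to block executable attachments at the SMTP gateway, and the observation that the sample was served as IMAGE0004.php yet is an MS-EXE that antivirus misses because it is packed. The following is an added example, not code from the thread or from any poster, that identifies a PE by its MZ/PE header rather than by file extension and flags sections whose raw bytes have high entropy as likely packed or encrypted; the 7.0 threshold and the toy PE it builds are constructed assumptions.

```python
import math
import struct

PACKED_ENTROPY = 7.0  # assumption: raw section data above this bits/byte is likely compressed or encrypted

def is_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ stub and a PE signature, whatever the extension claims."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte of the buffer; 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def section_entropy(data: bytes) -> dict:
    """Map each COFF section name to the entropy of its raw on-disk bytes."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                               # section table follows the optional header
    result = {}
    for i in range(nsect):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        result[name.rstrip(b"\x00").decode("ascii", "replace")] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
    return result

def triage(data: bytes) -> dict:
    """Mail-gateway style verdict: is it an executable, and which sections look packed?"""
    if not is_pe(data):
        return {"executable": False, "packed_sections": []}
    return {"executable": True,
            "packed_sections": [n for n, e in section_entropy(data).items() if e > PACKED_ENTROPY]}

def build_sample_pe() -> bytes:
    """Constructed toy PE (not the thread's sample): a zeroed .text and a uniform-byte .packed section."""
    opt = b"\x0b\x01" + b"\x00" * 222                      # PE32 magic plus zero padding (224 bytes)
    hdr_len = 0x40 + 4 + 20 + len(opt) + 2 * 40
    text, packed = b"\x00" * 512, bytes(range(256)) * 2
    sects = struct.pack("<8sIIII", b".text", 512, 0x1000, len(text), hdr_len) + b"\x00" * 16
    sects += struct.pack("<8sIIII", b".packed", 512, 0x2000, len(packed), hdr_len + len(text)) + b"\x00" * 16
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + coff + opt + sects + text + packed
```

An extension-based attachment policy would pass a file named IMAGE0004.php; the header check above catches it regardless of name, and the entropy score is a cheap signal that a sample deserves a second look even when scanners report nothing.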