Full Disclosure mailing list archives
Re: What is this
From: Ron <iago () valhallalegends com>
Date: Mon, 08 Aug 2005 14:06:00 -0500
I've seen something very similar spreading as an IM worm. There's a pretty good chance he got it from AIM or MSN. Of course, it could also be a classic email worm, who knows?

Michael Hale wrote:

Antivirus doesn't detect it because it's packed with ASProtect 1.2.x (using StudPE). You can see the difference when it's dumped out of RAM into its uncompressed/decrypted form (see VirusTotal results below). My interest is where you came across this URL. Can you provide that information?

Scan results
File: DUMPED.php
Date: 08/08/2005 20:39:56 (CET)
----
AntiVir 6.31.1.0/20050808 found [BDS/SdBot.Gen.Plus]
Avast 4.6.695.0/20050808 found nothing
AVG 718/20050807 found nothing
Avira 6.31.1.0/20050808 found [BDS/SdBot.Gen.Plus]
BitDefender 7.0/20050808 found nothing
CAT-QuickHeal 7.03/20050808 found [(Suspicious) - DNAScan]
ClamAV devel-20050725/20050808 found [Trojan.Mybot-312]
DrWeb 4.32b/20050808 found [BackDoor.IRC.Sdbot.118]
eTrust-Iris 7.1.194.0/20050806 found nothing
eTrust-Vet 11.9.1.0/20050808 found [Win32.Slinbot]
Fortinet 2.36.0.0/20050808 found [suspicious]
F-Prot 3.16c/20050808 found nothing
Ikarus 0.2.59.0/20050808 found nothing
Kaspersky 4.0.2.24/20050808 found nothing
McAfee 4552/20050808 found [New Malware.b]
NOD32v2 1.1187/20050805 found [BAT/NoShare.L]
Norman 5.70.10/20050805 found nothing
Panda 8.02.00/20050808 found nothing
Sophos 3.96.0/20050808 found nothing
Sybari 7.5.1314/20050808 found [Win32.Slinbot]
Symantec 8.0/20050808 found [W32.Randex]
TheHacker 5.8.2.082/20050808 found nothing
VBA32 3.10.4/20050808 found [suspected of Backdoor.RxBot.2]

On 8/8/05, trains () doctorunix com <trains () doctorunix com> wrote:

Quoting Armando Rogerio Brandão Guimaraes Junior <arjunior () attps com br>:

Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php AntiVirus and SpyBot don't detect it!!!

Armando Guimarães Jr

It is an MS-EXE executable program. Antivirus doesn't find it because it is not a virus. Spybot for the same reason. To block these you need an SMTP policy that does not allow executable attachments to incoming emails.

"What it does" could be anything from typing "hello world" in a dialog box (unlikely) to creating a new Administrator account on your corporate AD server and posting the entire contents thereof to an IRC channel (somewhat more likely). But at first glance it looks like it is going to open a backdoor shell on the recipient's PC.

tc

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
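Added example, not part of the thread or any poster's code: a small Python triage that makes two points from the messages above concrete. First, a download is recognised as a Windows PE ("MS-EXE") by its MZ/PE magic rather than by the extension it is served with (the sample in the thread was served as IMAGE0004.php), which is the check an attachment policy should make. Second, per-section entropy flags the compressed or encrypted sections that a packer of the kind Michael Hale mentions (ASProtect) produces, which is why the unpacked memory dump scans differently from the file on disk. The PE image, its section names and the 7.0 bits/byte threshold are assumptions constructed for this example, not data from the post.

```python
"""Added triage example (not code from the thread).

Recognise a PE by its MZ/PE magic regardless of extension, then score each
section's Shannon entropy to flag packed/encrypted content.  The PE image
built at the bottom is constructed inline for the example; it is not the
sample discussed in the post.
"""
import math
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
# Assumption: 7.0 bits/byte is a common triage cut-off for "packed or encrypted".
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == IMAGE_NT_SIGNATURE


def pe_sections(data: bytes):
    """Yield (name, raw_bytes) for each section header of a PE image."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    first = coff + 20 + opt_size                          # IMAGE_SECTION_HEADER[0]
    for i in range(nsections):
        off = first + i * 40
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]


def triage(data: bytes) -> dict:
    """Classify bytes by content, ignoring whatever extension they were served with."""
    result = {"is_pe": is_pe(data), "sections": [], "likely_packed": False}
    if not result["is_pe"]:
        return result
    for name, raw in pe_sections(data):
        ent = shannon_entropy(raw)
        result["sections"].append((name, len(raw), round(ent, 2)))
        # Tiny sections are noisy; only a sizeable near-random section counts.
        if len(raw) >= 256 and ent >= PACKED_ENTROPY_THRESHOLD:
            result["likely_packed"] = True
    return result


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE32 container around the given (name, bytes) sections.

    The headers are just enough for the parser above; this is not a loadable program.
    """
    e_lfanew, opt_size = 0x40, 224                        # PE32 optional header size
    nsec = len(sections)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * nsec
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF              # first raw section on a 0x200 boundary
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    hdrs, body, ptr = bytearray(), bytearray(), raw_ptr
    for idx, (name, raw) in enumerate(sections):
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000 * (idx + 1),
                            len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    image = dos + IMAGE_NT_SIGNATURE + coff + opt + hdrs
    image += b"\x00" * (raw_ptr - len(image))
    return bytes(image + body)


# Constructed sample: a low-entropy "code" section plus a section whose bytes are
# uniformly distributed (entropy 8.0), standing in for a packed payload.  The
# section names are chosen for the example.
SAMPLE_PE = build_sample_pe([
    (b".text", (b"\x55\x8b\xec" + b"\x90" * 5) * 128),
    (b".adata", bytes(range(256)) * 4),
])

if __name__ == "__main__":
    print(triage(SAMPLE_PE))
    print(triage(b"<?php echo 'not an exe'; ?>"))
```

Run against a real download, `triage(open(path, "rb").read())` reports the PE verdict and per-section entropies; an SMTP or proxy policy that keys on `is_pe` rather than on the filename catches an executable served as .php or .jpg. A high-entropy verdict is only a hint that the file is packed, not an identification of the packer, and the sections of a memory dump taken after the unpacking stub has run will score much lower, which is the difference the VirusTotal results above reflect.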
Current thread:
- What is this Armando Rogerio Brandão Guimaraes Junior (Aug 08)
- Re: What is this trains (Aug 08)
- Re: What is this Michael Hale (Aug 08)
- Re: What is this Ron (Aug 08)
- RE: What is this Peter Kruse (Aug 08)
- Re: What is this Michael Hale (Aug 08)
- Re: What is this Jeremy (Aug 08)
- RE: What is this Aditya Deshmukh (Aug 08)
- <Possible follow-ups>
- RE: What is this Armando Rogerio Brandão Guimaraes Junior (Aug 08)
- Re: What is this Feher Tamas (Aug 09)
- Re: What is this trains (Aug 08)