Security Incidents mailing list archives
Re: price.doc.exe
From: barry.net () NTLWORLD COM (barry.net)
Date: Mon, 22 May 2000 11:41:43 +0100
Sent the file to CAI (http://www.antivirus.cai.com) and they come back:

Thank you for your E-mail and attached file, Price.doc.exe was infected with Win32.PSW.Gip.112 trojan which will be detected by IPE Virus Signature Update 360 due to be posted to our website shortly.

A Trojan is a malicious program that masquerades as a legitimate program. You should delete any file that IPE reports as a Trojan. If the file is "in use" by the system, you will have to reboot the computer with a "clean" bootable system disk and then delete the file from DOS. A Trojan may look like it is a system file or a patch or even a game but when activated, it runs some other malicious activity. InoculateIT Personal Edition 5.1 will automatically delete Trojans when they are detected if they are not "in use" by the system.

Thank you for sending us the file for checking.

Regards,
Steve Trusler
Systems Engineer
InoculateIT Personal Edition Support Team
Computer Associates Pty Ltd

Regards,
Philip Barry

----- Original Message -----
From: <illu5i0n () HUSHMAIL COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, May 19, 2000 11:43 PM
Subject: price.doc.exe
This executable sets itself up to run as a service and appears to be a password stealing trojan. It copies itself to the windows directory (c:\winnt in my case). That's all I have for now.

Illu5i0n

At Thu, 18 May 2000 12:20:34 +0200, "Volker Werth [VWSoft]" <VWerth () VWSOFT COM> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks!

Well, I know this might be something for an antivirus vendor but I thought it's of interest for the incidents list..... I received a mass email message from unknown (to me) source which had a file attached to it. The MUA (Eudora in my case) showed this to be a .DOC file but in truth this figured out to be an executable file. The guys did really a good job to "hide" the real file extension. They used the following filename (paste from original mail):

price.doc%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20% 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2 %20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20% 0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2 %20%20%20%20%20%20%20%20%20%20%20.exe

which results in displaying a filename "price.doc" and lots of spaces so neither the email client nor the Win explorer shows the correct filename (explorer correctly shows the file type as executable). A joe average user would identify this to be a Word document file (....and just click on it like he does every time as we've seen from Melissa & Co.).

For everyone who wants to take a look at the EXE file, I've attached a ZIP file (password is "price" without quotes). Attention: I did NO investigation on that EXE file - so I don't know if this file will be safe to execute or contains any dangerous code! DO NOT EXECUTE THE FILE CONTAINED IN THE ZIP!

Maybe someone is able and has the time to investigate the file by disassembling it.

Cheers,
Volker

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>

iQA/AwUBOSO14LdVlYEAznqjEQLYLgCfXV67/l1INMUPHsuAMuXxE2b56swAnRNr
piGDGegcdJmsXMmwtja5qTBE
=XTzk
-----END PGP SIGNATURE-----

IMPORTANT NOTICE: If you are not using HushMail, this message could have been read easily by the many people who have access to your open personal email messages. Get your FREE, totally secure email address at http://www.hushmail.com.
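The disguise Volker describes is easy to check for at a mail gateway: decode the attachment name, find the extension after the last dot (the one Windows actually honours), and measure how many blank characters separate it from the document-looking name in front. The following is an added example written for this archive page, not code from any poster in the thread; the extension lists, the padding threshold, the Unicode blanks included in PADDING and the sample names are the example's own assumptions, and the samples are constructed rather than taken from the original mail.

```python
# Added example for this archive page, not code from any poster in the thread.
# It checks an attachment filename for the padding trick described above:
# a document-looking name, a run of blank characters, then a real executable
# extension. Extension lists, the padding threshold and the sample names are
# this example's own assumptions.
from urllib.parse import unquote

# Extensions Windows runs on double-click (a common subset, assumed here).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js"}
# Extensions a user reads as a harmless document or picture (assumed list).
DOCUMENT_EXTS = {"doc", "xls", "ppt", "txt", "pdf", "rtf", "jpg", "gif"}
# Characters that render as blank space in a file list (ASCII blanks plus a
# few Unicode spaces), so they can push the true extension out of view.
PADDING = " \t\u00a0\u2002\u2003\u2007\u200b\u3000"
# More blanks than this before the last dot is not a normal filename.
MAX_PADDING = 3


def analyse_filename(raw_name: str) -> dict:
    """Decode a filename as it appears in a MIME header and describe it."""
    # The thread pasted the name with spaces percent-encoded (%20); decode
    # first so the padding is visible to the checks below.
    name = unquote(raw_name)

    # The extension Windows honours is whatever follows the LAST dot.
    base, dot, true_ext = name.rpartition(".")
    if not dot:                      # no extension at all
        base, true_ext = name, ""
    true_ext = true_ext.lower()

    # What a narrow mail client or file list shows: the name with the
    # trailing blanks (and the real extension) cut off.
    visible = base.rstrip(PADDING)
    padding = len(base) - len(visible)
    _, dot2, shown_ext = visible.rpartition(".")
    shown_ext = shown_ext.lower() if dot2 else ""

    findings = []
    executable = true_ext in EXECUTABLE_EXTS
    if executable:
        findings.append("executable extension ." + true_ext)
        if padding > MAX_PADDING:
            findings.append(f"{padding} blank characters before the extension")
        if shown_ext in DOCUMENT_EXTS:
            findings.append(f"displays as a .{shown_ext} file")

    return {
        "decoded": name,
        "shown_as": visible,
        "true_extension": true_ext,
        "padding": padding,
        "executable": executable,
        # Disguise = executable that either hides behind padding or wears a
        # document extension in front; a plain .exe is merely "executable".
        "suspicious": executable and (padding > MAX_PADDING or shown_ext in DOCUMENT_EXTS),
        "findings": findings,
    }


def scan(names):
    """Return 'shown name -> real extension' for every disguised executable."""
    return [f"{r['shown_as']} -> .{r['true_extension']}"
            for r in map(analyse_filename, names) if r["suspicious"]]


# Constructed sample attachment names (not the ones from the thread):
SAMPLE_NAMES = [
    "price.doc" + "%20" * 60 + ".exe",              # the trick above, in %20 form
    "invoice.doc.exe",                              # plain double extension
    "photo.jpg\u00a0\u00a0\u00a0\u00a0\u00a0.scr",  # Unicode non-breaking spaces
    "report.doc",                                   # genuine document
    "setup.exe",                                    # undisguised executable
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = analyse_filename(n)
        print(f"{r['shown_as']!r:>16} suspicious={r['suspicious']} {r['findings']}")
```

Note that a bare `setup.exe` is reported as executable but not as a disguise; whether plain executables are blocked at all is a separate policy decision, while the check above targets the specific trick of making an executable look like a document.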