Security Incidents mailing list archives

New Virus / Trojan?


From: Vincent Jaussaud <Vincent.Jaussaud () kelkoo net>
Date: Mon, 26 Jul 2004 18:08:48 +0200

Hi there;

We just saw a malicious program coming into our network.

As usual, it uses its own SMTP engine to send itself.

None of our anti-virus scanners knows about it (NAV, ClamScan, File::Scan), and
since it's a zip file, it isn't blocked by our mail system.

The zip file contains one file, named (without quotes):

"britney.jpg\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
\ \ \ \ \ \ \ \ \ \ \ \ .scr"

The zip file is 33650 bytes, while the .scr file is 32768 bytes.

A strings dump of the scr file gives:

VWhd0@
T$dU
jyh^V$
+ QR
`"a;l
E:HUP
VV4t
JRUND
LL32.EXE %s,_mainRD
DllRegisterS
CLSID\{
2716A60E-3B39-11D8-81AB-455wy
35401}
7 mut1
b\%c
c*.Se
&';7
)ig?O
^{t1
OZ<r
\son
r#E5
47q<o
J#b|
?`(.
KwDr
\0}7(
 qdk
0$"=
C%nWl
*tyrA
HCzi
th|A[
dx71
v&r|
%eL&k
^?$f
zVPt
{oix+
a68p
+LGCr
t'pz
f/Z0
]1Yj_p
09<'
-[L(,*
&pe6
Rl      N
S:#Z5
LAD+X
^#n:
u[      .wV
1       -w
,:vi
@5}[
6qz7kM
anhc{]
^~>^;
uTWb
w*ax
pQgd
u(@;;
w60G
k1:a
.'1vf
a+Y30
#&Nv
tS8(
.86
4-;;=
nB^~
:q;q
F"1i
t-wB
7wq9
QrBv
/m}+H
ow83`
I_dTp"~
f|s]
&\,9
+)2222('&%vK
A+-
0k>j
6uRg_
%       'p
ydpe
+YErY
'@g9E
rJn@
&S%q
\raN
_F"7r
7kp(FF
D!\S
*f*~
R,B?6O
=^$cO
KC*NA
{55`
^dSZ
.\XJ
s-eB7
\j+
on      S
a=]|
<.Vk
1v/U/
Ouzm{
`oD6
m[w+!
Zh?l
9a-CSq
2J18
b_ if
yzk}
j=Jx
o,a-
Z*iga
Ulc@
e7)N
B)=3
+F8X'
\'Ix
faV7
D.Gwsf
rO\N
4SgP
P`dS
KHFt
<e"lK
6,a@
Xf3P
2t0>
w'|=
Xj=Q
-j-j
J/5R
b/3
G4kN
d20.5Bl
7,.y
=6p
uV[,z
[)h@\
Y+rc
V8B!
9xZ,
*[a(
]%#
(/,[
vyyg
;'A(
\o[!=
Z3Q#'
p'U#')3G
_:U;
n=;'
zsC}
BhZ6
=+D-(
-~n,y
Vwzr
&u5,
P&JC
]naW
h)j8
h3DCaFV`
s,[#
7*GP
$!i#
ZP-W,^_
m)\A
 DXy
k}l1
4QC
'=4@
7{P0
o'pP3x
n[}
R-#-
!|Az
qBm6
27|8
8<b)ga
P(g"
:WWh/
mx=0
w0E$
;P2
        ;h>
M<)o
/KV`
^iHv
'a.F
36WZ
;7/+'
o       ,u
N+xs
!5%S
tdY1
E`lR+E
?&J[<%?
sokg
q]Ml
oa#[
w&-h
8z,|
)6D$
fjE0
ZBGaG
vzN_
(j'a;.[
g/OKW(8
IL@e
l.^;='
0/Jta&
dq-m
+-,y
QCV:aD!
BBu=E5
_s_A
%xqVo
lk']
6l_7
+Kl-
`[TOG
?7/&
S[go4M
#+3?
=k>S
\yd7k
<n!5
#76R
;H3
s)BG
Z63zt
P@T}
bws)
j3c(
^+      K_
KGo5
lYOg
{gOw
_w7l
7{/6CK[O
,;w'o
+,=/
(?[4M
)+Gg
tC*+
Gcug
VX`K
nU^aJ
fXX`
        y_7_
[}wO
_6Sp
CloseHandle;
/WriteFi
Crea
GetModul
Nam~
WiAowsDi6ctory
LoadLibra
Free
0ProcAdd
Pntt
Tick
SCurP
MIxAm
werB
ofA PEL
B`.rd
X.&'
Osrc
wwwwwwwwwwpp
KERNEL32.DLL
ADVAPI32.dll
USER32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
wsprintfA

If any of you has already faced this one, please share any comments / ideas
you may have.

We'll try to submit this to Symantec's virus analysts.

If you need further info, please let me know.

Thanks in advance !
Best Regards,

-- 
#################################################################
                Kelkoo Security Manager / Networks & Systems Architect 
  JID: portsentry () ims kelkoo net / GPG key 1024D/3BFE3FC7 2002-02-07
                 Office: +(33)04 7629 7163 / Mobile: +(33)06 806 409 62 
#################################################################
"Those who desire to give up freedom in order to gain security will not
have, nor do they deserve, either one."
    -- President Thomas Jefferson.    1743-1826

Attachment: signature.asc
Description: This is a digitally signed message part
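The evasion described in this post is in the archive member name: a decoy image extension followed by a long run of spaces, with the real ".scr" pushed out of view. The following is an added example, not code from the original post or from any of the scanners it mentions: a Python script that walks a zip attachment without extracting it and flags members whose name carries an executable extension, a long whitespace run, or a displayed extension that differs from the real one. The sample archive it builds is constructed inline (a fake "MZ" stub, not the original attachment); the list of executable extensions and the eight-character whitespace threshold are assumptions chosen for this example.

```python
import io
import re
import zipfile

# Extensions Windows will execute on double-click. The post's sample uses .scr
# (screen saver), which is an ordinary PE executable. Assumed list for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# A whitespace run long enough to push the real extension out of a mail client's
# or file dialog's visible column. The threshold of 8 is an assumption.
PADDING_RE = re.compile(r"\s{8,}")


def analyse_entry_name(name: str) -> dict:
    """Classify one archive member name by the filename tricks it uses.

    Returns the real (final) extension, the part of the name a user would see
    before any padding, and a list of reasons the name looks suspicious.
    """
    base = name.rsplit("/", 1)[-1]  # drop any directory component
    reasons = []
    real_ext = ""
    if "." in base:
        real_ext = "." + base.rsplit(".", 1)[-1].strip().lower()
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {real_ext}")

    shown = base
    m = PADDING_RE.search(base)
    if m:
        shown = base[: m.start()]
        reasons.append(f"{m.end() - m.start()} whitespace characters hide the real extension")
        # A decoy extension in front of the padding (".jpg" here) is the classic tell.
        if "." in shown:
            shown_ext = "." + shown.rsplit(".", 1)[-1].lower()
            if shown_ext != real_ext:
                reasons.append(f"displayed extension {shown_ext} differs from real extension {real_ext}")
    return {"name": base, "shown_as": shown, "real_ext": real_ext, "reasons": reasons}


def scan_zip(data: bytes) -> list:
    """Inspect a zip archive's central directory only; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = analyse_entry_name(info.filename)
            verdict["size"] = info.file_size
            if verdict["reasons"]:
                findings.append(verdict)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample (not the original attachment): a decoy image name padded
    with spaces in front of .scr, plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        padded = "britney.jpg" + " " * 160 + ".scr"
        zf.writestr(padded, b"MZ" + b"\x00" * 30)  # fake DOS header stub, not real malware
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f['shown_as']!r} is really {f['real_ext']} ({f['size']} bytes): "
              + "; ".join(f["reasons"]))
```

Because the check reads only the central directory, it is safe to run in a mail gateway before any anti-virus signature exists; the filename trick itself is the indicator, regardless of what the .scr contains.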

