ABoxInstall

["Carlos Kramer" <csk_1975 () hotmail com>]

Hi,

Don't know if this is the correct forum for this. One of my
users got some malicious code which downloaded an FTP
server and trojan and registered itself with a Phillippines site
this code wasn't detected by Nortons.

The exploit site is here:-

http://207.234.185.217/send_car_int.asp

it downloads this:-

http://207.234.185.217/ABoxInst_int2.exe

which then uses ftp to connect to 209.58.80.244 with the
username/password anonymous/qnelpdc to download these
files:- Abox.exe, ABox.bup and logon.exe.

These files are executed and the machine registers itself at:-

http://209.58.80.244/new_install.asp?...

The executable also has a Thawte certificate which seems
to be signed for www.voicekampala.com (uganda?).

I thought this might be of interest to someone as the only
reference I could find to it was a "Hijack This" log posted to
a German site.

It seems to be some sort of porn dialler which hides itself in
a trojaned logon.exe.

Cheers.

_________________________________________________________________
Check out Election 2004 for up-to-date election news, plus voter tools and 
more! http://special.msn.com/msn/election2004.armx