Re: ABoxInstall

[Matthew Cerha <matthew.cerha () gmail com>]

I ran the ABoxInst_int2.exe binary through www.virustotal.com.
Kaspersky reports it as

TrojanDownloader.Win32.VB.fi

On Wed, 10 Nov 2004 09:03:12 +0000, Carlos Kramer <csk_1975 () hotmail com> wrote:
> Hi,
>
> Don't know if this is the correct forum for this. One of my
> users got some malicious code which downloaded an FTP
> server and trojan and registered itself with a Phillippines site
> this code wasn't detected by Nortons.
>
> The exploit site is here:-
>
> http://207.234.185.217/send_car_int.asp
>
> it downloads this:-
>
> http://207.234.185.217/ABoxInst_int2.exe
>
> which then uses ftp to connect to 209.58.80.244 with the
> username/password anonymous/qnelpdc to download these
> files:- Abox.exe, ABox.bup and logon.exe.
>
> These files are executed and the machine registers itself at:-
>
> http://209.58.80.244/new_install.asp?...
>
> The executable also has a Thawte certificate which seems
> to be signed for www.voicekampala.com (uganda?).
>
> I thought this might be of interest to someone as the only
> reference I could find to it was a "Hijack This" log posted to
> a German site.
>
> It seems to be some sort of porn dialler which hides itself in
> a trojaned logon.exe.
>
> Cheers.
>
> _________________________________________________________________
> Check out Election 2004 for up-to-date election news, plus voter tools and
> more! http://special.msn.com/msn/election2004.armx