Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

fulldisclosure logo Full Disclosure mailing list archives

RE: [Full-Disclosure] Re: http://federalpolice.com:article872 () 1075686747
From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Mon, 16 Feb 2004 10:08:47 +0530
this is not a zip file - its a windows exe complete with a MZ header and calls to LoadLibraryA  & GetProcAddress 
exported from KERNEL32.dll 

am debugging thu it - to see what exactly it does...

(this one is real good) but how come ie and mozilla started it up as a java applet without any error message ?

-aditya


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of Nicola
Fankhauser
Sent: Monday, February 16, 2004 12:50 AM
To: full-disclosure () lists netsys com
Subject: [Full-Disclosure] Re: [Full-disclosure]
http://federalpolice.com:article872 () 1075686747


hi jedi

On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote: 

  This is equivalent to http://64.29.173.91/


ok, and the html of the index page is as following:

<html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
<h2>SERVER ERROR 550</h2>
<applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 
HEIGHT=1></applet></body></html>

now, the "SERVER ERROR 550" is clearly a fake - the java applet below
just starts fine. strangely, the 'javautil.zip' is not a valid zip-file,
yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :)
happily start the applet without any hickups or exceptions and mozilla
states 'Applet BlackBox started' in the status bar.

is there anybody knowledgable interested in un-zipping, de-compiling and
analysing this surely malicious applet? I would like to know what
mozilla just executed on my behalf there... :(

FYI, the file 'javautil.zip' attached is directly taken from the site
mentioned above.

regards
nicola




________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]