
Full Disclosure mailing list archives

RE: Backdoor not recognized by Kaspersky
From: "ajrarn" <ajrarn1 () ifrance com>
Date: Wed, 3 Mar 2004 12:00:53 +0100

It's a worm, detected by OfficeScan (pattern 697) as Bagle.J.

Regards. Yoran

 | -----Original Message-----
 | From: full-disclosure-admin () lists netsys com
 | [mailto:full-disclosure-admin () lists netsys com] On behalf of Kristian
 | Hermansen
 | Sent: Tuesday, 2 March 2004 23:34
 | To: full-disclosure () lists netsys com
 | Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky
 |
 |
 | Attached backdoor not recognized by Kaspersky or Norton 2004?  I received
 | this file recently, but Kaspersky did not detect malicious code.  Wondering
 | if any of you guys know about it or have analyzed it before?  It is
 | definitely NOT a text document.  I opened it up with WinHex and see the file
 | "yfivyjmg.exe" in there towards the beginning.  Looks to be a packed exe
 | within, and first few bytes are:
 |
 | 504B03040A0001000000C07E62309FE242510C300000003000000C00000079666976796A6D67
 | 2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE712E68000E55E
 | E8A39241
 |
 | Last few bytes are:
 |
 | E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EAE0D2BA2A6EF
 | 88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309FE242510C30
 | 0000003000000C000000000000000100200000000000000079666976796A6D672E657865504B
 | 050600000000010001003A000000363000000000
 |
 | I am reluctant to open the zip right now, as I fear it may be exploiting an
 | overflow to run the EXE file within.  I may try to open it on a virtual
 | machine later, but if you guys do know anything about this one please let me
 | know.  It's nice and small too (12 KB)!  Wonder if the guy wrote it himself.
 | Of course, the IP address is spoofed to a University of Chicago machine.  Is
 | it even possible to trace back?  I still have the full headers, but they
 | looked nicely stripped to the gills.  I have been receiving elevated attacks
 | via email over the last few days, so maybe it is some guy on this list
 | trying to get me ;-)  One previous email stated that it was the FBI and to
 | call a number listed in the email.  This was most likely an attempt to get
 | the number I was calling from.  This guy thinks he's smooth...
 |
 |
 | Kristian Hermansen
 | khermansen () ht-technology com
 |
 | -----Original Message-----
 | From: management () zerotoys com [mailto:management () {blankedout} com]
 | Sent: Tuesday, March 02, 2004 5:03 PM
 | To: webmaster () {blankedout} com
 | Subject: E-mail account security warning.
 |
 | Dear user of  {blankedout}.com  gateway e-mail server,
 |
 | Your  e-mail account has been temporary disabled because of unauthorized
 | access.
 |
 | For details see the attached file.
 |
 | For security purposes the attached file is password protected.  Password
 | is "65316".
 |
 | Best  wishes,
 |     The {blankedout}.com  team                               http://www.
 | {blankedout}..com
 |

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
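The hex fragments quoted in the thread are enough to read the ZIP container structure without ever extracting the archive, which is the check a practitioner would want before touching a password-protected attachment. The script below is an added example and is not part of the original thread. It takes the head and tail dumps exactly as posted (the middle of the file is not on the page, so only the headers are examined), decodes the local file header, the central directory entry and the end-of-central-directory record, and cross-checks them against each other: entry name, encryption flag, compression method, CRC, sizes and offsets. On this input the container is a single stored entry named yfivyjmg.exe with the traditional PKWARE encryption bit set, whose compressed size exceeds the uncompressed size by exactly the 12-byte encryption header, and whose offsets add up to a 12,422-byte file, in line with the "12 KB" the poster reports. Well-formed headers say nothing about the executable inside; they only rule out a malformed container.

```python
import datetime
import struct

# Constructed from the hex dumps quoted in the message above (mail line wraps
# removed). The middle of the ~12 KB attachment is not on the page, so only the
# head (local file header) and tail (central directory + EOCD) are inspected.
HEAD_HEX = (
    "504B03040A0001000000C07E62309FE242510C300000003000000C00000079666976796A6D67"
    "2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE712E68000E55E"
    "E8A39241"
)
TAIL_HEX = (
    "E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EAE0D2BA2A6EF"
    "88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309FE242510C30"
    "0000003000000C000000000000000100200000000000000079666976796A6D672E657865504B"
    "050600000000010001003A000000363000000000"
)

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_LEN, CENTRAL_LEN, EOCD_LEN = 30, 46, 22
ZIPCRYPTO_HEADER_LEN = 12  # traditional PKWARE encryption prepends 12 bytes to the entry data


def dos_datetime(dos_date, dos_time):
    """Decode the packed MS-DOS date/time fields used in ZIP headers."""
    return datetime.datetime(
        1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def parse_local_header(buf):
    """Parse the local file header at the start of buf; the entry data is not decoded."""
    if buf[:4] != LOCAL_SIG:
        raise ValueError("no local file header signature")
    (_ver, flags, method, mtime, mdate, crc, csize, usize,
     nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", buf, 4)
    data_at = LOCAL_LEN + nlen + xlen
    return {
        "name": buf[LOCAL_LEN:LOCAL_LEN + nlen].decode("ascii", "replace"),
        "encrypted": bool(flags & 1), "method": method,
        "mtime": dos_datetime(mdate, mtime), "crc32": crc,
        "csize": csize, "usize": usize, "data_at": data_at,
        "crypto_header": buf[data_at:data_at + ZIPCRYPTO_HEADER_LEN].hex(),
    }


def parse_tail(buf):
    """Find the end-of-central-directory record and the single central entry before it."""
    eocd_at = buf.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    (_disk, _cd_disk, _n_here, n_total, cd_size, cd_offset,
     _clen) = struct.unpack_from("<HHHHIIH", buf, eocd_at + 4)
    cd_at = eocd_at - cd_size  # the central directory ends where the EOCD begins
    if cd_at < 0 or buf[cd_at:cd_at + 4] != CENTRAL_SIG:
        raise ValueError("central directory not where the EOCD says it is")
    (_made, _need, flags, method, mtime, mdate, crc, csize, usize, nlen, _xlen,
     _clen2, _dsk, _iattr, _eattr, lh_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", buf, cd_at + 4)
    name = buf[cd_at + CENTRAL_LEN:cd_at + CENTRAL_LEN + nlen].decode("ascii", "replace")
    return {"name": name, "encrypted": bool(flags & 1), "method": method,
            "crc32": crc, "csize": csize, "usize": usize, "entries": n_total,
            "cd_size": cd_size, "cd_offset": cd_offset, "local_offset": lh_off,
            "name_len": nlen}


def analyse(head_hex=HEAD_HEX, tail_hex=TAIL_HEX):
    """Cross-check both ends of the archive and report what is knowable without extracting."""
    lh = parse_local_header(bytes.fromhex(head_hex))
    cd = parse_tail(bytes.fromhex(tail_hex))
    problems = []
    for key in ("name", "encrypted", "method", "crc32", "csize", "usize"):
        if lh[key] != cd[key]:
            problems.append(f"local/central mismatch on {key}: {lh[key]!r} vs {cd[key]!r}")
    if cd["entries"] != 1:
        problems.append(f"EOCD claims {cd['entries']} entries but one central entry was parsed")
    if cd["cd_size"] != CENTRAL_LEN + cd["name_len"]:
        problems.append("central directory size does not match a single plain entry")
    # Method 0 (stored) plus the encryption bit: the only overhead is the 12-byte ZipCrypto header.
    if lh["encrypted"] and lh["method"] == 0 and lh["csize"] != lh["usize"] + ZIPCRYPTO_HEADER_LEN:
        problems.append("stored+encrypted entry has an unexpected compressed size")
    expected_cd_offset = cd["local_offset"] + lh["data_at"] + lh["csize"]
    if cd["cd_offset"] != expected_cd_offset:
        problems.append(f"central directory offset {cd['cd_offset']} != {expected_cd_offset}")
    return dict(lh, total_size=cd["cd_offset"] + cd["cd_size"] + EOCD_LEN,
                problems=problems, consistent=not problems)


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:>14}: {value}")
```

Running the script prints the decoded fields; `consistent` is True only when every length and offset in both ends of the file agrees, which is the condition an unzip routine's own parser would also see. The same cross-check is what to run on any suspicious archive before deciding whether to extract it in a sandbox: length fields that disagree between the local header, the central directory and the EOCD are the first sign of a crafted container rather than a merely malicious payload.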

