Full Disclosure mailing list archives

RE: Backdoor not recognized by Kaspersky
From: <Jyri.Tamminen () tietoenator com>
Date: Wed, 3 Mar 2004 12:46:19 +0200


Looks like the W32.Bagle.J worm.
More information:


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Kristian
Sent: 3 March 2004 0:34
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Backdoor not recognized by Kaspersky

Attached backdoor not recognized by Kaspersky or Norton 2004?  I
received this file recently, but Kaspersky did not detect malicious
code.  Wondering if any of you guys know about it or have analyzed it
before?  It is definitely NOT a text document.  I opened it up with
WinHex and see the file "yfivyjmg.exe" in there towards the beginning.
Looks to be a packed exe within, and first few bytes are:


Last few bytes are:


I am reluctant to open the zip right now, as I fear it may be exploiting
an overflow to run the EXE file within.  I may try to open it on a
virtual machine later, but if you guys do know anything about this one
please let me know.  It's nice and small too (12 KB)!  Wonder if the guy
wrote it himself. Of course, the IP address is spoofed to a University
of Chicago machine.  Is it even possible to trace back?  I still have
the full headers, but they looked nicely stripped to the gills.  I have
been receiving elevated attacks via email over the last few days, so
maybe it is some guy on this list trying to get me ;-)  One previous
email stated that it was the FBI and to call a number listed in the
email.  This was most likely an attempt to get the number I was calling
from.  This guy thinks he's smooth...

Kristian Hermansen
khermansen () ht-technology com

-----Original Message-----
From: management () zerotoys com [mailto:management () {blankedout} com] 
Sent: Tuesday, March 02, 2004 5:03 PM
To: webmaster () {blankedout} com
Subject: E-mail account security warning.

Dear user of {blankedout}.com gateway e-mail server,

Your e-mail account has been temporarily disabled because of unauthorized

For details see the attached file.

For security purposes the attached file is password-protected.
Password is "65316".

Best wishes,
    The {blankedout}.com team                               http://www.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
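The triage Kristian describes above (hex-viewing the attachment and spotting the embedded yfivyjmg.exe without opening the zip) can be done without a hex editor, because traditional ZIP encryption protects only entry data: the central directory, with file names, sizes, CRCs and the encryption flag, stays in the clear. The following Python script is an added example, not code from the original thread or from any of its participants. It builds a constructed stand-in for such an attachment (a ZipCrypto-protected ZIP containing one .exe, using the password "65316" printed in the lure), lists the entries straight from the central directory, flags what a gateway or analyst would care about, and, given the password, decrypts in memory to hash the payload rather than execute it. The entry name and password come from the thread; the payload bytes, the archive layout and all helper names are assumptions made for the example.

```python
"""Offline triage of a Bagle-style mail attachment: a password-protected ZIP
whose password is printed in the lure. Constructed sample, added example."""
import hashlib
import io
import os
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
FLAG_ENCRYPTED = 0x0001
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def _crc_byte(crc, b):
    # One table step of CRC-32 on the raw register, expressed via zlib.crc32
    # (which pre- and post-inverts its state); this is the ZipCrypto key primitive.
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def zipcrypto(password, data):
    """Traditional PKWARE ('ZipCrypto') stream encryption of data (bytes)."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(c):  # key schedule advances on each plaintext byte
        keys[0] = _crc_byte(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_byte(keys[2], keys[1] >> 24)

    for c in password:
        update(c)
    out = bytearray()
    for p in data:
        t = (keys[2] | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)


def build_attachment(name, payload, password=None):
    """Assemble a one-entry ZIP (method 0, stored) by hand. Constructed sample."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    flags, body = 0, payload
    if password is not None:
        flags = FLAG_ENCRYPTED
        # ZipCrypto prefixes 12 bytes; the last one (CRC high byte) is the password check.
        body = zipcrypto(password, b"\x00" * 11 + bytes([crc >> 24]) + payload)
    n = name.encode("cp437")
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0,
                        crc, len(body), len(payload), len(n), 0) + n + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags, 0, 0, 0,
                          crc, len(body), len(payload), len(n), 0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def list_entries(blob):
    """Names, sizes and flags from the central directory, without extracting anything.
    Works on ZipCrypto-protected archives because only entry data is encrypted
    (no zip64 support; fine for a 12 KB attachment)."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP archive")
    _, _, _, _, count, _, cd_off, _ = struct.unpack_from("<IHHHHIIH", blob, eocd)
    entries, pos = [], cd_off
    for _ in range(count):
        h = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        if h[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name = blob[pos + 46:pos + 46 + h[10]].decode("cp437", "replace")
        entries.append({"name": name, "encrypted": bool(h[3] & FLAG_ENCRYPTED),
                        "method": h[4], "csize": h[8], "usize": h[9]})
        pos += 46 + h[10] + h[11] + h[12]  # header + name + extra + comment
    return entries


def triage(blob):
    """Findings a gateway or analyst wants before anyone double-clicks the file."""
    findings = []
    for e in list_entries(blob):
        ext = os.path.splitext(e["name"])[1].lower()
        if e["encrypted"]:
            findings.append(f"{e['name']}: password-protected entry (scanner cannot see contents)")
        if ext in RISKY_EXT:
            findings.append(f"{e['name']}: executable inside archive")
        if e["csize"] and e["usize"] / e["csize"] > 100:
            findings.append(f"{e['name']}: suspicious compression ratio")
    return findings


def hash_contents(blob, password):
    """Decrypt in memory with the lure's password and hash each entry; never execute it.
    zipfile verifies the check byte and the CRC, so a wrong key raises instead of lying."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i, pwd=password)).hexdigest()
                for i in zf.infolist()}


if __name__ == "__main__":
    # Constructed stand-in for the attachment; not the real Bagle.J sample.
    sample = build_attachment("yfivyjmg.exe", b"MZ" + b"\x90" * 200, password=b"65316")
    for line in triage(sample):
        print(line)
    print(hash_contents(sample, b"65316"))
```

The point for a mail gateway is the first finding: an encrypted archive whose directory names an executable is enough to quarantine, and the scanner does not need the password to see it. The hash step gives a lookup key for a sample the engine does not yet detect, which is what the thread was asking for.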
