Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

JPEG GDI+ (MS04-028) Exploit at http://www.splitinfinity.info
From: bowwow () nowhere org
Date: Mon, 11 Oct 2004 17:02:15 +0800

Gosh.....our Snort oinking another one @
hxxp://www.splitinfinity.info/fa/blok.jpg with payload @
hxxp://www.splitinfinity.info/fa/blok.jpg/fa/aga.exe .

Here is the scan results from http://www.virustotal.com :

=============
This is the report of the scanning done over "aga.exe" file that
VirusTotal processed on 10/11/2004 at 10:42:52.
Antivirus Version Update Result 
BitDefender 7.0 10.09.2004 - 
ClamWin devel-20040922 10.10.2004 - 
eTrust-Iris 7.1.194.0 10.10.2004 - 
F-Prot 3.15b 10.09.2004 - 
Kaspersky 4.0.2.24 10.11.2004 TrojanDownloader.Win32.Small.oh 
McAfee 4397 10.06.2004 - 
NOD32v2 1.890 10.10.2004 unpack error 
Norman 5.70.10 10.07.2004 W32/Downloader 
Panda 7.02.00 10.10.2004 - 
Sybari 7.5.1314 10.11.2004 TrojanDownloader.Win32.Small.oh 
Symantec 8.0 10.10.2004 - 
TrendMicro 7.000 10.10.2004 - 
=============


Hmmm.....no much info on this TrojanDownloader.Win32.Small.oh , any
taker wanna dissect it? :)

Btw thx to the Peter Kruse  & Willem Koenings of [Full-Disclosure]
lists on giving more details on Backdoor.Netsnake.h .

Cheers,
bowwow
 


On Sat, 09 Oct 2004 09:10:22 +0800 , bowwow wrote:

Got this from company network on Snort oinking "WEB-CLIENT JPEG parser
heap overflow attempt"
(http://www.snort.org/snort-db/sid.html?sid=1-2705).

Hex verified its hxxp://home.zccn.net/mm2004/mu/nc.jpg with payload @
hxxp://home.zccn.net/mm2004/mu/msmsgs.exe infected by netsnake.h
trojan (http://www.google.com.sg/search?hl=en&q=netsnake.h)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • JPEG GDI+ (MS04-028) Exploit at http://www.splitinfinity.info bowwow (Oct 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]