Security Incidents: Hybris Worm

Hybris Worm

From: Gilbert Alaverdian <gilbert.a_at_NEO.NET.AU>
Date: Sun, 4 Feb 2001 12:18:19 +1100

Howdy,

I also just received a file called AJPIIDAJ.EXE.
It's 23,040 bytes in size - larger than what Peter Harkins was sent (20,340
- maybe a typo?)

Notice the name of the guy's box that sent it....

--------------------------
X-Persona: <gilbert.a_at_neo>
Received: from hacker (ppp-171-74.30-151.libero.it [151.30.74.171])
          by xticket (2.5 Build 2640 (Berkeley 8.8.6)/8.8.4) with SMTP
          id IAA00042 for <gilbert.a_at_neo.net.au>; Sat, 03 Feb 2001 08:01:46 -0800
Date: Sat, 03 Feb 2001 08:01:46 -0800
Message-Id: <200102031601.IAA00042_at_xticket>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--VEJS9Q7KLYBGHYBK5"

Attachment Converted: "c:\temp\AJPIIDAJ.EXE"

--------------------------
Content-Type: multipart/mixed; boundary=" ^èÓ èÝ OO¸"
 «OèÉ ‹$…ÀuPè1 Content-Type: text/plain; charset="us-ascii"

 ^è} ‹t$èt f¸
f«èr è/ Content-Type: application/octet-stream; name=" ^è/ ‹t$Æ ø
è  èR "
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="
--------------------------

Also found these straight from the binary:

MIME-Version: 1.0
RCPT TO:
.EXE
KIEBGFCO HYBRIS
h32.DhWS2_T
RSET
smtp
354
250
http
GetModuleHandleA KERNEL32.dll
INI hNIT.hWINIT

"Jay D. Dyson" <jdyson_at_TREACHERY.NET> also found the smtp mailing feature.

Looks more like a worm than a trojan. I'm guessing it was a .vbs file
compiled into an .exe, which does the same thing but is used for non-Microsoft
email programs which don't support .vbs extensions.

If anyone would like a copy for further analysis, it's up at

http://www.neo.net.au/ajpiidaj.exe

After writing this, I just found the correct link to F-Secure describing the
worm.
http://www.europe.f-secure.com/v-descs/hybris.shtml

Regards,

Gilbert Alaverdian
Senior Security Consultant
Neo Corporation Pty Limited
http://www.neo.net.au
Received on Feb 04 2001
