Full Disclosure mailing list archives
RE: http://federalpolice.com:article872@1075686747
From: "Remko Lodder" <remko () elvandar org>
Date: Mon, 16 Feb 2004 01:14:27 +0100
Hi,
Just wanted to reply on this
my Mailscanner reported this:
Our content checker found
virus: TrojanSpy.Agent.D
in an email to you from:
stating this from the message Nicola send.
I think that could give some more info.
Anyways. My AV scanner is ClamAV.
Cheers.
--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the
hackerscene
mrtg.grunn.org Dutch mirror of MRTG
-----Oorspronkelijk bericht-----
Van: full-disclosure-bounces () lists elvandar org
[mailto:full-disclosure-bounces () lists elvandar org]Namens Erik van
Straten
Verzonden: zondag 15 februari 2004 23:40
Aan: Nicola Fankhauser
CC: full-disclosure () lists netsys com
Onderwerp: Re: [Full-Disclosure]
http://federalpolice.com:article872@1075686747
Hi Nicola,
It's not a zip file, not an applet, but a plain EXE file. Seems
compressed somehow, no time to figure it out now. Dunno why Mozilla
runs this (I don't like it).
If something showed up in your status bar, you should definitely assume
your box was compromised.
Take care out there,
Erik
On Sun, 15 Feb 2004 20:20:11 +0100 Nicola Fankhauser wrote:
hi jedi On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:This is equivalent to http://64.29.173.91/ok, and the html of the index page is as following: <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff> <h2>SERVER ERROR 550</h2> <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1
HEIGHT=1></applet></body></html>
now, the "SERVER ERROR 550" is clearly a fake - the java applet below just starts fine. strangely, the 'javautil.zip' is not a valid zip-file, yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :) happily start the applet without any hickups or exceptions and mozilla states 'Applet BlackBox started' in the status bar. is there anybody knowledgable interested in un-zipping, de-compiling and analysing this surely malicious applet? I would like to know what mozilla just executed on my behalf there... :( FYI, the file 'javautil.zip' attached is directly taken from the site mentioned above. regards nicola
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-disclosure mailing list Full-disclosure () lists elvandar org http://lists.elvandar.org/mailman/listinfo/full-disclosure _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: http://federalpolice.com:article872@1075686747 n . teusink (Feb 15)
- RE: Re: http://federalpolice.com:article872@1075686747 Aditya, ALD [Aditya Lalit Deshmukh] (Feb 16)
- <Possible follow-ups>
- RE: http://federalpolice.com:article872@1075686747 Remko Lodder (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 first last (Feb 15)
- RE:http://federalpolice.com:article872@1075686747 Tom Koehler (Feb 16)
- Re: http://federalpolice.com:article872@1075686747 n . teusink (Feb 16)
- Re: http://federalpolice.com:article872@1075686747 madsaxon (Feb 16)
- RE: Re: http://federalpolice.com:article872@1075686747 Nick Jacobsen (Feb 16)
