RE: [Full-Disclosure] Re: http://federalpolice.com:article872@1075686747

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukh_at_online.gateway.technolabs.net)
Date: 02/16/04

    To: <n.teusink@planet.nl>, <full-disclosure@lists.netsys.com>
    Date: Mon, 16 Feb 2004 09:22:51 +0530
    
    

    This is a keylogger that will mail out your interesting logs to some Russian address!
    So beware of this one.

    But what I couldn't understand is how this file is executed?

    -aditya

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of
    > n.teusink@planet.nl
    > Sent: Sunday, February 15, 2004 11:40 PM
    > To: full-disclosure@lists.netsys.com
    > Subject: [Full-Disclosure] Re:
    > http://federalpolice.com:article872@1075686747
    >
    >
    > From the source of that page:
    >
    > <APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1>
    >
    > BlackBox.class is detected immediately by my virusscanner as
    > ClassLoader/E, more
    > info:
    > http://www.viruslibrary.com/virusinfo/Trojan.Java.ClassLoader.htm
    >
    > The javautil.zip appears to be an exe file renamed to zip. The
    > exe is compressed with
    > FSG.
    >
    > Interesting pieces of output from strings on the decompressed exe:
    >
    >
    > ----------------------------------------------BEGIN
    > HookerDll.Dll
    > Install
    > Uninstall
    > EDIT
    > %s\%s
    > WVS3
    > \kgn.txt
    > Hooker.dll
    > Install
    > Uninstall
    > Westpac
    > bendigo
    > Bendigo
    > e-bendigo
    > e-Bendigo
    > commbank
    > Commonwealth
    > NetBank
    > Citibank
    > Bank of America
    > e-gold
    > e-bullion
    > e-Bullion
    > evocash
    > EVOCash
    > EVOcash
    > intgold
    > INTGold
    > paypal
    > PayPal
    > bankwest
    > Bank West
    > BankWest
    > National Internet Banking
    > cibc
    > CIBC
    > scotiabank
    > ScotiaBank
    > Scotia Bank
    > bank of montreal
    > Bank of Montreal
    > royalbank
    > Royal Bank
    > RoyalBank
    > tdwaterhouse
    > TD Canada Trust
    > TD Waterhouse
    > president's choice
    > President's Choice
    > President Choice
    > suncorpmetway
    > Suncorp
    > macquarie
    > Macquarie
    > INTgold
    > 1mdc
    > 1MDC
    > TD Waterhouse
    > goldmoney
    > GoldMoney
    > goldgrams
    > pecunix
    > Pecunix
    > Pecun!x
    > hyperwallet
    > HyperWallet
    > Wells Fargo
    > Bank One
    > Banesto
    > CAIXA
    > SunTrust
    > Sun Trust
    > Discover Card
    > Washington Mutual
    > Wachovia
    > desjardins
    > Chase
    > 0+060F0
    > 1$11161J1U1i1
    > 2.2I2\2
    > 3'3,3E3c3h3r3
    > 4%42484>4D4J4P4V4\4b4h4n4t4z4
    > DATA
    > EHLO localhost
    > Subject: KeyLog from (%s)
    > MAIL FROM:<pentasatan@mail.ru>
    > RCPT TO:<pentasatan@mail.ru>
    > SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    > open
    > pstorec.dll
    > PStoreCreateInstance
    > internet explorer
    > http://
    > wininetcachecredentials
    > Cookie:
    > ----------------------------------------------END
    >
    > I think you can draw your own conclusions about this file.
    >
    > Niels
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
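The triage Niels describes (notice that the "zip" is really an executable, run strings over it, and read off the SMTP exfiltration verbs, the Run-key path, the Protected Storage API and the bank trigger words) can be scripted so it is repeatable. The following is an added example and not code from either poster; it works on a constructed byte blob that stands in for javautil.zip, with a placeholder mailbox instead of the real drop address, and the indicator categories are my own choice of what to bucket.

```python
"""Triage an "archive" that may be a renamed Windows executable.

Checks the magic bytes, pulls printable runs the way `strings -n 4` does, and
buckets them by the behaviours a banking keylogger needs: SMTP exfiltration,
Run-key persistence, Protected Storage credential access, hook DLLs, and
bank / payment-site trigger words.
"""
import re
from typing import Dict, List

# Constructed sample standing in for javautil.zip: an MZ header followed by
# strings of the kinds listed in the post. Not the real file; the mailbox
# is a placeholder, not the address from the post.
SAMPLE_JAVAUTIL_ZIP = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    + b"This program cannot be run in DOS mode.\r\n\x00"
    + b"HookerDll.Dll\x00Install\x00Uninstall\x00%s\\%s\x00\\kgn.txt\x00Hooker.dll\x00"
    + b"Westpac\x00commbank\x00NetBank\x00Citibank\x00e-gold\x00PayPal\x00Wells Fargo\x00"
    + b"DATA\x00EHLO localhost\x00Subject: KeyLog from (%s)\x00"
    + b"MAIL FROM:<dropbox@example.invalid>\x00RCPT TO:<dropbox@example.invalid>\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00open\x00"
    + b"pstorec.dll\x00PStoreCreateInstance\x00internet explorer\x00http://\x00"
    + b"wininetcachecredentials\x00Cookie:\x00"
)


def file_kind(data: bytes) -> str:
    """Classify by magic bytes: a .zip that starts with MZ is a PE in disguise."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"):
        return "zip"
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Trigger words a banking trojan compares window titles / URLs against.
# Subset of the list in the post, lower-cased for matching.
BANK_TERMS = ("westpac", "bendigo", "commbank", "netbank", "citibank",
              "bank of america", "e-gold", "paypal", "wells fargo", "chase")

# Behaviour indicators (category -> regex applied to each extracted string).
INDICATORS = {
    "smtp_exfil": re.compile(r"^(EHLO |HELO |MAIL FROM:|RCPT TO:|Subject: KeyLog)", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run$", re.I),
    "protected_storage": re.compile(r"^(pstorec\.dll|PStoreCreateInstance)$", re.I),
    "hook_dll": re.compile(r"hook.*\.dll$", re.I),
}


def triage(data: bytes) -> Dict[str, object]:
    """Return the file kind, indicator hits per category, and a verdict."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    hits["bank_terms"] = []
    for s in extract_strings(data):
        for name, rx in INDICATORS.items():
            if rx.search(s):
                hits[name].append(s)
        if s.lower() in BANK_TERMS:
            hits["bank_terms"].append(s)
    kind = file_kind(data)
    # Verdict: a PE posing as an archive that both talks SMTP and watches
    # for bank names is worth treating as a banking keylogger.
    verdict = kind == "pe" and bool(hits["smtp_exfil"]) and bool(hits["bank_terms"])
    return {"kind": kind, "hits": hits, "looks_like_banking_keylogger": verdict}


if __name__ == "__main__":
    report = triage(SAMPLE_JAVAUTIL_ZIP)
    print("kind:", report["kind"])
    for category, found in report["hits"].items():
        print(f"{category}: {found}")
    print("banking keylogger?", report["looks_like_banking_keylogger"])
```

Run it against a real sample with `triage(open(path, "rb").read())`. Because the post says the executable is FSG-packed, the string scan only tells the full story on the unpacked image; on the packed file you would expect little beyond the MZ header to match, which is itself a useful signal that unpacking is needed before drawing conclusions.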
