[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Sears Scam Trojan Code

To: segfault <segfault@nycap.rr.com>
Subject: Re: [Full-Disclosure] Sears Scam Trojan Code
From: Jarkko Turkulainen <jt@klake.org>
Date: Fri, 26 Dec 2003 11:30:51 +0200 (EET)

Some more information:

1) When the program is run, it install itself in registry for startup

2) It binds itself a _random_ listen TCP port and starts a proxy service.
The proxy code seems like a "normal" TCP connection forwarder, but I'm not
100% sure yet.

3) It sends the proxy port periodically, every 30 secs to cjdra.com with
the following url: http://cjdra.com/sd/PORT where PORT is the listening
port encoded as follows: for each port digit, do 46h + (39h - port), for
example: 1234 is NMLK. Probably the server is supposed to build some
database of the port/host information.

4) If the response HTTP page contains an ASCII string "upf:FILENAME"
somewhere, the program tries to fetch a file http://cjdra.com/FILENAME
and run it.



Regards,

--
Jarkko Turkulainen <jt@klake.org>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Sears Scam Trojan Code
  - From: "segfault" <segfault@nycap.rr.com>

Prev by Date: Re: [Full-Disclosure] Bugtraq Security Systems XMAS Advisory 0001
Next by Date: Re: [Full-Disclosure] Bugtraq Security Systems XMAS Advisory 0001
Previous by thread: Re: [Full-Disclosure] Sears Scam Trojan Code
Next by thread: [Full-Disclosure] Winnie The Pooh Hacking Squadron Presents: 0day 31337 vulnerability in indent 2.2.9
Index(es):
- Date
- Thread