RE: [Full-Disclosure] Backdoor not recognized by Kaspersky
- To: "Kristian Hermansen" <khermansen@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky
- From: "ajrarn" <ajrarn1@xxxxxxxxxxx>
- Date: Wed, 3 Mar 2004 12:00:53 +0100
It's a worm, detected by OfficeScan (pattern 697) as Bagle.J.
Regards. Yoran
| -----Original Message-----
| From: full-disclosure-admin@xxxxxxxxxxxxxxxx
| [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On behalf of Kristian Hermansen
| Sent: Tuesday, March 2, 2004 23:34
| To: full-disclosure@xxxxxxxxxxxxxxxx
| Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky
|
|
| Attached backdoor not recognized by Kaspersky or Norton 2004? I received
| this file recently, but Kaspersky did not detect malicious code. Wondering
| if any of you guys know about it or have analyzed it before? It is
| definitely NOT a text document. I opened it up with WinHex and see the file
| "yfivyjmg.exe" in there towards the beginning. Looks to be a packed exe
| within, and the first few bytes are:
|
| 504B03040A0001000000C07E62309FE242510C300000003000000C0000007966
| 6976796A6D672E6578653A47705E116B1456E7F572AF21A99C0D52671B62085E
| C94DD8FDABE712E68000E55EE8A39241
|
| The last few bytes are:
|
| E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889E
| AE0D2BA2A6EF88A334F8B3108A414B1C9D15AA883225504B010214000A000100
| 0000C07E62309FE242510C300000003000000C00000000000000010020000000
| 0000000079666976796A6D672E657865504B050600000000010001003A000000
| 363000000000
|
| I am reluctant to open the zip right now, as I fear it may be exploiting an
| overflow to run the EXE file within. I may try to open it on a virtual
| machine later, but if you guys do know anything about this one please let me
| know. It's nice and small too (12 KB)! Wonder if the guy wrote it himself.
| Of course, the IP address is spoofed to a University of Chicago machine. Is
| it even possible to trace back? I still have the full headers, but they
| looked nicely stripped to the gills. I have been receiving elevated attacks
| via email over the last few days, so maybe it is some guy on this list
| trying to get me ;-) One previous email stated that it was the FBI and to
| call a number listed in the email. This was most likely an attempt to get
| the number I was calling from. This guy thinks he's smooth...
|
|
| Kristian Hermansen
| khermansen@xxxxxxxxxxxxxxxxx
|
| -----Original Message-----
| From: management@xxxxxxxxxxxx [mailto:management@{blankedout}.com]
| Sent: Tuesday, March 02, 2004 5:03 PM
| To: webmaster@{blankedout}.com
| Subject: E-mail account security warning.
|
| Dear user of {blankedout}.com gateway e-mail server,
|
| Your e-mail account has been temporarily disabled because of unauthorized
| access.
|
| For details see the attached file.
|
| For security purposes the attached file is password protected. Password
| is "65316".
|
| Best wishes,
| The {blankedout}.com team http://www.{blankedout}..com
|
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
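The two hex fragments Kristian pasted are enough to read the ZIP container's own bookkeeping without ever extracting the payload: the local file header sits in the first dump, and the central directory plus end-of-central-directory record sit in the last one. The script below is an added example, not code from the thread or from any of the vendors mentioned; it embeds the posted bytes verbatim (re-joined across the mail wrapping) and assumes nothing about the missing middle of the file, which it never needs. It decodes the entry name, the compression method, the encryption flag, the sizes, the DOS timestamp, and cross-checks that the local header, central directory and EOCD agree with each other and with the 12-byte ZipCrypto header that a traditionally encrypted entry carries.

```python
"""Parse the ZIP structure of a suspicious attachment from a partial hex dump.

Added example, not part of the original thread. It works only on the bytes the
original poster pasted (the start and the end of the file); the middle of the
archive is not on the page, so nothing here decrypts or extracts the payload.
"""
import struct

# Hex exactly as pasted in the thread, re-joined across the mail wrapping.
HEAD_HEX = (
    "504B03040A0001000000C07E62309FE242510C300000003000000C00000079666"
    "976796A6D67"
    "2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE71"
    "2E68000E55E"
    "E8A39241"
)
TAIL_HEX = (
    "E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EA"
    "E0D2BA2A6EF"
    "88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309"
    "FE242510C30"
    "0000003000000C000000000000000100200000000000000079666976796A6D672"
    "E657865504B"
    "050600000000010001003A000000363000000000"
)

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001      # general-purpose bit 0: traditional PKWARE encryption
ZIPCRYPTO_HEADER = 12        # bytes prepended to every ZipCrypto-encrypted entry
LOCAL_FIXED, CENTRAL_FIXED, EOCD_FIXED = 30, 46, 22


def dos_datetime(mdate, mtime):
    """Decode MS-DOS packed date/time fields into 'YYYY-MM-DD HH:MM:SS'."""
    year, month, day = (mdate >> 9) + 1980, (mdate >> 5) & 0xF, mdate & 0x1F
    hour, minute, sec = mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{sec:02d}"


def parse_local_header(buf):
    """Local file header (PK\\x03\\x04) at offset 0 of the archive."""
    if buf[:4] != LOCAL_SIG:
        raise ValueError("not a ZIP local file header")
    (_ver, flags, method, mtime, mdate, crc, csize, usize,
     nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", buf, 4)
    name = buf[LOCAL_FIXED:LOCAL_FIXED + nlen].decode("ascii", "replace")
    data = LOCAL_FIXED + nlen + xlen
    return {"name": name, "flags": flags, "method": method, "crc": crc,
            "csize": csize, "usize": usize, "data_offset": data,
            "mtime": dos_datetime(mdate, mtime),
            # for a ZipCrypto entry the first 12 data bytes are the encryption header
            "crypt_header": buf[data:data + ZIPCRYPTO_HEADER].hex().upper()}


def parse_central_dir(buf):
    """First central directory entry (PK\\x01\\x02) found in the tail bytes."""
    i = buf.find(CENTRAL_SIG)
    if i < 0:
        raise ValueError("no central directory entry in tail")
    (_made, _need, flags, method, _mt, _md, crc, csize, usize, nlen, xlen, clen,
     _disk, _iattr, eattr, offset) = struct.unpack_from("<HHHHHHIIIHHHHHII", buf, i + 4)
    name = buf[i + CENTRAL_FIXED:i + CENTRAL_FIXED + nlen].decode("ascii", "replace")
    return {"name": name, "flags": flags, "method": method, "crc": crc,
            "csize": csize, "usize": usize, "external_attr": eattr,
            "local_offset": offset, "entry_len": CENTRAL_FIXED + nlen + xlen + clen}


def parse_eocd(buf):
    """End of central directory record (PK\\x05\\x06), the last 22+ bytes."""
    i = buf.rfind(EOCD_SIG)
    if i < 0:
        raise ValueError("no end-of-central-directory record in tail")
    (_disk, _cd_disk, _n_disk, entries, cd_size, cd_offset,
     clen) = struct.unpack_from("<HHHHIIH", buf, i + 4)
    return {"entries": entries, "cd_size": cd_size, "cd_offset": cd_offset,
            "comment_len": clen,
            "file_size": cd_offset + cd_size + EOCD_FIXED + clen}


def assess(head_hex=HEAD_HEX, tail_hex=TAIL_HEX):
    """Cross-check local header, central directory and EOCD; summarise the entry."""
    lh = parse_local_header(bytes.fromhex(head_hex))
    tail = bytes.fromhex(tail_hex)
    cd, eocd = parse_central_dir(tail), parse_eocd(tail)
    encrypted = bool(lh["flags"] & FLAG_ENCRYPTED)
    # One entry at offset 0: the central directory must start right after
    # header + name + data, the EOCD must size it exactly, and a ZipCrypto
    # entry carries exactly 12 bytes more than its uncompressed size.
    consistent = (
        cd["name"] == lh["name"] and cd["crc"] == lh["crc"]
        and cd["local_offset"] == 0 and eocd["entries"] == 1
        and eocd["cd_offset"] == lh["data_offset"] + lh["csize"]
        and eocd["cd_size"] == cd["entry_len"]
        and (not encrypted or lh["csize"] == lh["usize"] + ZIPCRYPTO_HEADER)
    )
    return {"name": lh["name"], "encrypted": encrypted,
            "stored": lh["method"] == 0, "payload_bytes": lh["usize"],
            "archive_bytes": eocd["file_size"], "mtime": lh["mtime"],
            "crc32": f"{lh['crc']:08X}", "consistent": consistent}


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key:>14}: {value}")
```

Run against the posted bytes, the archive holds exactly one entry, yfivyjmg.exe, stored uncompressed (method 0) with general-purpose flag bit 0 set, i.e. traditional PKWARE/ZipCrypto encryption: a 12288-byte payload carried as 12300 encrypted bytes, in a 12422-byte archive (the "12 KB" in the mail), with a DOS timestamp of 2004-03-02 15:54:00, the day the phish was sent. All three structures agree, so the header fields themselves look like an ordinary archive rather than something malformed; what a scanner sees inside is ZipCrypto ciphertext unless it tries the password quoted in the mail body, which is why the archive, not the worm, was the reason for the miss.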