RE: [Full-Disclosure] Backdoor not recognized by Kaspersky
- To: "'Kristian Hermansen'" <khermansen@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Backdoor not recognized by Kaspersky
- From: "Larry Seltzer" <larry@xxxxxxxxxxxxxxxx>
- Date: Wed, 3 Mar 2004 06:10:01 -0500
>>Attached backdoor not recognized by Kaspersky or Norton 2004?
It's Bagle/Beagle.J. The problem is that the file is password-protected, so it's not obvious how a scanner will get it until it's opened. Notice that the e-mail includes the password ("65316"). In fact Norton finds it when the ZIP is opened and the extracted file hits the file system.
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
larryseltzer@xxxxxxxxxxxxx
-----Original Message-----
From: full-disclosure-admin@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Kristian Hermansen
Sent: Tuesday, March 02, 2004 5:34 PM
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky
Attached backdoor not recognized by Kaspersky or Norton 2004? I received this file recently, but Kaspersky did not detect malicious code. Wondering if any of you guys know about it or have analyzed it before? It is definitely NOT a text document. I opened it up with WinHex and see the file "yfivyjmg.exe" in there towards the beginning. Looks to be a packed exe within, and the first few bytes are:
504B03040A0001000000C07E62309FE242510C300000003000000C00000079666976796A6D67
2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE712E68000E55E
E8A39241
Last few bytes are:
E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EAE0D2BA2A6EF
88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309FE242510C30
0000003000000C000000000000000100200000000000000079666976796A6D672E657865504B
050600000000010001003A000000363000000000
I am reluctant to open the zip right now, as I fear it may be exploiting an overflow to run the EXE file within. I may try to open it on a virtual machine later, but if you guys do know anything about this one please let me know. It's nice and small too (12 KB)! Wonder if the guy wrote it himself. Of course, the IP address is spoofed to a University of Chicago machine. Is it even possible to trace back? I still have the full headers, but they looked nicely stripped to the gills. I have been receiving elevated attacks via email over the last few days, so maybe it is some guy on this list trying to get me ;-) One previous email stated that it was the FBI and to call a number listed in the email. This was most likely an attempt to get the number I was calling from. This guy thinks he's smooth...
Kristian Hermansen
khermansen@xxxxxxxxxxxxxxxxx
-----Original Message-----
From: management@xxxxxxxxxxxx [mailto:management@{blankedout}.com]
Sent: Tuesday, March 02, 2004 5:03 PM
To: webmaster@{blankedout}.com
Subject: E-mail account security warning.
Dear user of {blankedout}.com gateway e-mail server,
Your e-mail account has been temporary disabled because of unauthorized access.
For details see the attached file.
For security purposes the attached file is password protected. Password is
"65316".
Best wishes,
The {blankedout}.com team http://www.{blankedout}.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
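The following is an added example and is not part of the thread above: a Python triage script that reads the bytes Kristian posted (HEAD_HEX and TAIL_HEX are copied from his dump) and shows what a scanner can learn from a password-protected ZIP without the password, which is the point Larry makes. In a traditionally encrypted ZIP the local file header and the end-of-central-directory record are cleartext, so the entry name, the encryption flag, the compression method and the sizes are all visible; and since the lure mail hands over the password, a gateway could test it against the 12-byte encryption header alone, using the PKZIP key schedule, before ever extracting the file. Function names such as triage and password_matches_header are this example's own. The script prints the check-byte result for "65316" rather than asserting it, because that depends on the posted dump being a faithful copy of the attachment.

```python
# Added example (not from the thread): static triage of the posted ZIP bytes.
import struct

HEAD_HEX = (  # first 80 bytes exactly as posted above
    "504B03040A0001000000C07E62309FE242510C300000003000000C00000079666976796A6D67"
    "2E6578653A47705E116B1456E7F572AF21A99C0D52671B62085EC94DD8FDABE712E68000E55E"
    "E8A39241")
TAIL_HEX = (  # last 134 bytes exactly as posted above
    "E19F9DC6E1E9F0FAA7CD925D18C9104DCA9DF88955F8AEBD81D036BCB930889EAE0D2BA2A6EF"
    "88A334F8B3108A414B1C9D15AA883225504B010214000A0001000000C07E62309FE242510C30"
    "0000003000000C000000000000000100200000000000000079666976796A6D672E657865504B"
    "050600000000010001003A000000363000000000")
PASSWORD = b"65316"  # the password quoted in the lure e-mail body
LOCAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x05\x06"

def parse_local_header(data: bytes) -> dict:
    """Decode the 30-byte local file header at offset 0 plus the entry name."""
    if data[:4] != LOCAL_SIG:
        raise ValueError("no local file header at offset 0")
    (_ver, flags, method, mtime, _mdate, crc, csize, usize,
     name_len, extra_len) = struct.unpack("<HHHHHIIIHH", data[4:30])
    return {"name": data[30:30 + name_len].decode("cp437"), "flags": flags,
            "encrypted": bool(flags & 1),  # bit 0: traditional PKZIP encryption
            "method": method,              # 0 = stored, 8 = deflate
            "mtime": mtime, "crc": crc, "compressed_size": csize,
            "uncompressed_size": usize, "data_offset": 30 + name_len + extra_len}

def parse_eocd(data: bytes) -> dict:
    """Decode the End Of Central Directory record in the trailing bytes."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("EOCD record not found")
    (_disk, _cd_disk, _here, entries, cd_size, cd_offset,
     comment_len) = struct.unpack("<HHHHIIH", data[pos + 4:pos + 22])
    return {"entries": entries, "cd_size": cd_size, "cd_offset": cd_offset,
            "archive_size": cd_offset + cd_size + 22 + comment_len}

def triage(head_hex: str, tail_hex: str) -> dict:
    """Everything a gateway can say about the archive without the password."""
    info = parse_local_header(bytes.fromhex(head_hex))
    info.update(parse_eocd(bytes.fromhex(tail_hex)))
    # Stored + encrypted: the only overhead is the 12-byte encryption header.
    info["stored_encrypted"] = (info["encrypted"] and info["method"] == 0 and
                                info["compressed_size"] == info["uncompressed_size"] + 12)
    # An executable inside an archive the scanner cannot open: flag it anyway.
    info["suspicious"] = info["encrypted"] and info["name"].lower().endswith(
        (".exe", ".scr", ".pif", ".com", ".bat"))
    return info

def _crc_table() -> list:
    table = []
    for n in range(256):
        for _ in range(8):
            n = (n >> 1) ^ 0xEDB88320 if n & 1 else n >> 1
        table.append(n)
    return table

_CRCTAB = _crc_table()

class TraditionalPkzipCipher:
    """PKWARE 'traditional' stream cipher, as described in APPNOTE.TXT."""
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)
    def _update(self, b: int) -> None:  # key schedule step on one plaintext byte
        self.k0 = _CRCTAB[(self.k0 ^ b) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _CRCTAB[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)
    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = (self.k2 | 2) & 0xFFFF
            p = c ^ (((t * (t ^ 1)) >> 8) & 0xFF)
            self._update(p)
            out.append(p)
        return bytes(out)

def password_matches_header(info: dict, data: bytes, password: bytes) -> bool:
    """Check a candidate password against the 12-byte encryption header only.
    The last decrypted header byte must equal the high byte of the CRC (of the
    mod time when flag bit 3 is set).  A wrong password still passes 1 time in
    256, so a hit means 'worth trying', not proof."""
    start = info["data_offset"]
    plain = TraditionalPkzipCipher(password).decrypt(data[start:start + 12])
    expect = info["mtime"] >> 8 if info["flags"] & 0x0008 else info["crc"] >> 24
    return plain[11] == (expect & 0xFF)

if __name__ == "__main__":
    facts = triage(HEAD_HEX, TAIL_HEX)
    for key, value in facts.items():
        print(f"{key}: {value}")
    print("lure password matches check byte:",
          password_matches_header(facts, bytes.fromhex(HEAD_HEX), PASSWORD))
```

Run on the posted bytes, the parser reports a stored, encrypted entry named yfivyjmg.exe of 12288 bytes (compressed size 12300, i.e. plus the 12-byte encryption header), one central-directory entry at offset 12342 = 30 + 12 + 12300, and a total archive size of 12422 bytes, which agrees with the 12 KB mentioned in the post, so the two fragments are consistent with each other. None of that needed the password; the encrypted flag together with an .exe entry name is enough for a gateway to quarantine the mail, and the password quoted in the body can be screened against the header before any extraction.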