
RE: [Full-Disclosure] Backdoor not recognized by Kaspersky

VirusScreen ASaP detected a virus in an attachment sent to you by "Kristian
Hermansen" <khermansen@xxxxxxxxxxxxxxxxx>. The file has been processed with
the following result:


G.Paul Niranjan Babu

-----Original Message-----
From: full-disclosure-admin@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On Behalf Of Kristian
Sent: Wednesday, March 03, 2004 4:04 AM
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] Backdoor not recognized by Kaspersky

Attached backdoor not recognized by Kaspersky or Norton 2004?  I received
this file recently, but Kaspersky did not detect malicious code.  Wondering
if any of you guys know about it or have analyzed it before?  It is
definitely NOT a text document.  I opened it up with WinHex and see the file
"yfivyjmg.exe" in there towards the beginning.  Looks to be a packed exe
within, and first few bytes are:


Last few bytes are:


I am reluctant to open the zip right now, as I fear it may be exploiting an
overflow to run the EXE file within.  I may try to open it on a virtual
machine later, but if you guys do know anything about this one please let me
know.  It's nice and small too (12 KB)!  Wonder if the guy wrote it himself.
Of course, the IP address is spoofed to a University of Chicago machine.  Is
it even possible to trace back?  I still have the full headers, but they
looked nicely stripped to the gills.  I have been receiving elevated attacks
via email over the last few days, so maybe it is some guy on this list
trying to get me ;-)  One previous email stated that it was the FBI and to
call a number listed in the email.  This was most likely an attempt to get
the number I was calling from.  This guy thinks he's smooth...

Kristian Hermansen

-----Original Message-----
From: management@xxxxxxxxxxxx [mailto:management@{blankedout}.com] 
Sent: Tuesday, March 02, 2004 5:03 PM
To: webmaster@{blankedout}.com
Subject: E-mail account security warning.

Dear user of {blankedout}.com gateway e-mail server,

Your e-mail account has been temporary disabled because of unauthorized

For details see the attached file.

For security purposes the attached file is password protected. Password
is "65316".

Best wishes,
    The {blankedout}.com team                               http://www.

<<attachment: winmail.dat>>
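What Kristian did by hand in WinHex, reading the member name out of the ZIP container without extracting it, can be done safely from the local file headers alone. The following is an added example, not code from the thread: it walks the 30-byte local headers, flags members marked password protected (general-purpose bit 0) and members with executable extensions, and never touches the payload. `build_sample_zip` is a constructed fixture whose only purpose is to produce a container carrying a name like the `yfivyjmg.exe` seen above; it does not perform real ZIP encryption.

```python
import struct
import zlib

# Extensions that should never arrive inside an unsolicited "security warning" ZIP.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
LOCAL_SIG = 0x04034B50
ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: traditional PKWARE password protection

def walk_local_headers(data: bytes) -> list[dict]:
    """Walk the local file headers of a ZIP without extracting anything.

    This mirrors what WinHex shows: each member's name sits right after a
    30-byte header near the start of the file. Encrypted members are recognised
    from the flag word alone, so no password is needed for triage.
    """
    members, pos = [], 0
    while pos + 30 <= len(data):
        (sig, _ver, flags, method, _t, _d, _crc, csize, usize,
         nlen, xlen) = struct.unpack_from("<IHHHHHIIIHH", data, pos)
        if sig != LOCAL_SIG:
            break  # reached the central directory (or junk)
        name = data[pos + 30:pos + 30 + nlen].decode("cp437", "replace")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        members.append({"name": name, "encrypted": bool(flags & ENCRYPTED_FLAG),
                        "executable": ext in EXECUTABLE_EXTS, "stored": method == 0,
                        "size": usize})
        pos += 30 + nlen + xlen + csize  # skip the (possibly encrypted) payload
    return members

def is_suspicious(data: bytes) -> bool:
    """True when a ZIP carries an executable member, encrypted or not."""
    return data[:4] == b"PK\x03\x04" and any(m["executable"] for m in walk_local_headers(data))

def build_sample_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed test fixture: one stored member, optionally flagged as encrypted.

    The payload is written as-is (no real encryption) because the walker never reads it.
    """
    flags = ENCRYPTED_FLAG if encrypted else 0
    n = name.encode("cp437")
    crc = zlib.crc32(payload)
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, 0, 0, 0, crc,
                        len(payload), len(payload), len(n), 0) + n + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(payload), len(payload), len(n), 0, 0, 0, 0, 0, 0) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd
```

Because only header metadata is read, the check works on a password-protected archive like the one in the lure, which is exactly the case where mail gateways that try to scan member contents give up.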