Full Disclosure mailing list archives

Re: Any idea about that?


From: James Woodcock <spamtrap2 () austarnet com au>
Date: Fri, 10 Sep 2004 12:19:53 +1000


Syed Imran Ali wrote:

> I received this file through email (Yahoo) nothing was detected from
> Yahoo or NAV 2003. According to my understanding this is some kind of
> worm or irc-bot. I found this file making connections on port 6667
> 6660 and opening major important ports on the infected PC.


The zip file contains a file called sexygirl.exe. It's actually just an HTML document that gives a download link for another file called "sexygirl.exe" from www.pcpages.com/imbonga/

On Mozilla 1.7, I still needed to click on the link to start the download, but there is this JavaScript in there that might do something under the right conditions?

> document.write("<A HREF='http://banner2.inet-traffic.com/oasisc.php?s=3&w=300&h=60&cb=" + spreeaddatestr + "'>")
> document.write("<IMG SRC='http://banner2.inet-traffic.com/oasisi.php?s=3&w=300&h=60&cb=" + spreeaddatestr + "?' WIDTH=468 HEIGHT=60 BORDER=0 ALT='Click Here'></A>")


The spreeaddatestr is clear enough (a set of time values, for tracking the spread?), but what oasisc.php is doing with those values, who knows?

Anyway, I sent the second sexygirl.exe file off to VirusTotal and here are the results:

Scan results from VirusTotal
 File: sexygirl2.exe
 Date: 09/10/2004 03:38:33
----
BitDefender     7.0/20040909            found [Backdoor.SDBot.Gen]
NOD32v2         1.867/20040909          found [prob. unknown NewHeur_PE]
Norman          5.70.10/20040909        found [W32/Backdoor]
Panda           7.02.00/20040909        found [W32/Gaobot.gen.worm]
Sybari          7.5.1314/20040910       found [Win32/IRCBot.Variant]
McAfee          4390/20040908           found nothing
Symantec        8.0/20040909            found nothing
TrendMicro      7.000/20040908          found nothing
ClamWin         devel-20040822/20040908 found nothing

That's the nasty one.

James

--
This isn't life in the fast lane, this is life in the oncoming traffic!
                                        ...Terry Pratchett

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
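The lure in this thread is an HTML document shipped inside a zip under an ".exe" name, with a link to the real binary elsewhere. The following Python is an added example, not code from the post or from any of the products in the VirusTotal listing: it opens a zip in memory, classifies each member by its leading bytes instead of its extension, flags an "executable" that is not a PE, and pulls out any URLs the content carries. The zip, the HTML body and the stand-in PE header are all constructed here; the two URLs inside the HTML are the ones quoted in the post.

```python
"""Added example: triage a zip attachment whose ".exe" member is really HTML.

Not code from the original post. The sample zip and HTML are constructed here
to mirror the lure described above (an HTML page named sexygirl.exe that links
to a second download); the URLs are the ones quoted in the post.
"""
import io
import os
import re
import zipfile

# Anything that looks like an absolute http(s) URL, stopped at quotes/whitespace.
URL_RE = re.compile(rb"https?://[^\s'\"<>()]+", re.IGNORECASE)

# Extensions that should carry a native Windows executable (PE 'MZ' header).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".dll"}

# Constructed lure, not the real file: an HTML document saved as sexygirl.exe.
LURE_HTML = b"""<html><body>
<a href="http://www.pcpages.com/imbonga/sexygirl.exe">sexygirl.exe</a>
<script>
var spreeaddatestr = new Date().getTime();
document.write("<A HREF='http://banner2.inet-traffic.com/oasisc.php?s=3&w=300&h=60&cb=" + spreeaddatestr + "'>");
</script>
</body></html>
"""

# Constructed stand-in for a genuine PE: only the 'MZ' magic matters here.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60


def sniff_type(data: bytes) -> str:
    """Classify a member by its leading bytes rather than by its file name."""
    head = data[:1024]
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    lowered = head.lstrip().lower()
    if (lowered.startswith(b"<!doctype html") or lowered.startswith(b"<html")
            or b"<script" in lowered or b"<a href" in lowered):
        return "html"
    return "unknown"


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one record per member: declared extension, sniffed type,
    whether the two disagree, and any URLs embedded in the content."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()
            kind = sniff_type(data)
            results.append({
                "name": info.filename,
                "ext": ext,
                "sniffed": kind,
                # An .exe that is not a PE is the dropper-style lure seen in the thread.
                "mismatch": ext in EXECUTABLE_EXTS and kind != "pe",
                "urls": sorted(u.decode("latin-1") for u in set(URL_RE.findall(data))),
            })
    return results


def build_sample_zip() -> bytes:
    """Build the constructed attachment in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sexygirl.exe", LURE_HTML)   # HTML wearing an .exe name
        zf.writestr("installer.exe", FAKE_PE)    # control: header says PE
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_zip(build_sample_zip()):
        flag = "MISMATCH" if rec["mismatch"] else "ok"
        print(f"{rec['name']:<16} {rec['ext']:<5} {rec['sniffed']:<8} {flag}")
        for url in rec["urls"]:
            print(f"    url: {url}")
```

The sniffing is deliberately shallow (magic bytes and a few HTML markers in the first kilobyte); the point is that the extension is never trusted on its own. The extracted URLs are what you would feed to the next step, fetching the second-stage file in a sandbox or submitting it for scanning, as the poster did.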
