Full Disclosure mailing list archives
RE: New virus?
From: "Todd Towles" <toddtowles () brookshires com>
Date: Mon, 27 Sep 2004 15:22:43 -0500
Looks like WINKERNEL132.EXE is the dropper file. The server that is offering those files is pretty tight, but the Apache isn't set up correctly. You can get any file... including the passwd file. Nessus reported this, don't have time to find out... just FYI.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of the rxmr
Sent: Monday, September 27, 2004 2:14 PM
To: Bernardo Santos Wernesback
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] New virus?

----- Original Message -----
From: Bernardo Santos Wernesback <bernardo () ish com br>
Date: Mon, 27 Sep 2004 14:44:58 -0300
Subject: [Full-disclosure] New virus?
To: full-disclosure () lists netsys com

Hi everyone,

Has anyone seen a lot of HTTP activity to a certain site: http://www.fotosgratis.pop.com.br ?

One of our clients has several machines making tons of requests for TXT files on that server:

botao.txt
mswinsck.txt
ita01.txt
caixa01.txt
teclado07.txt
caixa01.txt
caixa02.txt
caixa03.txt
caixa04.txt
caixa05.txt

Thanks for any info.,

_____________________________________________________
Bernardo Santos Wernesback
ESSE,ESS,SCSE,CCNA/DA, CCSA,CQS,MCP
Consultant / ISH Tecnologia
Phone: +55-27-3334-8900
Mobile: +55-27-8111-0884
Email: bernardo () ish com br
PGP Fingerprint: 6A42 3701 70D7 FD0F 5FA9 D232 CDD4 6189 EF43 95F5

This should answer your questions. It is a trojan - TROJ_BANCOS.BW or a variant.
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_BANCOS.BW
From the page:
" Description: This Trojan attempts to download the following image files in the folder %Windows%\inf:
* botao.bmp
* caixa01.jpg
* caixa02.jpg
* caixa04.jpg
* caixa05.jpg
* ita01.jpg
* teclado_05.jpg
* teclado_07.jpg
* teclado_gere03.jpg
* teclado_gere04.jpg
* teclado_gere05.jpg
* teclado_gere06.jpg "

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
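The thread's actionable detail for a defender is the pattern Bernardo describes: many internal machines repeatedly fetching a fixed set of TXT files from one host. The script below is an added example by the editor, not code from any poster in the thread. It assumes the affected site has a web proxy writing Apache "combined" format logs (the thread does not say what logging was available, so that is an assumption), and it runs over constructed sample lines, flagging each client that requested the host and file names quoted above.

```python
"""Flag internal clients fetching the TXT files named in the thread.

Added example, not from the mailing-list post. Assumes a proxy log in
Apache "combined" format (an assumption; the thread names no log source).
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Indicators taken from Bernardo's message: the host and the TXT file names.
SUSPECT_HOST = "www.fotosgratis.pop.com.br"
SUSPECT_FILES = {
    "botao.txt", "mswinsck.txt", "ita01.txt", "caixa01.txt", "teclado07.txt",
    "caixa02.txt", "caixa03.txt", "caixa04.txt", "caixa05.txt",
}

# Apache combined format: client ident user [time] "METHOD URL PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def requested_file(url):
    """Last path component of the URL, lower-cased for case-insensitive matching."""
    return urlsplit(url).path.rsplit("/", 1)[-1].lower()


def is_suspect(fields):
    """True when the request targets the suspect host and one of the listed TXT files."""
    host = urlsplit(fields["url"]).hostname or ""
    return host.lower() == SUSPECT_HOST and requested_file(fields["url"]) in SUSPECT_FILES


def summarize(lines):
    """Count suspect requests per client and record which files each client asked for."""
    hits = Counter()
    files = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f is None or not is_suspect(f):
            continue  # unparsable line or unrelated traffic
        hits[f["client"]] += 1
        files[f["client"]].add(requested_file(f["url"]))
    return {c: {"requests": n, "files": sorted(files[c])} for c, n in hits.items()}


# Constructed sample log lines (not real traffic), in Apache combined format.
SAMPLE_LOG = """\
10.1.2.33 - - [27/Sep/2004:14:01:12 -0300] "GET http://www.fotosgratis.pop.com.br/botao.txt HTTP/1.0" 200 4130 "-" "Mozilla/4.0"
10.1.2.33 - - [27/Sep/2004:14:01:13 -0300] "GET http://www.fotosgratis.pop.com.br/caixa01.txt HTTP/1.0" 200 9821 "-" "Mozilla/4.0"
10.1.2.33 - - [27/Sep/2004:14:01:13 -0300] "GET http://www.fotosgratis.pop.com.br/caixa01.txt HTTP/1.0" 200 9821 "-" "Mozilla/4.0"
10.1.2.40 - - [27/Sep/2004:14:02:50 -0300] "GET http://www.fotosgratis.pop.com.br/index.html HTTP/1.0" 200 1200 "-" "Mozilla/4.0"
10.1.2.41 - - [27/Sep/2004:14:03:01 -0300] "GET http://www.fotosgratis.pop.com.br/TECLADO07.TXT HTTP/1.0" 200 7700 "-" "Mozilla/4.0"
10.1.2.42 - - [27/Sep/2004:14:03:05 -0300] "GET http://www.example.com/caixa01.txt HTTP/1.0" 404 300 "-" "Mozilla/4.0"
this line is garbage and should be skipped
""".splitlines()

if __name__ == "__main__":
    for client, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client}: {info['requests']} request(s) for {', '.join(info['files'])}")
```

Matching is done on both the host and the file name rather than on the file name alone, since names like caixa01.txt are generic enough to appear on unrelated sites; the per-client count is what separates one stray fetch from the repeated polling Bernardo observed.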