To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

FYI.

- ferg

[forwarded message]

Date: Sat, 24 Nov 2007 23:17:32 -0500
From: jayjwa <[EMAIL PROTECTED]>
To: Dshield Mail List <[EMAIL PROTECTED]>

(Possibly) new trojans.

These came from a link spammed out in email that ended up in my Hotmail
inbox. The files are Win32 PEs, with some interesting strings embedded in
them. One of the files appears to be a server of some sort with SMTP
ability. There's also a lot of calls to graphics routines, so maybe one of
the files is a client or user interface of some type. Written in Delphi,
downloaded from suspiroamor.land.ru, root directory.

amor.com: The only file linked in the email. Probably downloads/exec others.
Interesting strings:

taskkill -f /im gbpsv.exe
C:\Arquivos de programas\GbPlugin\gbieh.dll
C:\Arquivos de programas\GbPlugin\gbieh.gmd
C:\windows\Crime.exe
C:\WINDOWS\system32\WormList.exe
URLDownloadToFileA
shell32.dll
ShellExecuteA

derby.com: Referenced in the above file.

javas.com: Same. Contains an email template, lots of calls to Winsock.
Interesting hardcoded strings:

msnlist.txt
[EMAIL PROTECTED]
Lista MSN (
gsmtp185.google.com
hsResolving
hsConnecting
hsConnected
hsDisconnecting
hsDisconnected
hsStatusText
ftpTransfer
ftpReady
ftpAborted
IdComponent
TIdStatusEvent
ASender
Indy 9.00.10
X-Library

* About to connect() to suspiroamor.land.ru port 80 (#0)
* Trying 82.204.219.223... connected
* Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
> GET /javas.com HTTP/1.1
> User-Agent: from Russia with love?
> Host: suspiroamor.land.ru
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/0.5.31
< Date: Sun, 25 Nov 2007 03:09:45 GMT
< Content-Type: application/octet-stream
< Content-Length: 523264
< Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
< Connection: keep-alive
< Accept-Ranges: bytes
<
{ [data not shown]

The signature/data files are a bit old (Nov. 9) but F-prot had this to say:

amor.com  Infection: Possibly a new variant of W32/NewMalware-LSU-based!Maximus

Available as downloaded above, or local copies together in a zip for anyone
that wants to look at them:
https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip

Useful tool to examine binaries: http://hte.sourceforge.net/

[end]

-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets