To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FYI.
- - ferg
[forwarded message[
Date: Sat, 24 Nov 2007 23:17:32 -0500
From: jayjwa <[EMAIL PROTECTED]>
To: Dshield Mail List <[EMAIL PROTECTED]>
(Possibly) new trojans. These came from a link spammed out in email
that ended up in my Hotmail inbox. The files are win32 PE's, with some
interesting strings embedded in them. One of the files appears to be a
server of some sort with smtp ability. There's also alot of calls to
graphics routines, so maybe one of the files is a client or user
interface of some type. Written in Delphi, downloaded from
suspiroamor.land.ru, root directory.
amor.com: The only file linked in the email. Probably downloads/exec
others.
Interesting strings:
taskkill -f /im gbpsv.exe
C:\Arquivos de programas\GbPlugin\gbieh.dll
C:\Arquivos de programas\GbPlugin\gbieh.gmd
C:\windows\Crime.exe
C:\WINDOWS\system32\WormList.exe
URLDownloadToFileA
shell32.dll
ShellExecuteA
derby.com: Referenced in the above file.
javas.com: Same. Contains an email template, lots of calls to Winsock.
Interesting hardcoded strings:
msnlist.txt
[EMAIL PROTECTED]
Lista MSN (
gsmtp185.google.com
hsResolving
hsConnecting
hsConnected
hsDisconnecting
hsDisconnected
hsStatusText
ftpTransfer
ftpReady
ftpAborted
IdComponent
TIdStatusEvent
ASender
Indy 9.00.10
X-Library
* About to connect() to suspiroamor.land.ru port 80 (#0)
* Trying 82.204.219.223... connected
* Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
> GET /javas.com HTTP/1.1
> User-Agent: from Russia with love?
> Host: suspiroamor.land.ru
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/0.5.31
< Date: Sun, 25 Nov 2007 03:09:45 GMT
< Content-Type: application/octet-stream
< Content-Length: 523264
< Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
< Connection: keep-alive
< Accept-Ranges: bytes
<
{ [data not shown]
The signature/data files are a bit old (Nov. 9) but F-prot had this to say:
amor.com Infection: Possibly a new variant of
W32/NewMalware-LSU-based!Maximus
Available as downloaded above, or local copies together in a zip for
anyone that wants to look at them:
https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspi
roamor-land-ru-trojan.zip
Useful tool to examine binaries:
http://hte.sourceforge.net/
_________________________________________
SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
SANS top instructors. http://www.sans.org/info/9346
[end]
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)
wj8DBQFHSQItq1pz9mNUZTMRArBiAKDhPOCDlh865OKNmWKoJ31HxpkP4ACgwERp
ClmmyWOq7b4jtO8GaqG2OrI=
=Q5s/
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
