To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

derby.com looks like an installer, given its size (~ 1.8 MB). In fact, if you take a look at section .pklstb (located at 0xa400), you see:

0f73000 688030f7 0068bec7 12016800 000000e8  h.0..h....h.....
0f73010 aa971b00 e92fdc54 ff402823 29504b4c  ...../.T.@(#)PKL
0f73020 49544533 3220436f 70797269 67687420  ITE32 Copyright
0f73030 31393938 20504b57 41524520 496e632e  1998 PKWARE Inc.
0f73040 2c20416c 6c205269 67687473 20526573  , All Rights Res
0f73050 65727665 64202824 52657669 73696f6e  erved ($Revision
0f73060 3a202429 00504b4c 54333200 00100100  : $).PKLT32.....
On Sun, Nov 25, 2007 at 05:03:41AM +0000, Paul Ferguson babbled thus:

> FYI.
>
> - ferg
>
> [forwarded message]
>
>
> Date: Sat, 24 Nov 2007 23:17:32 -0500
> From: jayjwa <[EMAIL PROTECTED]>
> To: Dshield Mail List <[EMAIL PROTECTED]>
>
>
> (Possibly) new trojans. These came from a link spammed out in email
> that ended up in my Hotmail inbox. The files are win32 PE's, with some
> interesting strings embedded in them. One of the files appears to be a
> server of some sort with smtp ability. There's also a lot of calls to
> graphics routines, so maybe one of the files is a client or user
> interface of some type. Written in Delphi, downloaded from
> suspiroamor.land.ru, root directory.
>
> amor.com: The only file linked in the email. Probably downloads/exec
> others.
>
> Interesting strings:
>
> taskkill -f /im gbpsv.exe
> C:\Arquivos de programas\GbPlugin\gbieh.dll
> C:\Arquivos de programas\GbPlugin\gbieh.gmd
> C:\windows\Crime.exe
> C:\WINDOWS\system32\WormList.exe
> URLDownloadToFileA
> shell32.dll
> ShellExecuteA
>
> derby.com: Referenced in the above file.
>
> javas.com: Same. Contains an email template, lots of calls to Winsock.
>
> Interesting hardcoded strings:
>
> msnlist.txt
> [EMAIL PROTECTED]
> Lista MSN (
> gsmtp185.google.com
>
> hsResolving
> hsConnecting
> hsConnected
> hsDisconnecting
> hsDisconnected
> hsStatusText
> ftpTransfer
> ftpReady
> ftpAborted
> IdComponent
> TIdStatusEvent
> ASender
>
> Indy 9.00.10
> X-Library
>
> * About to connect() to suspiroamor.land.ru port 80 (#0)
> * Trying 82.204.219.223... connected
> * Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
> > GET /javas.com HTTP/1.1
> > User-Agent: from Russia with love?
> > Host: suspiroamor.land.ru
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Server: nginx/0.5.31
> < Date: Sun, 25 Nov 2007 03:09:45 GMT
> < Content-Type: application/octet-stream
> < Content-Length: 523264
> < Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
> < Connection: keep-alive
> < Accept-Ranges: bytes
> <
> { [data not shown]
>
>
> The signature/data files are a bit old (Nov. 9) but F-prot had this to say:
>
> amor.com Infection: Possibly a new variant of
> W32/NewMalware-LSU-based!Maximus
>
> Available as downloaded above, or local copies together in a zip for
> anyone that wants to look at them:
>
> https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip
>
> Useful tool to examine binaries:
> http://hte.sourceforge.net/
>
> [end]
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/

--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net

Unsolicited advertisements sent to this address are NOT welcome.

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
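As an added example, not code from this thread or from any of the posters, the following Python script does the section check PinkFreud did by hand with a hex dump: it walks the PE section table without any third-party library, reports each section's name, raw offset, size and byte entropy, flags non-standard section names, and looks for the PKLITE32 copyright banner that marks a PKLite-packed image. The PE it builds for the demonstration is constructed here; the .pklstb section name and the banner text are assumed from the dump above, and no sample from the thread is embedded.

```python
import math
import struct
import sys

# Banner strings that identify a packer when found inside section data.
# Only the PKLITE32 marker from the thread is listed; extend as needed.
PACKER_BANNERS = {b"PKLITE32": "PKLite32"}

# Section names a linker normally emits (MSVC plus Delphi's CODE/DATA/BSS).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".bss", ".tls", "CODE", "DATA", "BSS"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means compressed/encrypted, plain x86 code is usually 5-7.
    Caveat: .rsrc sections holding PNG/JPEG images are legitimately high as well."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return sections


def triage(pe: bytes):
    """Per-section report: name, file offset, size, entropy and any packer banner."""
    report = []
    for s in parse_sections(pe):
        raw = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        banner = next((label for magic, label in PACKER_BANNERS.items() if magic in raw), None)
        report.append({**s, "entropy": round(shannon_entropy(raw), 2), "packer": banner})
    return report


def unusual_sections(report):
    return [r["name"] for r in report if r["name"] not in STANDARD_SECTIONS]


def is_probably_packed(report, threshold: float = 7.0) -> bool:
    """A known banner, or a non-trivial section near 8 bits/byte, is a packing signal."""
    return any(r["packer"] or (r["entropy"] >= threshold and r["raw_size"] >= 512)
               for r in report)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (synthetic test input, not a thread sample):
    a benign-looking .text section and a .pklstb section with a PKLITE32-style banner
    followed by high-entropy filler, sized to the file alignment so no zero padding
    dilutes the entropy measurement."""
    file_align, opt_size, e_lfanew = 0x200, 0xE0, 0x40
    banner = b"(#)PKLITE32 Copyright 1998 PKWARE Inc.\0"       # assumed from the hex dump
    filler = (bytes(range(256)) * 6)[:3 * file_align - len(banner)]
    sections = [(b".text", b"\x55\x8b\xec\x5d\xc3" * 100),      # push ebp; mov ebp,esp; pop ebp; ret
                (b".pklstb", banner + filler)]
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    hdr_end = -(-headers_len // file_align) * file_align
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed
    table, blobs, raw_ptr = b"", b"", hdr_end
    for i, (name, data) in enumerate(sections):
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + optional + table).ljust(hdr_end, b"\0") + blobs


if __name__ == "__main__":
    # Usage: python3 pe_section_triage.py [file.exe]; with no argument the built sample is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    rep = triage(image)
    for r in rep:
        print(f"{r['name']:<8} off=0x{r['raw_ptr']:06x} size=0x{r['raw_size']:06x} "
              f"entropy={r['entropy']:.2f} packer={r['packer']}")
    print("unusual section names:", unusual_sections(rep))
    print("probably packed:", is_probably_packed(rep))
```

The banner match is the reliable signal; the entropy threshold is a heuristic and should be read together with the section name, since resource sections with embedded images also approach 8 bits per byte.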