To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
derby.com looks like an installer, given its size (~ 1.8 MB). In
fact, if you take a look at section .pklstb (located at 0xa400), you
see:
0f73000 688030f7 0068bec7 12016800 000000e8 h.0..h....h.....
0f73010 aa971b00 e92fdc54 ff402823 29504b4c ...../.T.@(#)PKL
0f73020 49544533 3220436f 70797269 67687420 ITE32 Copyright
0f73030 31393938 20504b57 41524520 496e632e 1998 PKWARE Inc.
0f73040 2c20416c 6c205269 67687473 20526573 , All Rights Res
0f73050 65727665 64202824 52657669 73696f6e erved ($Revision
0f73060 3a202429 00504b4c 54333200 00100100 : $).PKLT32.....
On Sun, Nov 25, 2007 at 05:03:41AM +0000, Paul Ferguson babbled thus:
> FYI.
>
> - ferg
>
> [forwarded message]
>
>
> Date: Sat, 24 Nov 2007 23:17:32 -0500
> From: jayjwa <[EMAIL PROTECTED]>
> To: Dshield Mail List <[EMAIL PROTECTED]>
>
>
> (Possibly) new trojans. These came from a link spammed out in email
> that ended up in my Hotmail inbox. The files are win32 PEs, with some
> interesting strings embedded in them. One of the files appears to be a
> server of some sort with smtp ability. There's also a lot of calls to
> graphics routines, so maybe one of the files is a client or user
> interface of some type. Written in Delphi, downloaded from
> suspiroamor.land.ru, root directory.
>
> amor.com: The only file linked in the email. Probably downloads/exec
> others.
>
> Interesting strings:
>
> taskkill -f /im gbpsv.exe
> C:\Arquivos de programas\GbPlugin\gbieh.dll
> C:\Arquivos de programas\GbPlugin\gbieh.gmd
> C:\windows\Crime.exe
> C:\WINDOWS\system32\WormList.exe
> URLDownloadToFileA
> shell32.dll
> ShellExecuteA
>
> derby.com: Referenced in the above file.
>
> javas.com: Same. Contains an email template, lots of calls to Winsock.
>
> Interesting hardcoded strings:
>
> msnlist.txt
> [EMAIL PROTECTED]
> Lista MSN (
> gsmtp185.google.com
>
> hsResolving
> hsConnecting
> hsConnected
> hsDisconnecting
> hsDisconnected
> hsStatusText
> ftpTransfer
> ftpReady
> ftpAborted
> IdComponent
> TIdStatusEvent
> ASender
>
> Indy 9.00.10
> X-Library
>
> * About to connect() to suspiroamor.land.ru port 80 (#0)
> * Trying 82.204.219.223... connected
> * Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
> > GET /javas.com HTTP/1.1
> > User-Agent: from Russia with love?
> > Host: suspiroamor.land.ru
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Server: nginx/0.5.31
> < Date: Sun, 25 Nov 2007 03:09:45 GMT
> < Content-Type: application/octet-stream
> < Content-Length: 523264
> < Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
> < Connection: keep-alive
> < Accept-Ranges: bytes
> <
> { [data not shown]
>
>
> The signature/data files are a bit old (Nov. 9) but F-prot had this to say:
>
> amor.com Infection: Possibly a new variant of
> W32/NewMalware-LSU-based!Maximus
>
> Available as downloaded above, or local copies together in a zip for
> anyone that wants to look at them:
>
> https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip
>
> Useful tool to examine binaries:
> http://hte.sourceforge.net/
>
>
> [end]
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
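The packer check PinkFreud does by eye above (the PKLITE32 banner sitting in a .pklstb section), done programmatically as an added triage example; this is not code from the thread or from any tool it names. It walks the PE section table with struct, looks for the packer/library strings quoted in the thread (PKLITE32, Indy 9.00.10) per section and for the URLDownloadToFileA/ShellExecuteA pair anywhere in the file; the PE it runs on is a constructed stand-in built by build_sample(), not any of the real specimens.

```python
import struct

# Packer / library banners worth flagging on a first pass. The PKLITE32 one
# is the string visible in the .pklstb hexdump; Indy 9.00.10 is from javas.com.
MARKERS = {
    b"PKLITE32 Copyright 1998 PKWARE Inc.": "PKLITE32 (PKWARE) packed",
    b"Indy 9.00.10": "Delphi Indy 9 networking library",
}
# The import pair that, together, suggests download-and-execute behaviour.
DOWNLOAD_EXEC_APIS = (b"URLDownloadToFileA", b"ShellExecuteA")

def pe_sections(data):
    """Walk the PE section table; return [(name, raw_offset, raw_size)]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]      # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                                  # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsect):
        name, _vsize, _vaddr, rsize, roff = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), roff, rsize))
    return out

def triage(data):
    """Return ({section: [markers found in its raw bytes]}, [download/exec APIs seen])."""
    hits = {}
    for name, off, size in pe_sections(data):
        raw = data[off:off + size]
        found = [label for sig, label in MARKERS.items() if sig in raw]
        if found:
            hits[name] = found
    return hits, [a.decode() for a in DOWNLOAD_EXEC_APIS if a in data]

def build_sample():
    """Constructed minimal PE32 (not a real binary, assumption for the demo):
    a .text section with the two API names and a .pklstb carrying the banner."""
    sections = [(b".text", b"\xcc" * 16 + b"URLDownloadToFileA\0ShellExecuteA\0"),
                (b".pklstb", b"@(#)PKLITE32 Copyright 1998 PKWARE Inc., All Rights "
                             b"Reserved ($Revision: $)\0PKLT32\0")]
    pe_off, opt = 0x40, b"\x0b\x01" + b"\0" * 222           # PE32 magic + zeroed optional header
    first_raw = (pe_off + 24 + len(opt) + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte alignment
    raw_off, table, body = first_raw, b"", b""
    for i, (name, payload) in enumerate(sections):
        size = (len(payload) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000 * (i + 1),
                             size, raw_off, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(size, b"\0")
        raw_off += size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    return (dos + coff + opt + table).ljust(first_raw, b"\0") + body

if __name__ == "__main__":
    print(triage(build_sample()))  # {'.pklstb': ['PKLITE32 (PKWARE) packed']}, both APIs
```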
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets