This is not a zip file - it's a Windows exe, complete with an MZ header and calls to LoadLibraryA & GetProcAddress exported from KERNEL32.dll.

Am debugging through it - to see what exactly it does... (this one is real good) but how come IE and Mozilla started it up as a Java applet without any error message?

-aditya

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Nicola Fankhauser
> Sent: Monday, February 16, 2004 12:50 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Re: [Full-Disclosure] http://federalpolice.com:[EMAIL PROTECTED]
>
> hi jedi
>
> On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:
> > This is equivalent to http://64.29.173.91/
>
> ok, and the html of the index page is as follows:
>
> <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
> <h2>SERVER ERROR 550</h2>
> <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1
> HEIGHT=1></applet></body></html>
>
> now, the "SERVER ERROR 550" is clearly a fake - the java applet below
> just starts fine. strangely, the 'javautil.zip' is not a valid zip-file,
> yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :)
> happily start the applet without any hiccups or exceptions and mozilla
> states 'Applet BlackBox started' in the status bar.
>
> is there anybody knowledgeable interested in un-zipping, de-compiling and
> analysing this surely malicious applet? I would like to know what
> mozilla just executed on my behalf there... :(
>
> FYI, the file 'javautil.zip' attached is directly taken from the site
> mentioned above.
>
> regards
> nicola
>

________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
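The thread turns on one file, javautil.zip, that looks like a Windows executable to a debugger yet is accepted as an applet archive by appletviewer and Mozilla. The script below is an added example, not code from the thread or from any of its posters, showing the check a practitioner would run on such a file before trusting its extension: it tests the front of the file for an MZ/PE header and the tail of the file for a zip end-of-central-directory record, which is where zip and jar readers actually start parsing. It also tries to open the bytes with Python's zipfile module to show what an archive reader would do with them. All sample inputs are constructed inline (a minimal MZ stub that is not loadable, plus a zip built with zipfile); the javautil.zip from the site is not examined here, and whether that file was a plain PE or a PE with an archive appended is not something this example decides.

```python
import io
import struct
import sys
import zipfile

# Well-known magic values for the two formats under discussion.
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
EOCD_MIN_SIZE = 22          # fixed part of the end-of-central-directory record
ZIP_MAX_COMMENT = 0xFFFF    # EOCD may be followed by a comment of up to 64 KiB


def is_pe(data: bytes) -> bool:
    """True if data begins with an MZ stub whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. it would satisfy the Windows
    loader's first two checks."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def has_zip_tail(data: bytes) -> bool:
    """True if an end-of-central-directory record can be found by scanning
    back from the end of the file. Zip/jar readers locate the archive this
    way, so byte 0 of the file is irrelevant to them."""
    tail = data[-(EOCD_MIN_SIZE + ZIP_MAX_COMMENT):]
    return ZIP_EOCD in tail


def classify(data: bytes) -> str:
    """Summarise how the bytes present to a PE loader and to a zip reader."""
    pe = is_pe(data)
    zip_front = data[:4] == ZIP_LOCAL_HEADER
    zip_tail = has_zip_tail(data)
    if pe and zip_tail:
        return "pe+zip-polyglot"   # valid to both parsers at once
    if pe:
        return "pe"
    if zip_front or zip_tail:
        return "zip"
    return "unknown"


def jar_readable(data: bytes) -> bool:
    """Open the bytes the way an archive reader would; True if every member
    passes its CRC check, False if the central directory cannot be found."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def build_fake_pe() -> bytes:
    """Constructed sample: an MZ stub with e_lfanew -> 'PE\\0\\0' at 0x80.
    It is only enough to pass the header check, not to run."""
    hdr = bytearray(0x80 + 4)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = PE_SIGNATURE
    return bytes(hdr)


def build_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: a one-member stored zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python sniff.py <file>  (or no argument to run on the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print(classify(blob), "jar_readable=%s" % jar_readable(blob))
    else:
        for label, blob in [
            ("fake pe", build_fake_pe()),
            ("plain zip", build_zip("BlackBox.class", b"\xca\xfe\xba\xbe")),
            ("pe with zip appended", build_fake_pe() + build_zip("BlackBox.class", b"\xca\xfe\xba\xbe")),
        ]:
            print("%-22s %-18s jar_readable=%s" % (label, classify(blob), jar_readable(blob)))
```

The point of the third sample is that a file can satisfy both parsers: the PE loader reads from the front, the zip reader from the back, and neither looks at the other's region. So "starts with MZ" and "is a loadable jar" are not mutually exclusive, and a file-type verdict should come from whichever parser will actually consume the bytes, not from the extension or the first two bytes alone.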
