Looks like WINKERNEL132.EXE is the dropper file. The server that is offering those files is pretty tight, but the Apache isn't set up correctly. You can get any file... including the passwd file. Nessus reported this; I don't have time to find out more... just FYI.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of the rxmr
Sent: Monday, September 27, 2004 2:14 PM
To: Bernardo Santos Wernesback
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] New virus?

----- Original Message -----
From: Bernardo Santos Wernesback <[EMAIL PROTECTED]>
Date: Mon, 27 Sep 2004 14:44:58 -0300
Subject: [Full-Disclosure] New virus?
To: [EMAIL PROTECTED]

Hi everyone,

Has anyone seen a lot of HTTP activity to a certain site: http://www.fotosgratis.pop.com.br ?

One of our clients has several machines making tons of requests for TXT files on that server:

botao.txt
mswinsck.txt
ita01.txt
caixa01.txt
teclado07.txt
caixa01.txt
caixa02.txt
caixa03.txt
caixa04.txt
caixa05.txt

Thanks for any info.

_____________________________________________________
Bernardo Santos Wernesback
ESSE, ESS, SCSE, CCNA/DA, CCSA, CQS, MCP
Consultant / ISH Tecnologia
Phone: +55-27-3334-8900
Mobile: +55-27-8111-0884
Email: [EMAIL PROTECTED]
PGP Fingerprint: 6A42 3701 70D7 FD0F 5FA9 D232 CDD4 6189 EF43 95F5

This should answer your questions. It is a trojan - TROJ_BANCOS.BW or a variant.

http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_BANCOS.BW

From the page:

"
Description: This Trojan attempts to download the following image files in the folder %Windows%\inf:

* botao.bmp
* caixa01.jpg
* caixa02.jpg
* caixa04.jpg
* caixa05.jpg
* ita01.jpg
* teclado_05.jpg
* teclado_07.jpg
* teclado_gere03.jpg
* teclado_gere04.jpg
* teclado_gere05.jpg
* teclado_gere06.jpg
"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
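The practical follow-up to this thread is finding which internal machines show the same download pattern. The script below is an added example, not code from the thread or from any of the posters: it scans web-proxy log lines for clients that fetch several of the .txt filenames listed in the original report (plus the WINKERNEL132.EXE dropper named in the reply) from www.fotosgratis.pop.com.br. The log format (Apache-style lines with the client address first and an absolute request URL, as a forward proxy would log it), the sample log lines, and the "three or more distinct suspect files" threshold are all assumptions made for illustration, so adjust the regex and threshold to your own proxy.

```python
"""Flag proxy clients that exhibit the TROJ_BANCOS.BW download pattern.

Added example, not from the original mailing-list thread. The log format,
the sample lines and the threshold below are constructed/assumed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Host named in the original report.
SUSPECT_HOST = "www.fotosgratis.pop.com.br"

# Filenames from the original report, plus the dropper named in the reply.
# Compared case-insensitively.
SUSPECT_FILES = {
    "botao.txt", "mswinsck.txt", "ita01.txt", "caixa01.txt",
    "teclado07.txt", "caixa02.txt", "caixa03.txt", "caixa04.txt",
    "caixa05.txt", "winkernel132.exe",
}

# Assumed threshold: one request could be a user browsing the site; a
# client that pulls several of the files is behaving like the trojan.
MIN_DISTINCT_FILES = 3

# Assumed proxy log format: client, ident, user, [timestamp], "METHOD URL HTTP/x", status, size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict with client, host, file and status, or None if the line
    does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    fname = parts.path.rsplit("/", 1)[-1].lower()
    return {
        "client": m.group("client"),
        "host": (parts.hostname or "").lower(),
        "file": fname,
        "status": int(m.group("status")),
    }


def find_infected(lines, min_files=MIN_DISTINCT_FILES):
    """Map client -> {suspect file: request count} for clients that fetched
    at least `min_files` distinct suspect files from SUSPECT_HOST."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash on real logs
        if rec["host"] != SUSPECT_HOST or rec["file"] not in SUSPECT_FILES:
            continue
        hits[rec["client"]][rec["file"]] += 1
    return {c: dict(f) for c, f in hits.items() if len(f) >= min_files}


# Constructed sample log: one client matching the pattern, one visiting the
# site normally, one fetching a same-named file from an unrelated host, and
# one garbage line.
SAMPLE_LOG = [
    '10.0.0.15 - - [27/Sep/2004:13:02:11 -0300] "GET http://www.fotosgratis.pop.com.br/botao.txt HTTP/1.1" 200 4122',
    '10.0.0.15 - - [27/Sep/2004:13:02:12 -0300] "GET http://www.fotosgratis.pop.com.br/caixa01.txt HTTP/1.1" 200 9871',
    '10.0.0.15 - - [27/Sep/2004:13:02:13 -0300] "GET http://www.fotosgratis.pop.com.br/caixa01.txt HTTP/1.1" 200 9871',
    '10.0.0.15 - - [27/Sep/2004:13:02:14 -0300] "GET http://www.fotosgratis.pop.com.br/teclado07.txt HTTP/1.1" 200 13004',
    '10.0.0.22 - - [27/Sep/2004:13:05:40 -0300] "GET http://www.fotosgratis.pop.com.br/index.html HTTP/1.1" 200 2210',
    '10.0.0.31 - - [27/Sep/2004:13:06:02 -0300] "GET http://www.example.org/caixa01.txt HTTP/1.1" 404 312',
    'this line is not in the expected format',
]


if __name__ == "__main__":
    for client, files in sorted(find_infected(SAMPLE_LOG).items()):
        print(client, files)
```

Run it against your real proxy log with `find_infected(open("access.log"))`; the threshold keeps a single curious user who clicked the site out of the report, while a machine that pulls the whole set of files is listed together with how many times it fetched each one.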
