On Tue, 3 Jul 2007 20:37:57 +0800
Enlightnr <[EMAIL PROTECTED]> wrote:

> I received this trojan e-mail. The website has a .exe download and the page
> seems to close Firefox (latest version).
> I was also able to decode the JavaScript and found the following. Does anyone
> know what that does?

There is a small group of us that have been poking around with these for a few
weeks now.

We don't know what the unescaped portion of the script you posted does, yet.
What we do know is that it is a trojan downloader that downloads a file which in
turn downloads yet another file (or two or three) and uses a peer list to
connect via a p2p network and send other spam mails.

You have probably seen the spam. It's a .gif file 8 or so k that uses upper and
lower mixed case characters in it that usually advertises some stock quote or
Viagra or the other typical spam we have all come to know and love.

It appears to be the peacomm group behind it and they started out using .hk
addresses for the URLs and have now switched to IP-based URLs.

Our efforts are ongoing and we are making a bit of headway decoding the
trojaned files.
_______________________________________________
phishing mailing list
[email protected]
http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
