
List:       incidents
Subject:    RE: New Virus / Trojan ?
From:       "Byrne Ghavalas" <security () nscs ! uk ! com>
Date:       2004-07-27 7:58:48
Message-ID: 20040727075530.13295.qmail () mail ! securityfocus ! com

Hi Vincent,

I have seen a few of these as well, but, if I'm not mistaken, Norton
is now detecting them as a MyDoom variant.  Not sure if this is what
you're seeing.

FYI, you may find that the executable is packed using UPX. The
versions of the virus that I saw were packed with UPX 1.24.  After
unpacking the executable, strings provides a lot more info and makes
it much easier to identify the virus.

HTH

Byrne G 

|-----Original Message-----
|From: Vincent Jaussaud [mailto:Vincent.Jaussaud@kelkoo.net] 
|Sent: Monday, July 26, 2004 5:09 PM
|To: incidents@securityfocus.com
|Subject: New Virus / Trojan ?
|
|Hi there;
|
|We just saw a malicious program coming into our network.
|
|As usual, it uses its own SMTP engine to send itself.
|
|None of our anti-virus knows about it (NAV, ClamScan, File::Scan), and
|since it's a zip file, it isn't blocked by our mail system.
|
|The zip file contains one file, named (without quotes):
|
|"britney.jpg\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
|\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \
|\ \ \ \ \ \ \ \ \ \ \ \ .scr"
|
|The zip file is 33650 bytes; while the scr file is 32768 bytes.
|
|A strings dump of the scr file gives:
|
|VWhd0@
|T$dU
|jyh^V$
|+ QR
|`"a;l
|E:HUP
|VV4t
|JRUND
|LL32.EXE %s,_mainRD
|DllRegisterS
|CLSID\{
|2716A60E-3B39-11D8-81AB-455wy
|35401}
|7 mut1
|b\%c
|c*.Se
|&';7
|)ig?O
|^{t1
|OZ<r
|\son
|r#E5
|47q<o
|J#b|
|?`(.
|KwDr
|\0}7(
| qdk
|0$"=
|C%nWl
|*tyrA
|HCzi
|th|A[
|dx71
|v&r|
|%eL&k
|^?$f
|zVPt
|{oix+
|a68p
|+LGCr
|t'pz
|f/Z0
|]1Yj_p
|09<'
|-[L(,*
|&pe6
|Rl      N
|S:#Z5
|LAD+X
|^#n:
|u[      .wV
|1       -w
|,:vi
|@5}[
|6qz7kM
|anhc{]
|^~>^;
|uTWb
|w*ax
|pQgd
|u(@;;
|w60G
|k1:a
|.'1vf
|a+Y30
|#&Nv
|tS8(
|.86
|4-;;=
|nB^~
|:q;q
|F"1i
|t-wB
|7wq9
|QrBv
|/m}+H
|ow83`
|I_dTp"~
|f|s]
|&\,9
|+)2222('&%vK
|>A+-
|0k>j
|6uRg_
|%       'p
|ydpe
|+YErY
|'@g9E
|rJn@
|&S%q
|\raN
|_F"7r
|7kp(FF
|D!\S
|*f*~
|R,B?6O
|=^$cO
|KC*NA
|{55`
|^dSZ
|.\XJ
|s-eB7
|\j+
|on      S
|a=]|
|<.Vk
|1v/U/
|Ouzm{
|`oD6
|m[w+!
|Zh?l
|9a-CSq
|2J18
|b_ if
|yzk}
|j=Jx
|o,a-
|Z*iga
|Ulc@
|e7)N
|B)=3
|+F8X'
|\'Ix
|faV7
|D.Gwsf
|rO\N
|4SgP
|P`dS
|KHFt
|<e"lK
|6,a@
|Xf3P
|2t0>
|w'|=
|Xj=Q
|-j-j
|J/5R
|b/3
|G4kN
|d20.5Bl
|7,.y
|=6p
|uV[,z
|[)h@\
|Y+rc
|V8B!
|9xZ,
|*[a(
|]%#
|(/,[
|vyyg
|;'A(
|\o[!=
|Z3Q#'
|p'U#')3G
|_:U;
|n=;'
|zsC}
|BhZ6
|=+D-(
|-~n,y
|Vwzr
|&u5,
|P&JC
|]naW
|h)j8
|h3DCaFV`
|s,[#
|7*GP
|$!i#
|ZP-W,^_
|m)\A
| DXy
|k}l1
|>4QC
|'=4@
|7{P0
|o'pP3x
|n[}
|R-#-
|!|Az
|qBm6
|27|8
|8<b)ga
|P(g"
|:WWh/
|mx=0
|w0E$
|>;P2
|        ;h>
|M<)o
|/KV`
|^iHv
|'a.F
|36WZ
|;7/+'
|o       ,u
|N+xs
|!5%S
|tdY1
|E`lR+E
|?&J[<%?
|sokg
|q]Ml
|oa#[
|w&-h
|8z,|
|)6D$
|fjE0
|ZBGaG
|vzN_
|(j'a;.[
|g/OKW(8
|IL@e
|l.^;='
|0/Jta&
|dq-m
|+-,y
|QCV:aD!
|BBu=E5
|_s_A
|%xqVo
|lk']
|6l_7
|+Kl-
|`[TOG
|?7/&
|S[go4M
|#+3?
|=k>S
|\yd7k
|<n!5
|#76R
|;H3
|s)BG
|Z63zt
|P@T}
|bws)
|j3c(
|^+      K_
|KGo5
|lYOg
|{gOw
|_w7l
|7{/6CK[O
|,;w'o
|+,=/
|(?[4M
|)+Gg
|tC*+
|Gcug
|VX`K
|nU^aJ
|fXX`
|        y_7_
|[}wO
|_6Sp
|CloseHandle;
|/WriteFi
|Crea
|GetModul
|Nam~
|WiAowsDi6ctory
|LoadLibra
|Free
|0ProcAdd
|Pntt
|Tick
|SCurP
|MIxAm
|werB
|ofA PEL
|B`.rd
|X.&'
|Osrc
|wwwwwwwwwwpp
|KERNEL32.DLL
|ADVAPI32.dll
|USER32.dll
|LoadLibraryA
|GetProcAddress
|ExitProcess
|RegCloseKey
|wsprintfA
|
|If any of you has already faced this one, please share any comments / ideas
|you may have.
|
|We'll try to submit this to Symantec virus analysts.
|
|If you need further info, please let me know.
|
|Thanks in advance !
|Best Regards,
|
|-- 
|#################################################################
|		Kelkoo Security Manager / Networks & Systems Architect

|  JID: portsentry@ims.kelkoo.net / GPG key 1024D/3BFE3FC7 2002-02-07
|		 Office: +(33)04 7629 7163 / Mobile: +(33)06 806 409 62
|#################################################################
|"Those who desire to give up freedom in order to gain security will not
|have, nor do they deserve, either one."
|    -- President Thomas Jefferson.    1743-1826
|

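The dump Vincent posted shows the usual face of a packed PE: a handful of
intact import names (KERNEL32.DLL, ADVAPI32.dll, USER32.dll, LoadLibraryA,
GetProcAddress, ExitProcess, RegCloseKey, wsprintfA) and otherwise only
fragments such as "LoadLibra", "GetModul" and "WiAowsDi6ctory" where the
compressed name table happens to leave printable runs. Byrne's advice is to
confirm the packer and unpack before trusting strings. The script below is an
added triage example for this thread, not code from either poster: it parses
the PE section table, looks for the signs of UPX (UPX0/UPX1 section names, a
UPX0 section with no raw data because it is only filled at run time, the
ASCII marker UPX! and the stub's version banner), extracts printable strings
the way strings(1) does, and judges whether the visible import names are only
what a UPX stub needs (LoadLibraryA and GetProcAddress plus one entry per
DLL, the rest being resolved at run time). The API catalogue and the
thresholds are assumptions; the sample bytes are a constructed PE skeleton,
not the .scr from the post.

```python
"""UPX triage for a suspect PE (added example for this thread, not the
posters' code).  SAMPLE is a constructed header skeleton, not the real file."""
import re
import struct

# Small catalogue of Win32 names worth spotting in a strings dump (assumption).
API_CATALOG = {
    "LoadLibraryA", "GetProcAddress", "ExitProcess", "RegCloseKey", "wsprintfA",
    "CreateFileA", "WriteFile", "CloseHandle", "GetModuleFileNameA",
    "GetWindowsDirectoryA", "RegOpenKeyExA", "RegSetValueExA", "WSAStartup",
}
# A UPX stub keeps these two plus one import per DLL and resolves the rest
# itself at run time, so a packed file shows very few API names.
STUB_CORE = {"LoadLibraryA", "GetProcAddress"}


def pe_sections(data):
    """Return [(name, virtual_size, raw_size, raw_offset)] from the section table."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, raw, ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, raw, ptr))
    return sections


def upx_indicators(data):
    """Signs of UPX: UPX* section names, a UPX0 section that is empty on disk,
    the 'UPX!' marker, and the 'UPX x.yy' banner carried by the stub."""
    sections = pe_sections(data)
    upx_names = [n for n, _, _, _ in sections if n.startswith("UPX")]
    banner = re.search(rb"UPX (\d+\.\d+)", data)
    return {
        "upx_sections": upx_names,
        "upx0_has_no_raw_data": any(n == "UPX0" and raw == 0 and vsize > 0
                                    for n, vsize, raw, _ in sections),
        "marker_offset": data.find(b"UPX!"),   # -1 when absent
        "version": banner.group(1).decode() if banner else None,
        "likely_packed": bool(upx_names) or b"UPX!" in data,
    }


def extract_strings(data, min_len=6):
    """What strings(1) prints: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def import_view(strs):
    """DLL and API names visible in a dump, and whether that set looks like a
    packer stub's import table rather than the real program's."""
    dlls = [s for s in strs if re.fullmatch(r"[A-Za-z0-9_]+\.(dll|DLL)", s)]
    apis = [s for s in strs if s in API_CATALOG]
    thin = STUB_CORE <= set(apis) and len(apis) <= 2 + len(dlls)
    return {"dlls": dlls, "apis": apis, "stub_only": thin}


def build_sample():
    """Constructed stand-in: PE headers with UPX0/UPX1/.rsrc sections, a UPX
    marker and banner, and the DLL/API names seen in the post's dump."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew -> PE header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x010F)
    body = (b"\0" * 16 + b"1.24\0UPX!" + b"\0" * 16
            + b"$Id: UPX 1.24 Copyright (C) the UPX Team. All Rights Reserved. $\0"
            + b"\0".join([b"KERNEL32.DLL", b"ADVAPI32.dll", b"USER32.dll",
                          b"LoadLibraryA", b"GetProcAddress", b"ExitProcess",
                          b"RegCloseKey", b"wsprintfA"]) + b"\0"
            + bytes(range(1, 32)) * 8)                 # "compressed" filler, no strings

    def sec(name, vsize, vaddr, raw, ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw, ptr,
                           0, 0, 0, 0, 0xE0000080)

    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
              + sec(b"UPX0", 0x10000, 0x1000, 0, 0)           # empty on disk
              + sec(b"UPX1", 0x4000, 0x11000, len(body), 512)
              + sec(b".rsrc", 0x1000, 0x15000, 64, 512 + len(body)))
    return header.ljust(512, b"\0") + body + b"\0" * 64


if __name__ == "__main__":
    sample = build_sample()
    print(upx_indicators(sample))
    strs = extract_strings(sample)
    print(strs)
    print(import_view(strs))
```

Run it against a copy of the sample inside an analysis VM, never on a
machine that could execute the .scr. When likely_packed is set, `upx -d` on
the copy normally restores the original image, after which strings shows the
real import table and any SMTP-engine text, which is the point Byrne makes.
If the packer header has been doctored, `upx -d` refuses; the section names
and the empty UPX0 section still identify the packer, and the fallback is to
let the stub unpack itself under a debugger and dump the process at its
original entry point.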

