[Full-Disclosure] New virus
Lorenzo Hernandez Garcia-Hierro
lorenzohgh at nsrg-security.com
Tue Nov 25 13:44:33 GMT 2003
Look at this line:
GET /events.php?%s HTTP/1.1
so imagine this:
id=[autonumeric]&ip=[internet address by gestaddrbyhost]&speed=[connection
this logs the information about an infected host.
/* Written By Adrey Karimov [www.proantivirus.com] */
This can be bogus data, but that boy is from an antivirus-related company! :) (who are the virii authors now?)
This calls the API of Microsoft RAS and inserts the data into a new
These functions are called, so the virus uses the memory stack:
strncpy <- *
strstr <- *
And it creates a file with the first data:
It keeps there the data found at SOFTWARE\Microsoft\Internet Account
Other things that the virus does:
Creates a regkey to run it at startup, and it copies itself to some locations.
stores this data ?¿? :
I think some info is hardcoded.
The presence of sysdeb32.exe and tmp.exe indicates virus activity.
I don't know which virus this is.
Best regards,
0x00->Lorenzo Hernandez Garcia-Hierro
0x02->The truth is out there,
0x03-> outside your mind .
4ACC D892 05F9 74F1 F453 7D62 6B4E B53E 9180 5F5B
----- Original Message -----
From: "Andrew Thomas" <andrewt at nmh.co.za>
To: "'Full Disclosure'" <full-disclosure at lists.netsys.com>
Sent: Tuesday, November 25, 2003 9:02 AM
Subject: [Full-Disclosure] New virus
> Just to confirm receipt of another email containing the following
> Hello my dear Mary,
> I have been thinking about you all night. I would like to apologize
> for the other night when we made beautiful love and did not use
> condoms. I know this was a mistake and I beg you to forgive me.
> I miss you more than anything, please call me Mary, I need you. Do
> you remember when we were having wild sex in my house? I remember
> it all like it was only yesterday. You said that the pictures
> would not come out good, but you were very wrong, they are great.
> I didn't want to show you the pictures at first, but now I think
> it's time for you to see them. Please look in the attachment and
> you will see what I mean.
> I love you with all my heart, James.
> With attached Private.zip.
> A quick strings (after unpacking) on the file gives
> The original archive is available @ http://afx.alink.co.za/Private.zip
> I don't have the time to take this apart, but some interesting things
> include a call to function "UrlDownloadToFileA", and a bunch of other
> HTTP-style requests.
> Also looks like it may do some kind of speed test and post results
> as well remotely, including IP address of the infected host, as well
> as pulling stuff out like RAS info, pop3 info, etc.
> The host that appears to be called is "finance.red-host.com", with a
> call made to the page "showinfo.php", which returns only
> Error 0x7a2e: Invalid query, database search failed.
> without anything appended.
> There's quite a bit more in here.
> Andrew G. Thomas
> Hobbs & Associates Chartered Accountants (SA)
> (o) +27-(0)21-683-0500
> (f) +27-(0)21-683-0577
> (m) +27-(0)83-318-4070
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Full-Disclosure is hosted and sponsored by Secunia.
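The two posts above name a handful of indicators: a beacon to events.php / showinfo.php on finance.red-host.com carrying id, ip and speed parameters, and the dropped files sysdeb32.exe and tmp.exe. The script below is an added example, not code from either poster, showing how a defender would turn those indicators into a check over proxy log lines and a file listing. The proxy log format and every sample line are constructed for illustration; only the host, page, parameter and file names come from the thread.

```python
"""Detection helpers for the host-info beacon discussed in the thread.

Added example (not from the original posts). The log line format and the
sample data are constructed; the indicator strings (events.php, showinfo.php,
finance.red-host.com, sysdeb32.exe, tmp.exe) are the ones named in the thread.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the thread.
BEACON_HOSTS = {"finance.red-host.com"}
BEACON_PAGES = {"/events.php", "/showinfo.php"}
BEACON_PARAMS = {"id", "ip", "speed"}
DROPPED_FILES = {"sysdeb32.exe", "tmp.exe"}

# Constructed proxy-log format: "<client_ip> <METHOD> <absolute_url> <status>".
_LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_request(line):
    """Return a dict describing a beacon hit, or None if the line looks benign.

    A line is flagged either because it talks to the known C2 host, or because
    the request has the shape of the events.php beacon (the page name plus at
    least two of the id/ip/speed parameters). Requiring two parameters keeps a
    generic "/events.php?id=3" on an unrelated site from being flagged on the
    path alone.
    """
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    params = parse_qs(parts.query)
    host_match = parts.hostname in BEACON_HOSTS
    page_match = parts.path in BEACON_PAGES
    param_match = len(BEACON_PARAMS & set(params)) >= 2
    if not (host_match or (page_match and param_match)):
        return None
    return {
        "client": m.group("client"),
        "host": parts.hostname,
        "page": parts.path,
        # The beacon reports the infected host's own view of its IP and link speed.
        "reported_ip": params.get("ip", [None])[0],
        "reported_speed": params.get("speed", [None])[0],
        "reason": "known host" if host_match else "beacon query shape",
    }


def scan_log(lines):
    """Run classify_request over every line and keep the hits."""
    return [hit for hit in (classify_request(line) for line in lines) if hit]


def suspicious_files(paths):
    """Case-insensitive match of path basenames against the dropped-file names."""
    return sorted(
        p for p in paths if re.split(r"[\\/]", p)[-1].lower() in DROPPED_FILES
    )


# Constructed sample data (not real traffic or a real host listing).
SAMPLE_LOG = [
    "10.0.0.5 GET http://finance.red-host.com/showinfo.php 200",
    "10.0.0.5 GET http://finance.red-host.com/events.php?id=17&ip=10.0.0.5&speed=56k 200",
    "10.0.0.7 GET http://www.example.com/index.html 200",
    "10.0.0.9 GET http://shop.example.net/events.php?id=3 200",
    "10.0.0.11 GET http://203.0.113.5/events.php?id=2&ip=10.0.0.11&speed=dsl 200",
]
SAMPLE_FILES = [
    "C:\\WINDOWS\\system32\\sysdeb32.exe",
    "C:\\WINDOWS\\tmp.exe",
    "C:\\WINDOWS\\explorer.exe",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}{hit['page']} ({hit['reason']}), "
              f"reports ip={hit['reported_ip']} speed={hit['reported_speed']}")
    for path in suspicious_files(SAMPLE_FILES):
        print(f"dropped-file name present: {path}")
```

The fourth sample line is deliberately a near miss: it hits /events.php with only an id parameter on an unrelated host and is not reported, while the fifth line is caught on query shape alone even though the host is not the one named in the thread.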