To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
On Wed, 15 Mar 2006, Tron wrote:
> I have a file, rp5.exe, snared by my running instance of nepenthes,
> which is quite obviously compressed via UPX...
>
> upx -l rp5.exe
> Ultimate Packer for eXecutables
> Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
> UPX 1.94 beta Markus Oberhumer, Laszlo Molnar & John Reiser Mar 11th
> 2006
>
>         File size         Ratio      Format      Name
>    --------------------   ------   -----------   -----------
>     152064 ->     61952   40.74%    win32/pe     rp5.exe
>
> ... but which I can't decompress...
>
> upx: rp5.exe: Exception: checksum error.
>
> Which is obviously why Norman sandbox stated, for this particular binary...
>
> nepenthes-9291587b85191b06bbf80d4ea1fb142e-rp5.exe : Not detected by
> sandbox (Signature: NO_VIRUS).
>
> Presumably, this means that whoever compressed this binary used an
> altered version of upx?
I am not sure what the case is here, but many different variants of UPX
are out there. You need to trace it and find the real entry point.
Gadi.
>
> See Norman Sandbox reference 20060315-665 for the full (and unhelpful)
> report.
>
> Regards.
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
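Added example, not code from the thread or from UPX itself: a Python triage script that recognises a UPX-style section layout even when the packer was altered so that stock `upx -d` fails with a checksum error, as with Tron's rp5.exe. It relies only on the PE32 section table and AddressOfEntryPoint; the three PE images are constructed inline, and the "altered UPX" case is an assumption about what a renamed-section, marker-stripped variant looks like.

```python
import struct
from math import log2

def build_pe(sections, entry_rva):
    # Constructed minimal PE32 image for the demo; sections = [(name, vsize, rva, raw_bytes)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                      # e_lfanew = 64
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0).ljust(224, b"\0")
    raw_off, table, body = 64 + 24 + 224 + 40 * len(sections), b"", b""
    for name, vsize, rva, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, rva, len(data), raw_off, 0, 0, 0, 0, 0x60000020)
        raw_off, body = raw_off + len(data), body + data
    return dos + coff + opt + table + body

def parse_pe(pe):
    # Only what packer triage needs: AddressOfEntryPoint and the section table
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec, opt_size = (struct.unpack_from("<H", pe, e_lfanew + o)[0] for o in (6, 20))
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    sections, table = [], e_lfanew + 24 + opt_size
    for off in range(table, table + 40 * nsec, 40):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append((name.rstrip(b"\0"), vsize, rva, pe[rawptr:rawptr + rawsize]))
    return entry, sections

def entropy(data):
    # Shannon entropy in bits per byte; compressed or encrypted data sits near 8.0
    probs = [data.count(b) / len(data) for b in set(data)] if data else [1.0]
    return -sum(p * log2(p) for p in probs)

def triage(pe):
    # A UPX-style layout survives renamed sections and a stripped "UPX!" marker: the first section
    # is empty on disk (unpack target), the entry point sits in the next, high-entropy one (body + stub)
    entry, sections = parse_pe(pe)
    ep = next((s for s in sections if s[2] <= entry < s[2] + max(s[1], len(s[3]))), None)
    hollow_first = len(sections) > 1 and sections[0][1] > 0 and not sections[0][3]
    ep_entropy = round(entropy(ep[3]), 2) if ep else 0.0
    return {"upx_names": any(s[0].startswith(b"UPX") for s in sections),
            "upx_magic": b"UPX!" in pe,
            "ep_section": ep[0] if ep else None, "ep_entropy": ep_entropy,
            "upx_layout": hollow_first and ep is sections[1] and ep_entropy > 6.5}

# Constructed inputs: stock UPX names; same layout, renamed and marker-stripped (altered UPX); unpacked
BODY = bytes(range(256)) * 16                                  # stands in for compressed data
STOCK = build_pe([(b"UPX0", 0x20000, 0x1000, b""), (b"UPX1", 0x1010, 0x21000, BODY + b"UPX!"),
                  (b".rsrc", 0x1000, 0x23000, b"\0" * 64)], 0x21000 + len(BODY))
ALTERED = build_pe([(b".rs0", 0x20000, 0x1000, b""), (b".rs1", 0x1010, 0x21000, BODY),
                    (b".rsrc", 0x1000, 0x23000, b"\0" * 64)], 0x21000 + len(BODY) - 16)
CLEAN = build_pe([(b".text", 0x1000, 0x1000, b"\x55\x8b\xec" * 200 + b"\xc3")], 0x1000)
```

Run `triage()` over each image: the altered variant loses both the section names and the magic yet still scores as UPX layout, which is the signal to keep when `upx -d` refuses the file and the sandbox reports nothing.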