To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

On Wed, 15 Mar 2006, Tron wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> I have a file, rp5.exe, snared by my running instance of nepenthes,
> which is quite obviously compressed via UPX...
>
> upx -l rp5.exe
> Ultimate Packer for eXecutables
> Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
> UPX 1.94 beta Markus Oberhumer, Laszlo Molnar & John Reiser Mar 11th 2006
>
>         File size         Ratio      Format      Name
>    --------------------   ------   -----------   -----------
>     152064 ->     61952   40.74%    win32/pe     rp5.exe
>
> ... but which I can't decompress...
>
> upx: rp5.exe: Exception: checksum error.
>
> Which is obviously why Norman sandbox stated, for this particular binary...
>
> nepenthes-9291587b85191b06bbf80d4ea1fb142e-rp5.exe : Not detected by
> sandbox (Signature: NO_VIRUS).
>
> Presumably, this means that whoever compressed this binary used an
> altered version of upx?
I am not sure what the case is here, but many different variants of UPX
are out there. You need to trace it and find the real entry point.

Gadi.

> See Norman Sandbox reference 20060315-665 for the full (and unhelpful)
> report.
>
> Regards.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQFEGF/1BzVUSpB18YoRA6H7AJ0WBPAxFa9QZY3qCXpX/+19HUs+4gCeNdaF
> qatvE1+3grAjB4H13Hr5MMQ=
> =9jpt
> -----END PGP SIGNATURE-----

_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
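Added note, not part of the thread and not UPX project code: the exchange above turns on what `upx -d` checks before it will unpack a file. The script below reimplements those checks in Python so that a sample which fails with "checksum error" can be inspected without the upx binary. It scans a file for "UPX!" pack headers, verifies each header's own checksum byte (UPX reports a failure there as "header corrupted"), and compares the Adler-32 values stored in the header against the compressed stream and, when available, the decompressed output (a mismatch there is what UPX reports as "checksum error"). The 32-byte header layout, the mod-251 header checksum and the Adler-32 fields follow UPX's packhead/packer sources; the format and method ids in build_header(), and the sample bytes and file layout in demo(), are constructed fixtures for illustration only.

```python
"""Locate and sanity-check UPX pack headers in a packed file.

Assumed layout: the 32-byte pack header used for 32-bit formats such as
win32/pe (header version >= 10):

  off  0  'UPX!' magic          off 16  u_len        (LE32)
  off  4  version               off 20  c_len        (LE32)
  off  5  format                off 24  u_file_size  (LE32)
  off  6  method                off 28  filter
  off  7  level                 off 29  filter_cto
  off  8  u_adler (LE32)        off 30  n_mru
  off 12  c_adler (LE32)        off 31  header_checksum
"""
import struct
import zlib

UPX_MAGIC = b"UPX!"
HEADER_SIZE = 32
HEADER_FMT = "<4sBBBBIIIIIBBBB"   # 32 bytes, little endian


def header_checksum(hdr: bytes) -> int:
    """UPX's get_packheader_checksum(): byte sum after the magic,
    excluding the checksum byte itself, mod 251."""
    return sum(hdr[4:HEADER_SIZE - 1]) % 251


def parse_header(hdr: bytes) -> dict:
    """Decode one 32-byte pack header and flag a bad header checksum."""
    names = ("magic", "version", "format", "method", "level", "u_adler",
             "c_adler", "u_len", "c_len", "u_file_size", "filter",
             "filter_cto", "n_mru", "header_checksum")
    h = dict(zip(names, struct.unpack(HEADER_FMT, hdr[:HEADER_SIZE])))
    h["header_checksum_ok"] = h["header_checksum"] == header_checksum(hdr)
    return h


def find_headers(data: bytes) -> list:
    """Every 'UPX!' occurrence with a full header behind it. An altered
    packer may leave none, or one whose checksum no longer matches."""
    found, pos = [], data.find(UPX_MAGIC)
    while pos != -1:
        if pos + HEADER_SIZE <= len(data):
            h = parse_header(data[pos:pos + HEADER_SIZE])
            h["offset"] = pos
            found.append(h)
        pos = data.find(UPX_MAGIC, pos + 1)
    return found


def verify_data(h: dict, compressed: bytes, uncompressed: bytes = None) -> list:
    """The checks behind UPX's "checksum error": Adler-32 (seed 1, as in
    zlib) of the compressed stream against c_adler and, after decompression,
    of the output against u_adler. Empty list means the data matches."""
    problems = []
    if len(compressed) != h["c_len"]:
        problems.append("c_len mismatch")
    if zlib.adler32(compressed) != h["c_adler"]:
        problems.append("c_adler mismatch")
    if uncompressed is not None:
        if len(uncompressed) != h["u_len"]:
            problems.append("u_len mismatch")
        if zlib.adler32(uncompressed) != h["u_adler"]:
            problems.append("u_adler mismatch")
    return problems


def build_header(uncompressed: bytes, compressed: bytes,
                 fmt: int = 36, method: int = 2, level: int = 9) -> bytes:
    """Build a consistent header for test data (fixture only). The format
    and method ids are assumed values, not checked against any UPX release."""
    body = struct.pack(HEADER_FMT[:-1], UPX_MAGIC, 13, fmt, method, level,
                       zlib.adler32(uncompressed), zlib.adler32(compressed),
                       len(uncompressed), len(compressed), len(uncompressed),
                       0, 0, 0)
    return body + bytes([header_checksum(body + b"\0")])


def demo() -> dict:
    """Constructed sample: an intact header, then the two ways a file fails.
    The 'compressed' bytes are a stand-in; real NRV/LZMA streams are not
    reproduced here."""
    uncompressed = b"MZ" + bytes(range(256)) * 4                 # constructed image
    compressed = bytes(b ^ 0x5A for b in uncompressed[:300])     # constructed stream
    hdr = build_header(uncompressed, compressed)
    blob = b"\0" * 64 + compressed + b"\x90" * 16 + hdr          # constructed layout
    intact = find_headers(blob)[0]

    # 1) a header field (the level byte) edited without redoing the checksum byte
    bad_hdr = bytearray(hdr)
    bad_hdr[7] ^= 0x01
    # 2) one byte of the compressed stream edited while the header is left alone
    bad_stream = bytearray(compressed)
    bad_stream[100] ^= 0x01

    return {
        "intact_ok": intact["header_checksum_ok"]
                     and not verify_data(intact, compressed, uncompressed),
        "header_corrupted": not parse_header(bytes(bad_hdr))["header_checksum_ok"],
        "checksum_error": verify_data(intact, bytes(bad_stream)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against a real sample, run find_headers() over the whole file and check header_checksum_ok for every hit; to run verify_data() you must also locate the compressed stream yourself (for a stock UPX-packed PE that is the raw data of the UPX1 section, an assumption to confirm per file). The pack header exists for the unpacker tool; the runtime stub carries its own parameters, so a header or stream that has been deliberately mangled still runs, which is why a mismatch here points to tracing the stub to the original entry point rather than to any fix of the header.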