>From: insecure <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Date: Fri, 25 Jun 2004 12:36:41 -0500
...
>Berbew/Webber/Padodor Trojan, according to Lurhq.
>
>http://www.lurhq.com/berbew.html
This web page mentions:

    content:"id=crutop|26|vvpupkin0="

The upload is in an encoded format that consists of records that specify a machine name, a user name, and a web site that includes an HTML form. For example, if the machine name were BINDVIEW-LAB-17, the user name were labuser, and the form were on http://www.example.com/, then the uploaded data would be sent via HTTP POST, and consist of:

    id=crutop&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs&vvpupkin1=asadaeafbeabanbdaqataeacauad&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn

The POST data is sent to one of the web sites specified in
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

The data can be decoded with the following perl script:

    #!/usr/bin/perl
    # Decode a Berbew upload: each vvpupkinN value is a string of letter
    # pairs, where each pair encodes one byte as a base-26 number
    # (26 * first + second) that has been XORed with 113.
    use strict;
    use warnings;
    use bytes;

    my $line = <STDIN>;
    chomp($line);
    my @r = split /\&/, $line;            # split the POST body into name=value fields
    for (my $i = 0; $i <= $#r; ++$i) {
        next if ($r[$i] !~ /^vvpupkin/);  # only the vvpupkinN fields are encoded
        my @p = split /=/, $r[$i];
        for (my $j = 0; $j < length($p[1]) / 2; ++$j) {
            my $c1 = substr($p[1], 2 * $j, 1);        # first letter of the pair
            my $c2 = substr($p[1], (2 * $j) + 1, 1);  # second letter of the pair
            my $o1 = ord($c1) - ord("a");
            my $o2 = ord($c2) - ord("a");
            print chr(((26 * $o1) + $o2) ^ 113);
        }
        print "\n";
    }

The output of the perl script is:

    crutop|BINDVIEW-LAB-17
    crutop|labuser
    crutop|http://www.example.com/ FORM_0

Matt Power
BindView Corporation, RAZOR Team
[EMAIL PROTECTED]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
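The same decoding in Python, as an added example that is not part of Matt Power's post: it parses a captured POST body, rejects a field that is not a well-formed run of a-z letter pairs before decoding it, and applies the content match quoted above. The sample body is the one from the post; the function names are this example's own.

```python
import re
from urllib.parse import parse_qsl

# Each vvpupkinN value is a run of lowercase letter pairs; a pair is a
# base-26 number (26 * first + second) XORed with 113, one byte per pair.
PAIR_RE = re.compile(r"^(?:[a-z]{2})+$")
XOR_KEY = 113


def decode_field(value: str) -> str:
    """Decode one vvpupkinN value; raise ValueError if it is malformed."""
    if not PAIR_RE.match(value):
        raise ValueError("expected an even-length run of a-z letters")
    out = []
    for hi, lo in zip(value[0::2], value[1::2]):
        n = 26 * (ord(hi) - ord("a")) + (ord(lo) - ord("a"))
        out.append(chr(n ^ XOR_KEY))
    return "".join(out)


def decode_post(body: str) -> dict:
    """Parse a POST body and decode vvpupkin0, vvpupkin1, ... in order."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    records = []
    idx = 0
    while f"vvpupkin{idx}" in fields:
        records.append(decode_field(fields[f"vvpupkin{idx}"]))
        idx += 1
    return {"id": fields.get("id"), "records": records}


def looks_like_berbew_upload(body: str) -> bool:
    """The content match from the post: 'id=crutop' followed by '&vvpupkin0='."""
    return "id=crutop&vvpupkin0=" in body


# The example POST body given in the post (machine BINDVIEW-LAB-17, user labuser).
SAMPLE_BODY = (
    "id=crutop&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs"
    "&vvpupkin1=asadaeafbeabanbdaqataeacauad"
    "&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn"
)

if __name__ == "__main__":
    if looks_like_berbew_upload(SAMPLE_BODY):
        for rec in decode_post(SAMPLE_BODY)["records"]:
            print(rec)
```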
