
Swedish-language spam... (Long post)


Marcus Strömberg

Aug 30, 2006, 6:07:43 PM

A "Frida Gillberg" has sent me an e-mail about "Räkningen" ("The Bill") both today and yesterday. In the first one the dots and rings sat over the right vowels; in the second they were missing entirely.

"Frida" attached a zip file to the mail both times. It turned out to contain a single exe file for Windows systems:

Rakningen.exe: PE executable for MS Windows (GUI) Intel 80386 32-bit
Rakningen.zip: Zip archive data, at least v2.0 to extract

The executable is 87 kB in size.

I got a bit curious about what kind of trojan "Frida" was trying to foist on unsuspecting Windows users. So I ran the command "strings" (which pulls the ASCII characters out of a [compiled] binary) on the file. It turned out there was quite a lot of text in it. Can the purpose of "Räkningen" be read out of the information below?

******************

search bar
12:37:14
c:\text.tst
c:\clearsdingdrfive
c:\wop.rep
c:\z.www
No installer*.exe found! exiting...
ERROR_IN_PARAMS_ID
:*:Enabled:
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Another Files - Another file is intended for automatic download pictures and other file attachments from newsgroups. Just select the groups to scan and Another File does the rest. And it saves your bandwidth by remember
Please note that the A-Prompt program itself is very intuitive and includes extensive help files to guide users step-by-step through each repair. To access a help files while you are using the program, select the 'Help' button on the lower left or use 'alt + h' on your keyboard.
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\
Enable Browser Extensions
Main
Internet Explorer
Microsoft
Software
ThreadingModel
apartment
\InprocServer32
CLSID\
AppID\\
z{73364D99-1240-4dff-B11A-67E448373048}
{78364D99-A640-4ddf-B91A-67EFF8373045}
{78364D99-A240-4dff-B11A-67E448373045}
When all potential problems have been resolved, the repaired HTML code is inserted into the document and a new version of the file may be saved to the author's hard drive. After a web page has been checked and repaired by A-Prompt it will be given a WAI Conformance ranking
The tool may be customized to check for different conformance levels, based on the Web Accessibility Initiative (WAI) Web Content Accessibility Guidelines 1.0. If an accessibility problem is detected, A-Prompt displays the necessary dialogs and guides the user to fix the problem. Many repetitive tasks are automated, such as the addition of ALT-text or the replacement of server-side image maps with client-side image maps.
cmpid
worg
forwas
wspopp
A-Prompt allows the author to select a file or for validation and repair, or select a single HTML element within a file
RT_DLL
\ipv6mons.dll
net_insll
SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load
By taking this approach, A-Prompt helps Web authors to include HTML features which widen the range of users who can access their website. As well as providing better access for people with disabilities, the resulting Web pages are generally improved for all people and in a larger variety of circumstances. For example, the inclusion of text alternatives for all images makes it possible to understand Web pages in a low-bandwidth text-only situation.
C:\Program Files\Internet Explorer\IEXPLORE.EXE
Can anyone recommend an able,'ethical' organisation/individual who provides a service to try and crack a unix/linux firewall, and report to us on their The first English groups were Yak Society, who cracked almost every Elite game (remember Frank Bruno's Boxing) and
A-Prompt (Accessibility Prompt) is a software tool designed to help Web authors improve the usability of Web pages created in HTML format. A-Prompt first evaluates an HTML Web page to identify barriers to accessibility by people with disabilities. A-Prompt then provides the Web author with a fast and easy way to make the necessary repairs. The tool's evaluation and repair checklist is based on accessibility guidelines created and maintained by the Web Accessibility Initiative of the World Wide Web Consortium.
[about 80 lines of opcode fragments from the packed section, nothing readable]
MFC42.DLL
__CxxFrameHandler
_mbscmp
strcmp
rand
time
_ftol
memcpy
strcpy
memset
MSVCRT.dll
__dllonexit
_onexit
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
Sleep
DeleteFileA
CopyFileA
GetUserDefaultLangID
GetSystemDirectoryA
GetModuleFileNameA
LoadResource
SizeofResource
FindResourceA
lstrlenA
GetWindowsDirectoryA
ResumeThread
CreateThread
GetModuleHandleA
GetStartupInfoA
KERNEL32.dll
GetParent
PostMessageA
IsWindow
USER32.dll
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueA
ADVAPI32.dll
StringFromGUID2
CoCreateGuid
ole32.dll
SHDeleteKeyA
SHLWAPI.dll
_setmbcp
!This program cannot be run in DOS mode.
ztj!qt7
%~t6
%qt2
#~t5
ztRich4
UPX0
UPX1
.rsrc
1.25
UPX!
[about 950 lines of compressed-section residue; the only legible fragments are: "nother Files -", "intended", "automati", "c downloa", "0123456789ABCDEF3", ":37:05", ".c:\t", "POST", "HTML", ";t|404 N", "ISAPI", "SKIPPED", "%.2f", "%SYSTEMROOT%", "|GRAM", "LES%", "TWARE", "=FORM", "RO32.DLL", "MulDiv", "Library", "ToWideChas", "_Cxx", ".rsrcB6"]
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<noInherit/>
<assemblyIdentity
processorArchitecture="*"
type="win32"
name="MyOfficeNetAddin"
version="1.0.0.0"/>
<description>My Office Addin built with .Net</description>
<dependency optional="yes">
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.1.0"
publicKeyToken="6595b64144ccf1df"
language="*"
processorArchitecture="*"/>
</dependentAssembly>
</dependency>
</assembly>
KERNEL32.DLL
ADVAPI32.dll
CRYPT32.dll
GDI32.dll
MFC42.DLL
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
RegCloseKey
CertCloseStore
BitBlt
atoi
CoInitialize
ShellExecuteA
SHDeleteKeyA
GetDC
FtpOpenFileA
agent_dq.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer

--

Marcus

m9...@abc.se
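As an added example (not code from the original post, nor from any AV vendor), here is the kind of triage script one would run over a dump like the one above to answer the question Marcus asks: it groups the legible strings by what they imply (packer markers, the firewall exception registry path, BHO/COM registration, an autostart value, dropped file names, imported APIs) and files the long English sentences as filler. The sample input is a constructed excerpt of the strings posted above; the rule names, the patterns and their interpretations are my own, not anything the post or the sample states.

```python
"""Triage of a `strings` dump from a suspicious Windows executable.

Added example written for this thread, not code from the original post.
SAMPLE_DUMP is a constructed excerpt of the dump posted for Rakningen.exe;
the rule names and their interpretations are the author's own labels.
"""
import re
from collections import defaultdict

# Constructed excerpt of the strings output (see the post above).
SAMPLE_DUMP = """\
c:\\wop.rep
:*:Enabled:
System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\browser helper obJects\\
{78364D99-A240-4dff-B11A-67E448373045}
\\InprocServer32
\\ipv6mons.dll
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\load
C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
RegSetValueExA
CreateThread
DeleteFileA
FtpOpenFileA
UPX0
UPX1
UPX!
A-Prompt (Accessibility Prompt) is a software tool designed to help Web authors improve the usability of Web pages created in HTML format.
DllRegisterServer
"""

# (category, pattern, what a hit tells the analyst). First matching rule wins.
RULES = [
    ("packer", re.compile(r"^UPX[01!]$"),
     "UPX sections/marker: the code is compressed, so most strings are hidden from `strings`"),
    ("firewall_bypass",
     re.compile(r"FirewallPolicy\\StandardProfile\\AuthorizedApplications|^:\*:Enabled:$"),
     "XP SP2 firewall exception list; ':*:Enabled:' is the value format <path>:*:Enabled:<name>"),
    ("bho_persistence",
     re.compile(r"browser helper objects|\\InprocServer32$|^\{[0-9A-Fa-f-]{36}\}$", re.I),
     "COM/BHO registration: a DLL that Internet Explorer loads into every instance"),
    ("autorun_value", re.compile(r"\\load$", re.I),
     "'load' value: a classic autostart location (programs named there run at logon)"),
    ("file_path", re.compile(r"^(\\|[A-Za-z]:\\).+\.(dll|exe|rep|www|tst)$", re.I),
     "file the sample drops, reads or references"),
    ("registry_api", re.compile(r"^Reg(Set|Create|Delete)\w*A$"),
     "registry write/delete API imported"),
    ("file_api", re.compile(r"^(CopyFile|DeleteFile|CreateFile|WriteFile)A?$"),
     "file copy/delete API imported (dropper or self-cleanup)"),
    ("network_api", re.compile(r"^(Ftp\w+A|Internet\w+A|WSA\w+|send|recv)$"),
     "network API imported"),
    ("com_export", re.compile(r"^Dll(RegisterServer|GetClassObject|CanUnloadNow)$"),
     "exports of an embedded COM server DLL"),
]
MIN_WORDS_FOR_FILLER = 10  # a full English sentence has no business in an 87 kB trojan


def triage(dump: str) -> dict:
    """Group every line of a strings dump under the first rule it matches.

    Long natural-language lines are filed as decoy text before any rule runs:
    filler is padding, not behaviour, and should not pollute the categories.
    """
    hits = defaultdict(list)
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if len(line.split()) >= MIN_WORDS_FOR_FILLER:
            hits["decoy_text"].append(line[:60] + "...")
            continue
        for category, pattern, _ in RULES:
            if pattern.search(line):
                hits[category].append(line)
                break
    return dict(hits)


def verdict(hits: dict) -> list:
    """One line per category hit, in the order a reviewer would read them."""
    lines = [f"{cat}: {meaning} [{len(hits[cat])} string(s)]"
             for cat, _, meaning in RULES if cat in hits]
    if "decoy_text" in hits:
        lines.append("decoy_text: unrelated product-description text that the "
                     "program has no use for; treat it as padding")
    return lines


if __name__ == "__main__":
    for line in verdict(triage(SAMPLE_DUMP)):
        print(line)
```

Run it as is to print the verdict for the excerpt, or feed it a whole dump with `triage(open("dump.txt").read())`. The packer hit is the one that matters most for reading the rest: a UPX-packed binary only shows what the packer left uncompressed, so the sensible next step is `upx -d` on a copy and a second `strings` run before drawing conclusions from the imports.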

Daniel Berglund

Aug 31, 2006, 1:59:19 PM
Marcus Strömberg wrote:
> A "Frida Gillberg" has sent me an e-mail about "Räkningen" ("The Bill")
> both today and yesterday. In the first one the dots and rings sat over
> the right vowels; in the second they were missing entirely.

http://www.f-secure.com/v-descs/haxdoor_ki.shtml

It seems to come in a couple of different variants. I got one the day before
yesterday that F-Secure did not detect.


--
Daniel Berglund
* Brussels sprouts are evil *

Marcus Strömberg

Aug 31, 2006, 6:51:28 PM

On Thu, 31 Aug 2006 17:59:19 +0000, Daniel Berglund wrote:

> It seems to come in a couple of different variants. I got one the day before
> yesterday that F-Secure did not detect.

Quite a lot of functionality the programmer managed to squeeze into an
exe file no bigger than 87 kB! Say what you like about the creators of
trojans, but their creations are at least not bloatware...


--

Marcus

m9...@abc.se

torbjorn.ekstrom

Sep 1, 2006, 7:55:59 AM
Marcus Strömberg wrote:

bah, the ABC80 had a whole BASIC interpreter with an editor (well...) and
precompilation in 16 kB, mince (a stripped-down Emacs clone) came in under
32 kB on CP/M, and they managed entirely on their own without using the code
and resources of any heavyweight OS environment (they essentially were the OS
environment themselves), which I guess the virus above exploits to perfection.
;-) :-)


Judging by what came out of strings, there was quite a bit left to clean up
if one really wanted to squeeze the code down.
