[Dshield] suspiroamor.land.ru trojan
Bijendra Singh
bijendra at gmail.com
Sun Nov 25 21:38:34 GMT 2007
Yahoo email scanner says that zip file contains Downloader.Brancos virus.
Virus "Downloader.Bancos" found
-Bijendra
On Nov 24, 2007 10:17 PM, jayjwa <jayjwa at atr2.ath.cx> wrote:
>
>
> (Possibly) new trojans. These came from a link spammed out in email
> that ended up in my Hotmail inbox. The files are win32 PE's, with some
> interesting strings embedded in them. One of the files appears to be a
> server of some sort with smtp ability. There's also a lot of calls to
> graphics routines, so maybe one of the files is a client or user
> interface of some type. Written in Delphi, downloaded from
> suspiroamor.land.ru, root directory.
>
> amor.com: The only file linked in the email. Probably downloads/exec others.
>
> Interesting strings:
>
> taskkill -f /im gbpsv.exe
> C:\Arquivos de programas\GbPlugin\gbieh.dll
> C:\Arquivos de programas\GbPlugin\gbieh.gmd
> C:\windows\Crime.exe
> C:\WINDOWS\system32\WormList.exe
> URLDownloadToFileA
> shell32.dll
> ShellExecuteA
>
> derby.com: Referenced in the above file.
>
> javas.com: Same. Contains an email template, lots of calls to Winsock.
>
> Interesting hardcoded strings:
>
> msnlist.txt
> dadospen at gmail.com
> Lista MSN (
> gsmtp185.google.com
>
> hsResolving
> hsConnecting
> hsConnected
> hsDisconnecting
> hsDisconnected
> hsStatusText
> ftpTransfer
> ftpReady
> ftpAborted
> IdComponent
> TIdStatusEvent
> ASender
>
> Indy 9.00.10
> X-Library
>
> * About to connect() to suspiroamor.land.ru port 80 (#0)
> * Trying 82.204.219.223... connected
> * Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
> > GET /javas.com HTTP/1.1
> > User-Agent: from Russia with love?
> > Host: suspiroamor.land.ru
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Server: nginx/0.5.31
> < Date: Sun, 25 Nov 2007 03:09:45 GMT
> < Content-Type: application/octet-stream
> < Content-Length: 523264
> < Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
> < Connection: keep-alive
> < Accept-Ranges: bytes
> <
> { [data not shown]
>
>
> The signature/data files are a bit old (Nov. 9) but F-prot had this to say:
>
> amor.com Infection: Possibly a new variant of W32/NewMalware-LSU-based!Maximus
>
> Available as downloaded above, or local copies together in a zip for
> anyone that wants to look at them:
>
> https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip
>
> Useful tool to examine binaries:
> http://hte.sourceforge.net/
>
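The post's triage method is essentially "dump the printable strings from the PE and look for capability hints" (download-and-execute APIs, the taskkill of the GbPlugin banking-protection service, Indy SMTP status names). As an added example that is not part of the thread, here is a small Python script that does that step on a blob: it extracts printable-ASCII runs the way the Unix `strings` tool does and buckets them by indicator category. The indicator needles are the strings quoted above; the category names are my own triage labels, and `SAMPLE` is a constructed byte string built from those quoted strings, not one of the real files.

```python
import re
import sys
from typing import Dict, List

# Minimum run length, the same default the Unix `strings` tool uses.
MIN_LEN = 4


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least min_len printable-ASCII bytes, in file order.

    Only 0x20-0x7e count as printable, so NUL, 0x7f and high bytes end a run.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


# Indicator table: category -> substrings (matched case-insensitively).
# Needles come from the strings reported in the post; the category names
# are my own triage labels, not anything the post or an AV product uses.
INDICATORS: Dict[str, List[str]] = {
    # Win32 APIs typical of a downloader stub: fetch a file, then run it.
    "download-and-execute": ["URLDownloadToFileA", "ShellExecuteA"],
    # Killing gbpsv.exe / touching GbPlugin files: GbPlugin is a banking
    # browser-protection plugin, so this points at banker-style tampering.
    "security-software-tampering": ["taskkill", "GbPlugin", "gbieh"],
    # Indy (Delphi network library) status names plus a Google SMTP host.
    "mail-capable": ["Indy ", "IdComponent", "hsConnect", "gsmtp"],
    # Hardcoded drop locations under the Windows directory.
    "dropped-paths": ["C:\\windows\\"],
}


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Map each indicator category to the distinct strings that triggered it."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(blob):
        low = s.lower()
        for category, needles in INDICATORS.items():
            if any(n.lower() in low for n in needles):
                bucket = hits.setdefault(category, [])
                if s not in bucket:
                    bucket.append(s)
    return hits


def is_pe(blob: bytes) -> bool:
    """True if the blob starts with the DOS 'MZ' magic every Win32 PE carries."""
    return blob[:2] == b"MZ"


# Constructed sample: a fake MZ header, some non-printable filler, and the
# strings the post quotes. It is not one of the real files.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    + b"\x00\xff\x80\x7f"
    + b"taskkill -f /im gbpsv.exe\x00"
    + b"C:\\Arquivos de programas\\GbPlugin\\gbieh.dll\x00"
    + b"C:\\windows\\Crime.exe\x00"
    + b"\x01\x02\x03"
    + b"URLDownloadToFileA\x00shell32.dll\x00ShellExecuteA\x00"
    + b"Indy 9.00.10\x00gsmtp185.google.com\x00hsConnected\x00"
    + b"ab\x00"  # shorter than MIN_LEN, so never reported
)

if __name__ == "__main__":
    # Pass a file path to triage a real sample; with no argument the
    # constructed SAMPLE is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("PE header:", "yes" if is_pe(data) else "no")
    for category, strings in triage(data).items():
        print(f"[{category}]")
        for s in strings:
            print("   ", s)
```

Run it against a suspect file with `python triage.py sample.bin`; the output is only a hint list, so a hit on "mail-capable" means the Indy library is linked in, not that the binary actually sends mail, and a clean run says nothing about packed or obfuscated strings.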