[Dshield] list Digest, Vol 59, Issue 11

peggy kannaday pkannaday at gmail.com
Mon Nov 26 20:59:43 GMT 2007


Dear Friends,

I have indigenous hackers on my computer.  Could you look at the attached
file?

I know that you may never receive it, and I also know that any answer that I
receive may be a counterfeit, but c'est la vie.

Thank you if you get this e-mail.

Peggy

On Nov 26, 2007 7:00 AM, <list-request at lists.dshield.org> wrote:

> Send list mailing list submissions to
>        list at lists.dshield.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.sans.org/mailman/listinfo/list
> or, via email, send a message with subject or body 'help' to
>        list-request at lists.dshield.org
>
> You can reach the person managing the list at
>        list-owner at lists.dshield.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of list digest..."
>
> Today's Topics:
>
>   1. Re: suspiroamor.land.ru trojan (Bijendra Singh)
>   2. Re: suspiroamor.land.ru trojan (Tony Earnshaw)
>   3. Re: suspiroamor.land.ru trojan (Stasiniewicz, Adam)
>
>
> ---------- Forwarded message ----------
> From: "Bijendra Singh" <bijendra at gmail.com>
> To: "General DShield Discussion List" <list at lists.dshield.org>
> Date: Sun, 25 Nov 2007 15:38:34 -0600
> Subject: Re: [Dshield] suspiroamor.land.ru trojan
> Yahoo email scanner says that zip file contains Downloader.Brancos virus.
>
>
> Virus "Downloader.Bancos" found
>
>
> -Bijendra
>
> On Nov 24, 2007 10:17 PM, jayjwa <jayjwa at atr2.ath.cx> wrote:
> >
> >
> > (Possibly) new trojans. These came from a link spammed out in email
> > that ended up in my Hotmail inbox. The files are win32 PE's, with some
> > interesting strings embedded in them. One of the files appears to be a
> > server of some sort with smtp ability. There's also a lot of calls to
> > graphics routines, so maybe one of the files is a client or user
> > interface of some type. Written in Delphi, downloaded from
> > suspiroamor.land.ru, root directory.
> >
> > amor.com: The only file linked in the email. Probably downloads/exec others.
> >
> > Interesting strings:
> >
> >            taskkill -f /im gbpsv.exe
> >            C:\Arquivos de programas\GbPlugin\gbieh.dll
> >            C:\Arquivos de programas\GbPlugin\gbieh.gmd
> >            C:\windows\Crime.exe
> >            C:\WINDOWS\system32\WormList.exe
> >            URLDownloadToFileA
> >            shell32.dll
> >            ShellExecuteA
> >
> > derby.com: Referenced in the above file.
> >
> > javas.com: Same. Contains an email template, lots of calls to Winsock.
> >
> > Interesting hardcoded strings:
> >
> >           msnlist.txt
> >           dadospen at gmail.com
> >           Lista MSN (
> >           gsmtp185.google.com
> >
> >           hsResolving
> >           hsConnecting
> >           hsConnected
> >           hsDisconnecting
> >           hsDisconnected
> >           hsStatusText
> >           ftpTransfer
> >           ftpReady
> >           ftpAborted
> >           IdComponent
> >           TIdStatusEvent
> >           ASender
> >
> >           Indy 9.00.10
> >           X-Library
> >
> > * About to connect() to suspiroamor.land.ru port 80 (#0)
> > *   Trying 82.204.219.223... connected
> > * Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
> > > GET /javas.com HTTP/1.1
> > > User-Agent: from Russia with love?
> > > Host: suspiroamor.land.ru
> > > Accept: */*
> > >
> > < HTTP/1.1 200 OK
> > < Server: nginx/0.5.31
> > < Date: Sun, 25 Nov 2007 03:09:45 GMT
> > < Content-Type: application/octet-stream
> > < Content-Length: 523264
> > < Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
> > < Connection: keep-alive
> > < Accept-Ranges: bytes
> > <
> > { [data not shown]
> >
> >
> > The signature/data files are a bit old (Nov. 9) but F-prot had this to say:
> >
> > amor.com  Infection: Possibly a new variant of W32/NewMalware-LSU-based!Maximus
> >
> > Available as downloaded above, or local copies together in a zip for
> > anyone that wants to look at them:
> >
> >
> https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip
> >
> > Useful tool to examine binaries:
> > http://hte.sourceforge.net/
> >
> > _________________________________________
> > SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
> > SANS top instructors.  http://www.sans.org/info/9346
> >
>
>
>
> ---------- Forwarded message ----------
> From: Tony Earnshaw <tonni at hetnet.nl>
> To: General DShield Discussion List <list at lists.dshield.org>
> Date: Sun, 25 Nov 2007 22:58:45 +0100
> Subject: Re: [Dshield] suspiroamor.land.ru trojan
> Bijendra Singh skrev, on 25-11-2007 22:38:
>
> > Yahoo email scanner says that zip file contains Downloader.Brancos virus.
> > Virus "Downloader.Bancos" found
>
> And Bit Defender (BDC) under amavisd-new on Postfix 2.4.6 that unpacks
> it two trojans, Trojan.Spy.Delf.SI, Trojan.Downloader.Delf.OBN.
>
> Clamscan/clamd under amavisd-new didn't find anything, I submitted it to
> the ClamAV site.
>
> --Tonni
>
> --
> Tony Earnshaw
> Email: tonni at hetnet dot nl
>
>
>
> ---------- Forwarded message ----------
> From: "Stasiniewicz, Adam" <stasinia at msoe.edu>
> To: "'General DShield Discussion List'" <list at lists.dshield.org>
> Date: Sun, 25 Nov 2007 16:54:35 -0600
> Subject: Re: [Dshield] suspiroamor.land.ru trojan
> Whenever I come across a suspicious file I upload it to www.virustotal.com.
> In addition to running the file against basically every major AV, they will
> also submit the file to every AV vendor that did not get a hit on the
> file.
> Here are the results (as of a few minutes ago):
>
>
>
> AhnLab-V3 2007.11.24.0 2007.11.23 -
> AntiVir 7.6.0.34 2007.11.25 TR/PSW.Delf.KI.152
> Authentium 4.93.8 2007.11.24 Possibly a new variant of W32/NewMalware-LSU-based!Maximus
> Avast 4.7.1074.0 2007.11.25 -
> AVG 7.5.0.503 2007.11.25 PSW.Generic5.YJD
> BitDefender 7.2 2007.11.25 Trojan.Spy.Delf.SI
> CAT-QuickHeal 9.00 2007.11.24 -
> ClamAV 0.91.2 2007.11.25 -
> DrWeb 4.44.0.09170 2007.11.25 -
> eSafe 7.0.15.0 2007.11.21 -
> eTrust-Vet 31.3.5324 2007.11.24 -
> Ewido 4.0 2007.11.25 -
> FileAdvisor 1 2007.11.25 -
> Fortinet 3.14.0.0 2007.11.25 Spy/Banker
> F-Prot 4.4.2.54 2007.11.25 W32/NewMalware-LSU-based!Maximus
> F-Secure 6.70.13030.0 2007.11.25 Trojan-PSW.Win32.Delf.ki
> Ikarus T3.1.1.12 2007.11.25 Trojan-Spy.Banker.5858
> Kaspersky 7.0.0.125 2007.11.25 Trojan-PSW.Win32.Delf.ki
> McAfee 5170 2007.11.23 PWS-Banker.gen.i
> Microsoft 1.3007 2007.11.25 PWS:Win32/Delf.KI
> NOD32v2 2684 2007.11.25 a variant of Win32/TrojanDownloader.Dadobra.IA
> Norman 5.80.02 2007.11.23 W32/Downloader
> Panda 9.0.0.4 2007.11.25 Suspicious file
> Prevx1 V2 2007.11.25 SPYWARE.DELF.SI
> Rising 20.19.61.00 2007.11.25 Trojan.Spy.Win32.Delf.vu
> Sophos 4.23.0 2007.11.25 Mal/DelpDldr-C
> Sunbelt 2.2.907.0 2007.11.24 -
> Symantec 10 2007.11.25 Downloader.Bancos
> TheHacker 6.2.9.141 2007.11.24 -
> VBA32 3.12.2.5 2007.11.23 Trojan.PWS.Banker.10307
> VirusBuster 4.3.26:9 2007.11.25 -
> Webwasher-Gateway 6.0.1 2007.11.25 Trojan.PSW.Delf.KI.152
>
>
> Regards,
> Adam Stasiniewicz
>
>
> _______________________________________________
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
> taught by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log file.TXT
Url: http://lists.sans.org/pipermail/list/attachments/20071126/2df36edb/attachment.bat 

