[Dshield] Ad-Aware Log
CunningPike
cunningpike at gmail.com
Tue Nov 27 04:21:12 GMT 2007
What is your question?
CP
peggy kannaday wrote:
> Dear Friends,
>
> I have indigenous hackers on my computer. Could you look at the attached
> file?
>
> I know that you may never receive it, and I also know that any answer that I
> receive may be a counterfeit, but c'est la vie.
>
> Thank you if you get this e-mail.
>
> Peggy
>
> On Nov 26, 2007 7:00 AM, <list-request at lists.dshield.org> wrote:
>
>> Send list mailing list submissions to
>> list at lists.dshield.org
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> https://lists.sans.org/mailman/listinfo/list
>> or, via email, send a message with subject or body 'help' to
>> list-request at lists.dshield.org
>>
>> You can reach the person managing the list at
>> list-owner at lists.dshield.org
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of list digest..."
>>
>> Today's Topics:
>>
>> 1. Re: suspiroamor.land.ru trojan (Bijendra Singh)
>> 2. Re: suspiroamor.land.ru trojan (Tony Earnshaw)
>> 3. Re: suspiroamor.land.ru trojan (Stasiniewicz, Adam)
>>
>>
>> ---------- Forwarded message ----------
>> From: "Bijendra Singh" <bijendra at gmail.com>
>> To: "General DShield Discussion List" <list at lists.dshield.org>
>> Date: Sun, 25 Nov 2007 15:38:34 -0600
>> Subject: Re: [Dshield] suspiroamor.land.ru trojan
>> Yahoo email scanner says that zip file contains Downloader.Brancos virus.
>>
>>
>> Virus "Downloader.Bancos" found
>>
>>
>> -Bijendra
>>
>> On Nov 24, 2007 10:17 PM, jayjwa <jayjwa at atr2.ath.cx> wrote:
>>>
>>> (Possibly) new trojans. These came from a link spammed out in email
>>> that ended up in my Hotmail inbox. The files are win32 PE's, with some
>>> interesting strings embedded in them. One of the files appears to be a
>>> server of some sort with smtp ability. There are also a lot of calls to
>>> graphics routines, so maybe one of the files is a client or user
>>> interface of some type. Written in Delphi, downloaded from
>>> suspiroamor.land.ru, root directory.
>>>
>>> amor.com: The only file linked in the email. Probably downloads/exec others.
>>> Interesting strings:
>>>
>>> taskkill -f /im gbpsv.exe
>>> C:\Arquivos de programas\GbPlugin\gbieh.dll
>>> C:\Arquivos de programas\GbPlugin\gbieh.gmd
>>> C:\windows\Crime.exe
>>> C:\WINDOWS\system32\WormList.exe
>>> URLDownloadToFileA
>>> shell32.dll
>>> ShellExecuteA
>>>
>>> derby.com: Referenced in the above file.
>>>
>>> javas.com: Same. Contains an email template, lots of calls to Winsock.
>>>
>>> Interesting hardcoded strings:
>>>
>>> msnlist.txt
>>> dadospen at gmail.com
>>> Lista MSN (
>>> gsmtp185.google.com
>>>
>>> hsResolving
>>> hsConnecting
>>> hsConnected
>>> hsDisconnecting
>>> hsDisconnected
>>> hsStatusText
>>> ftpTransfer
>>> ftpReady
>>> ftpAborted
>>> IdComponent
>>> TIdStatusEvent
>>> ASender
>>>
>>> Indy 9.00.10
>>> X-Library
>>>
>>> * About to connect() to suspiroamor.land.ru port 80 (#0)
>>> * Trying 82.204.219.223... connected
>>> * Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
>>>> GET /javas.com HTTP/1.1
>>>> User-Agent: from Russia with love?
>>>> Host: suspiroamor.land.ru
>>>> Accept: */*
>>>>
>>> < HTTP/1.1 200 OK
>>> < Server: nginx/0.5.31
>>> < Date: Sun, 25 Nov 2007 03:09:45 GMT
>>> < Content-Type: application/octet-stream
>>> < Content-Length: 523264
>>> < Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
>>> < Connection: keep-alive
>>> < Accept-Ranges: bytes
>>> <
>>> { [data not shown]
>>>
>>>
>>> The signature/data files are a bit old (Nov. 9) but F-prot had this to say:
>>> amor.com Infection: Possibly a new variant of W32/NewMalware-LSU-based!Maximus
>>> Available as downloaded above, or local copies together in a zip for
>>> anyone that wants to look at them:
>>>
>>>
>>> https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip
>>> Useful tool to examine binaries:
>>> http://hte.sourceforge.net/
>>>
>>> _________________________________________
>>> SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
>>> SANS top instructors. http://www.sans.org/info/9346
>>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Tony Earnshaw <tonni at hetnet.nl>
>> To: General DShield Discussion List <list at lists.dshield.org>
>> Date: Sun, 25 Nov 2007 22:58:45 +0100
>> Subject: Re: [Dshield] suspiroamor.land.ru trojan
>> Bijendra Singh wrote, on 25-11-2007 22:38:
>>
>>> Yahoo email scanner says that zip file contains Downloader.Brancos virus.
>>> Virus "Downloader.Bancos" found
>> And Bit Defender (BDC) under amavisd-new on Postfix 2.4.6, which unpacks
>> it, finds two trojans: Trojan.Spy.Delf.SI, Trojan.Downloader.Delf.OBN.
>>
>> Clamscan/clamd under amavisd-new didn't find anything, I submitted it to
>> the ClamAV site.
>>
>> --Tonni
>>
>> --
>> Tony Earnshaw
>> Email: tonni at hetnet dot nl
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: "Stasiniewicz, Adam" <stasinia at msoe.edu>
>> To: "'General DShield Discussion List'" <list at lists.dshield.org>
>> Date: Sun, 25 Nov 2007 16:54:35 -0600
>> Subject: Re: [Dshield] suspiroamor.land.ru trojan
>> Whenever I come across a suspicious file I upload it to www.virustotal.com.
>> In addition to running the file against basically every major AV, they will
>> also submit the file to every AV vendor that did not get a hit on the
>> file.
>> Here are the results (as of a few minutes ago):
>>
>>
>>
>> AhnLab-V3 2007.11.24.0 2007.11.23 -
>> AntiVir 7.6.0.34 2007.11.25 TR/PSW.Delf.KI.152
>> Authentium 4.93.8 2007.11.24 Possibly a new variant of
>> W32/NewMalware-LSU-based!Maximus
>> Avast 4.7.1074.0 2007.11.25 -
>> AVG 7.5.0.503 2007.11.25 PSW.Generic5.YJD
>> BitDefender 7.2 2007.11.25 Trojan.Spy.Delf.SI
>> CAT-QuickHeal 9.00 2007.11.24 -
>> ClamAV 0.91.2 2007.11.25 -
>> DrWeb 4.44.0.09170 2007.11.25 -
>> eSafe 7.0.15.0 2007.11.21 -
>> eTrust-Vet 31.3.5324 2007.11.24 -
>> Ewido 4.0 2007.11.25 -
>> FileAdvisor 1 2007.11.25 -
>> Fortinet 3.14.0.0 2007.11.25 Spy/Banker
>> F-Prot 4.4.2.54 2007.11.25 W32/NewMalware-LSU-based!Maximus
>> F-Secure 6.70.13030.0 2007.11.25 Trojan-PSW.Win32.Delf.ki
>> Ikarus T3.1.1.12 2007.11.25 Trojan-Spy.Banker.5858
>> Kaspersky 7.0.0.125 2007.11.25 Trojan-PSW.Win32.Delf.ki
>> McAfee 5170 2007.11.23 PWS-Banker.gen.i
>> Microsoft 1.3007 2007.11.25 PWS:Win32/Delf.KI
>> NOD32v2 2684 2007.11.25 a variant of Win32/TrojanDownloader.Dadobra.IA
>> Norman 5.80.02 2007.11.23 W32/Downloader
>> Panda 9.0.0.4 2007.11.25 Suspicious file
>> Prevx1 V2 2007.11.25 SPYWARE.DELF.SI
>> Rising 20.19.61.00 2007.11.25 Trojan.Spy.Win32.Delf.vu
>> Sophos 4.23.0 2007.11.25 Mal/DelpDldr-C
>> Sunbelt 2.2.907.0 2007.11.24 -
>> Symantec 10 2007.11.25 Downloader.Bancos
>> TheHacker 6.2.9.141 2007.11.24 -
>> VBA32 3.12.2.5 2007.11.23 Trojan.PWS.Banker.10307
>> VirusBuster 4.3.26:9 2007.11.25 -
>> Webwasher-Gateway 6.0.1 2007.11.25 Trojan.PSW.Delf.KI.152
>>
>>
>> Regards,
>> Adam Stasiniewicz
>>
>> _______________________________________________
>> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
>> taught by our top rated instructors plus a huge vendor tools expo.
>> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
>>
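As an added example that is not part of the thread: a small parser for the VirusTotal listing Adam quoted, which re-joins verdicts that wrapped onto a second line (the Authentium entry above) and flags the "-" results from engines whose signature set predates the sample (the curl headers give Last-Modified 2007-11-23), since those misses say little about the file. The excerpt below is copied from the listing above; the record format (vendor, engine version, signature date, verdict) is inferred from it.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed excerpt of the VirusTotal lines quoted in the thread, copied as
# extracted, including the Authentium verdict that wrapped onto a second line.
SAMPLE_REPORT = """\
AhnLab-V3 2007.11.24.0 2007.11.23 -
AntiVir 7.6.0.34 2007.11.25 TR/PSW.Delf.KI.152
Authentium 4.93.8 2007.11.24 Possibly a new variant of
W32/NewMalware-LSU-based!Maximus
ClamAV 0.91.2 2007.11.25 -
eSafe 7.0.15.0 2007.11.21 -
Kaspersky 7.0.0.125 2007.11.25 Trojan-PSW.Win32.Delf.ki
Symantec 10 2007.11.25 Downloader.Bancos
"""

# vendor, engine version, signature date (YYYY.MM.DD), free-text verdict
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4})\.(\d{2})\.(\d{2})\s+(.*)$")

@dataclass
class Verdict:
    vendor: str
    engine: str
    sigs: date      # date of the signature set the engine ran with
    result: str     # "" when the engine reported "-" (no detection)

def parse_report(text: str) -> list[Verdict]:
    verdicts: list[Verdict] = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            vendor, engine, y, mo, d, result = m.groups()
            result = "" if result.strip() == "-" else result.strip()
            verdicts.append(Verdict(vendor, engine, date(int(y), int(mo), int(d)), result))
        elif verdicts:
            # Not a new record: a verdict wrapped onto the next line, so re-join it.
            verdicts[-1].result = f"{verdicts[-1].result} {line}".strip()
    return verdicts

def summarize(verdicts: list[Verdict], sample_seen_iso: str) -> dict:
    """Detection count plus the misses whose signatures predate the sample."""
    seen = date.fromisoformat(sample_seen_iso)
    hits = [v.vendor for v in verdicts if v.result]
    stale_misses = [v.vendor for v in verdicts if not v.result and v.sigs < seen]
    return {"detected": len(hits), "total": len(verdicts), "stale_misses": stale_misses}
```

Run over the full 32-line listing, the same code gives 20 detections, and only eSafe's miss comes from a signature set older than the sample.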