[Dshield] list Digest, Vol 59, Issue 11
Deb Hale
haled at pionet.net
Tue Nov 27 14:24:19 GMT 2007
Peggy, I may be missing something, but I see nothing out of the ordinary or
anything that indicates that your computer is compromised. Could you please
expand on what it is that makes you think that hackers have access to your
computer?
Deb
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of peggy kannaday
Sent: Monday, November 26, 2007 3:00 PM
To: list at lists.dshield.org
Subject: Re: [Dshield] list Digest, Vol 59, Issue 11
Dear Friends,
I have indigenous hackers on my computer. Could you look at the attached
file?
I know that you may never receive it, and I also know that any answer that I
receive may be a counterfeit, but c'est la vie.
Thank you if you get this e-mail.
Peggy
On Nov 26, 2007 7:00 AM, <list-request at lists.dshield.org> wrote:
> Send list mailing list submissions to
> list at lists.dshield.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.sans.org/mailman/listinfo/list
> or, via email, send a message with subject or body 'help' to
> list-request at lists.dshield.org
>
> You can reach the person managing the list at
> list-owner at lists.dshield.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of list digest..."
>
> Today's Topics:
>
> 1. Re: suspiroamor.land.ru trojan (Bijendra Singh)
> 2. Re: suspiroamor.land.ru trojan (Tony Earnshaw)
> 3. Re: suspiroamor.land.ru trojan (Stasiniewicz, Adam)
>
>
> ---------- Forwarded message ----------
> From: "Bijendra Singh" <bijendra at gmail.com>
> To: "General DShield Discussion List" <list at lists.dshield.org>
> Date: Sun, 25 Nov 2007 15:38:34 -0600
> Subject: Re: [Dshield] suspiroamor.land.ru trojan
>
> Yahoo email scanner says that zip file contains Downloader.Brancos virus.
>
>
> Virus "Downloader.Bancos" found
>
>
> -Bijendra
>
> On Nov 24, 2007 10:17 PM, jayjwa <jayjwa at atr2.ath.cx> wrote:
> >
> >
> > (Possibly) new trojans. These came from a link spammed out in email
> > that ended up in my Hotmail inbox. The files are win32 PE's, with
> > some interesting strings embedded in them. One of the files appears
> > to be a server of some sort with smtp ability. There's also a lot of
> > calls to graphics routines, so maybe one of the files is a client or
> > user interface of some type. Written in Delphi, downloaded from
> > suspiroamor.land.ru, root directory.
> >
> > amor.com: The only file linked in the email. Probably downloads/exec others.
> >
> > Interesting strings:
> >
> > taskkill -f /im gbpsv.exe
> > C:\Arquivos de programas\GbPlugin\gbieh.dll
> > C:\Arquivos de programas\GbPlugin\gbieh.gmd
> > C:\windows\Crime.exe
> > C:\WINDOWS\system32\WormList.exe
> > URLDownloadToFileA
> > shell32.dll
> > ShellExecuteA
> >
> > derby.com: Referenced in the above file.
> >
> > javas.com: Same. Contains an email template, lots of calls to Winsock.
> >
> > Interesting hardcoded strings:
> >
> > msnlist.txt
> > dadospen at gmail.com
> > Lista MSN (
> > gsmtp185.google.com
> >
> > hsResolving
> > hsConnecting
> > hsConnected
> > hsDisconnecting
> > hsDisconnected
> > hsStatusText
> > ftpTransfer
> > ftpReady
> > ftpAborted
> > IdComponent
> > TIdStatusEvent
> > ASender
> >
> > Indy 9.00.10
> > X-Library
> >
> > * About to connect() to suspiroamor.land.ru port 80 (#0)
> > * Trying 82.204.219.223... connected
> > * Connected to suspiroamor.land.ru (82.204.219.223) port 80 (#0)
> > > GET /javas.com HTTP/1.1
> > > User-Agent: from Russia with love?
> > > Host: suspiroamor.land.ru
> > > Accept: */*
> > >
> > < HTTP/1.1 200 OK
> > < Server: nginx/0.5.31
> > < Date: Sun, 25 Nov 2007 03:09:45 GMT
> > < Content-Type: application/octet-stream
> > < Content-Length: 523264
> > < Last-Modified: Fri, 23 Nov 2007 22:31:24 GMT
> > < Connection: keep-alive
> > < Accept-Ranges: bytes
> > <
> > { [data not shown]
> >
> >
> > The signature/data files are a bit old (Nov. 9) but F-prot had this
> > to say:
> >
> > amor.com Infection: Possibly a new variant of
> > W32/NewMalware-LSU-based!Maximus
> >
> > Available as downloaded above, or local copies together in a zip for
> > anyone that wants to look at them:
> >
> >
> > https://atr2.ath.cx/vx_lab/specimens/unidentified/suspiroamor-land-ru/suspiroamor-land-ru-trojan.zip
> >
> > Useful tool to examine binaries:
> > http://hte.sourceforge.net/
> >
> > _________________________________________
> > SANS Network Security 2007 in Las Vegas September 22-30. 39 courses,
> > SANS top instructors. http://www.sans.org/info/9346
> >
>
>
>
> ---------- Forwarded message ----------
> From: Tony Earnshaw <tonni at hetnet.nl>
> To: General DShield Discussion List <list at lists.dshield.org>
> Date: Sun, 25 Nov 2007 22:58:45 +0100
> Subject: Re: [Dshield] suspiroamor.land.ru trojan
>
> Bijendra Singh wrote, on 25-11-2007 22:38:
>
> > Yahoo email scanner says that zip file contains Downloader.Brancosvirus.
> > Virus "Downloader.Bancos" found
>
> And Bit Defender (BDC) under amavisd-new on Postfix 2.4.6, which unpacks
> it, finds two trojans, Trojan.Spy.Delf.SI and Trojan.Downloader.Delf.OBN.
>
> Clamscan/clamd under amavisd-new didn't find anything, I submitted it
> to the ClamAV site.
>
> --Tonni
>
> --
> Tony Earnshaw
> Email: tonni at hetnet dot nl
>
>
>
> ---------- Forwarded message ----------
> From: "Stasiniewicz, Adam" <stasinia at msoe.edu>
> To: "'General DShield Discussion List'" <list at lists.dshield.org>
> Date: Sun, 25 Nov 2007 16:54:35 -0600
> Subject: Re: [Dshield] suspiroamor.land.ru trojan
>
> Whenever I come across a suspicious file I upload it to www.virustotal.com.
> In addition to running the file against basically every major AV, they
> will also submit the file to every AV vendor that did not get a hit on
> the file.
> Here are the results (as of a few minutes ago):
>
>
>
> Engine             Version        Sig. date   Result
> AhnLab-V3          2007.11.24.0   2007.11.23  -
> AntiVir            7.6.0.34       2007.11.25  TR/PSW.Delf.KI.152
> Authentium         4.93.8         2007.11.24  Possibly a new variant of W32/NewMalware-LSU-based!Maximus
> Avast              4.7.1074.0     2007.11.25  -
> AVG                7.5.0.503      2007.11.25  PSW.Generic5.YJD
> BitDefender        7.2            2007.11.25  Trojan.Spy.Delf.SI
> CAT-QuickHeal      9.00           2007.11.24  -
> ClamAV             0.91.2         2007.11.25  -
> DrWeb              4.44.0.09170   2007.11.25  -
> eSafe              7.0.15.0       2007.11.21  -
> eTrust-Vet         31.3.5324      2007.11.24  -
> Ewido              4.0            2007.11.25  -
> FileAdvisor        1              2007.11.25  -
> Fortinet           3.14.0.0       2007.11.25  Spy/Banker
> F-Prot             4.4.2.54       2007.11.25  W32/NewMalware-LSU-based!Maximus
> F-Secure           6.70.13030.0   2007.11.25  Trojan-PSW.Win32.Delf.ki
> Ikarus             T3.1.1.12      2007.11.25  Trojan-Spy.Banker.5858
> Kaspersky          7.0.0.125      2007.11.25  Trojan-PSW.Win32.Delf.ki
> McAfee             5170           2007.11.23  PWS-Banker.gen.i
> Microsoft          1.3007         2007.11.25  PWS:Win32/Delf.KI
> NOD32v2            2684           2007.11.25  a variant of Win32/TrojanDownloader.Dadobra.IA
> Norman             5.80.02        2007.11.23  W32/Downloader
> Panda              9.0.0.4        2007.11.25  Suspicious file
> Prevx1             V2             2007.11.25  SPYWARE.DELF.SI
> Rising             20.19.61.00    2007.11.25  Trojan.Spy.Win32.Delf.vu
> Sophos             4.23.0         2007.11.25  Mal/DelpDldr-C
> Sunbelt            2.2.907.0      2007.11.24  -
> Symantec           10             2007.11.25  Downloader.Bancos
> TheHacker          6.2.9.141      2007.11.24  -
> VBA32              3.12.2.5       2007.11.23  Trojan.PWS.Banker.10307
> VirusBuster        4.3.26:9       2007.11.25  -
> Webwasher-Gateway  6.0.1          2007.11.25  Trojan.PSW.Delf.KI.152
>
>
> Regards,
> Adam Stasiniewicz
>
>
> _______________________________________________
> SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses taught
> by our top rated instructors plus a huge vendor tools expo.
> Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)
>
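The triage jayjwa describes above (pull the printable strings out of a Windows PE and look at what they suggest) can be scripted so that the same check runs the same way on every new specimen. The script below is an added example written for this page; it is not code from the DShield thread or from any of its posters. The indicator patterns are built from the strings the thread quotes (download-and-execute imports, the taskkill against the GbPlugin process, hard-coded paths under the Windows directory, Indy status names and the Gmail relay host), and the SAMPLE bytes are a constructed stand-in, not a real binary.

```python
"""String-based triage of a suspicious Windows binary (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

MIN_LEN = 6  # shortest printable run worth reporting, as in `strings -n 6`

# Indicator patterns grouped by what the string suggests. The literal values
# come from the strings quoted in the thread; the grouping is this example's.
INDICATORS = {
    "download_exec": [            # fetch-and-run primitives imported by name
        re.compile(r"^URLDownloadToFile[AW]?$"),
        re.compile(r"^ShellExecute(Ex)?[AW]?$"),
    ],
    "av_tamper": [                # killing a banking-protection plugin
        re.compile(r"taskkill\s+[-/]f\s+/im\s+\S+", re.I),
        re.compile(r"GbPlugin", re.I),
    ],
    "dropped_paths": [            # hard-coded executables under the Windows dir
        re.compile(r"C:\\windows\\\S+\.exe", re.I),
    ],
    "smtp_client": [              # Indy TCP/SMTP status names and a relay host
        re.compile(r"^hs(Resolving|Connecting|Connected|Disconnecting|Disconnected)$"),
        re.compile(r"gsmtp\d*\.google\.com", re.I),
    ],
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> Dict[str, List[str]]:
    """Return {category: [matching strings]} for every indicator category hit."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for s in extract_strings(data):
        for category, patterns in INDICATORS.items():
            if any(p.search(s) for p in patterns):
                hits[category].append(s)
    return dict(hits)


def verdict(hits: Dict[str, List[str]]) -> str:
    """Two or more independent indicator categories is enough to escalate."""
    return "suspicious" if len(hits) >= 2 else "no indicators"


# Constructed stand-in for a sample: a few header bytes, then the kind of
# strings the thread reports, NUL-separated. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"taskkill -f /im gbpsv.exe\x00"
    + b"C:\\WINDOWS\\system32\\WormList.exe\x00"
    + b"URLDownloadToFileA\x00shell32.dll\x00ShellExecuteA\x00"
    + b"hsConnecting\x00hsConnected\x00gsmtp185.google.com\x00"
    + b"Indy 9.00.10\x00ab\x00"
)

if __name__ == "__main__":
    found = triage(SAMPLE)
    for category, strings in found.items():
        print(f"{category}: {strings}")
    print("verdict:", verdict(found))
```

Run it against a real file with `triage(open(path, "rb").read())`. Requiring two independent categories before escalating keeps a lone `ShellExecuteA` import (which plenty of legitimate Delphi programs have) from tripping the check, while the combination the thread describes, a fetch-and-run import next to an AV-killing command line, is flagged immediately.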