66.98.208.24 compromised (was: [Dshield] Fake Yahoo e-mail)

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Sun Jan 18 02:18:47 GMT 2004


Hi Mike, list,

On Sun, 18 Jan 2004 11:45:58 +1300 Mike wrote:

> WARNING: MSIE users do not click on this link!
> 
> It's on the move. IP is now 210.51.184.247, URL:
> http://210.51.184.247/cgi-bin/page.cgi
[snip]

The trojan is identical to the one on 66.98.208.24 approx 9 hours ago.

Google *groups*: usb_d2.exe

gives you a thread describing a similar beast. I extracted the exe from
one of those posts and decompressed it (UPX). That file (distributed at the
end of 2003) slightly differs from the current version; however, the strings
in both versions appear to be the same (both versions refer to cjdra.com).
The last post in the mentioned thread (#22) has a nice analysis.

Anyway, usb_d2.exe is quite likely a successor of usb_d.exe:
http://vil.nai.com/vil/content/v_100939.htm Trojan name: Proxy-Cidra
"This Visual Basic script is detected as VBS/Inor with the 4307 DATs
or greater."

For more info, Google: usb_d.exe

Cheers,
Erik van Straten
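Added example (not Erik's code, and not part of the original thread): a small Python script for the two mechanical steps in the message above, checking a file for UPX markers and comparing the printable strings of two samples so that shared indicators (here the cjdra.com reference) stand out. The two byte buffers are constructed stand-ins, not the real usb_d.exe/usb_d2.exe variants; "cjdra.com" is the only string taken from the post, everything else in them is made up. The actual unpacking is done with the real tool (`upx -d sample.exe`), not by this script, which only flags that unpacking is needed.

```python
import re
from typing import Dict, List, Set

# Constructed stand-ins for the "end of 2003" and "current" variants.
# Not real samples: a fake DOS header, a few section-name-like bytes,
# some non-printable filler, and a handful of ASCII strings.
SAMPLE_OLD = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"   # UPX section names
    + b"\x01\x02\x03" + b"cjdra.com\x00"
    + b"\x7f\x10" + b"usb_d2.exe\x00" + b"\xff" * 4 + b"2003-build\x00"
)
SAMPLE_NEW = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b".text\x00\x00\x00.rdata\x00\x00"            # ordinary section names
    + b"\x05\x06" + b"cjdra.com\x00"
    + b"\x7f\x10" + b"usb_d2.exe\x00" + b"\xff" * 4 + b"2004-build\x00"
)

# UPX leaves its section names and magic string in the packed image.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def looks_upx_packed(data: bytes) -> bool:
    """Cheap heuristic: any UPX marker present means run `upx -d` first."""
    return any(marker in data for marker in UPX_MARKERS)


def extract_strings(data: bytes, min_len: int = 6) -> Set[str]:
    """Printable-ASCII runs of at least min_len bytes (like `strings -n 6`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, data)}


def compare_samples(a: bytes, b: bytes, min_len: int = 6) -> Dict[str, List[str]]:
    """Strings shared by both samples and strings unique to each side."""
    sa, sb = extract_strings(a, min_len), extract_strings(b, min_len)
    return {
        "common": sorted(sa & sb),
        "only_a": sorted(sa - sb),
        "only_b": sorted(sb - sa),
    }


def refers_to_host(data: bytes, host: str) -> bool:
    """True if any extracted string mentions the given host name."""
    return any(host in s for s in extract_strings(data))


if __name__ == "__main__":
    for name, blob in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        packed = "UPX-packed, unpack with `upx -d` first" if looks_upx_packed(blob) else "not UPX-packed"
        print(f"{name}: {packed}")
    report = compare_samples(SAMPLE_OLD, SAMPLE_NEW)
    for key, strings in report.items():
        print(f"{key}: {strings}")
    print("both refer to cjdra.com:",
          refers_to_host(SAMPLE_OLD, "cjdra.com") and refers_to_host(SAMPLE_NEW, "cjdra.com"))
```

Run it on real files by replacing the two constructed buffers with `open(path, "rb").read()` of the unpacked executables; the marker check is only a hint, since a packer can rename its sections, so treat a negative result as "no obvious UPX", not as proof the file is unpacked.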
