[Dshield] ev1.net trojan (was yahoo.fr trojan)

jayjwa jayjwa at atr2.ath.cx
Tue Jan 20 03:06:00 GMT 2004


On Sun, 18 Jan 2004 WMAVT at aol.com wrote:

> Subject: Re: [Dshield] ev1.net trojan (was yahoo.fr trojan)

> I found something interesting or maybe a bug it the server, If I use
>            http://www.whois.net/whois.cgi2?d=66.98.208.24
> I get the below
>             WHOIS information for 208.24:
> [whois.melbourneit.com]

>        Maybe it is coming from more than 1 site??

> Looks like we got a simple, but interesting trojan on your hands.

Yes, it certainly is. I found one at a chinese website lastnight, pulled
down the trojan using links w/fake User-Agent to look like MSIE, and did a
bit of studying on it. I have the IP address of the site, and a Syn Scan
nmap listing of them. I sent a complete package to Mr. Ullrich.

What I found appeared to matched the descriptions given on the list, and I
followed the link given to retrieve it. I sent the original post with the
package, the file I download, and my initial analysis of it. It seemed to
be a VBS script with embedded binary UPX compressed content. Copies in
%systemroot%, another Win32 specimen. It creates usb_d.exe or usb_d2.exe
(this is the version I had, the usb_d2.exe). Just delete the files if you
find them, if it gets that far. It's kind of a simple piece of malware.
I'd expect its on lots of sites, since it's easy to set it up. Pop it in
/cgi-bin/, send someone gullible a threat-letter to click on it, it away
it goes. I didn't have much more time to look at it, my FTP server was
quite popular yesterday-night (and not in a good way) :(

[jayjwa]RLF#37






More information about the list mailing list