Re: W32.Badtrans.B@mm

From: John Sage (jsageat_private)
Date: Mon Nov 26 2001 - 14:46:52 PST


    I've received only 3 so far. I saved to disk the (apparent..) executable 
    for all three (I'm on Linux.. :-) and did a diff on all three, and 
    they're identical.
    
    strings -n 3 returns a *lot* - and it's like hunting for the needle in 
    the proverbial haystack, but here's an edited version of what it found, 
    FWIW:
    
    !This program cannot be run in DOS mode.
    Richl
    .rsrc
    
    <snip>
    
    ABCDE
    FGHIJKLMNOPQRST
    XYZabc
    defghijklmnopqrstuvwxyz012345678v!:
    9+/
    hLM
    ugiv
    i|`
    XH_
    %u.
    _H;
    /`$
    , ;
    NameServ
    149.174.211
    .5,SYSTEM\CurrentControl
    t\0ices\Tcpip\ParEt
    s3ystemVxD\M
    XCP
    Dec
    Oct
    Aug
    Jul
    May
    Feb
    aSa'Fri
    Thu
    Wed
    Tueo
    /Hook
    v2.4
    %s)%
    227
     >s9;c
    
    <snip>
    
    Invalid DNS
    add
    Answfailu
     >[[exp
    [{W
    "@"
    p/;KEY_USERS
    OCAL_MACHINE
    CURRENT'3
    LASSES_ROOT
    
    <snip>
    
    eTo
    help
    psho*
    DLL
    Title:
    Y",
    mpu
    - Us
    %Keylogw
    Opd
    ffnG
    
    <snip>
    
    zzo@
    3"JUDY
    1at_private
    "R+a L
    
    <snip>
    
    MP3
    ZIPZ
    DOCf
    hcWi
    y_a
    ._yeYh
    Me_
    'ETUP
    YOU_
    _FAT
    
    <snip>
    
    ARE
    Ac,%
    Jntd
    QUIT
    
    <snip>
    
    o-8859-1N
    oX-p
    
    <snip>
    
    <HTML>
    =3D#f
    xrc
    
    <snip>
    
    LThisY
    @fm
    yDOS m
    
    <snip>
    
    21del}8
    Prt}Dwn}Upr
    leftPgD<
    hom{V*
    GgUO
    alP
    }esc}
    
    <snip>
    
    trlb
    Clr
    bVNlA#
    ToA
    s[b
    o9oeY
    Unh)
    KX{
    kGE
    
    <snip>
    
    cpy<
    mov^MSVCRT3Y
    _Xit|D
    adjuB_fdiv
    0N+161C1N1Y1d1o1|1
    2*252@2
    K2V2a2l2w2
    3 3+363A3L3W3b3m3x3
    4 4=4_4e4
    5?5H5U
    5c5l5u5
    6$6,6A6F6K6P6Z6c6v6
    6U7r7
    Last
    SDuplinQtE&HCle4XD
    Exit
    
    <snip>
    
    GIu
    0d@
    GPG
    KERNEL32.DLL
    ADVAPI32.dll
    MSVCRT.dll
    USER32.dll
    WSOCK32.dll
    LoadLibraryA
    GetProcAddress
    ExitProcess
    RegCloseKey
    rand
    SetTimer
    hUB
    wKZ
    qrh
    oNX
    je!
    www
    
    
    
    <EOF strings -n 3>
    
    Make of it what you can...
    
    
    - John
    
    
    Liudvikas Bukys wrote:
    
    > I am dismayed to find that ALL of the anti-virus vendors have decided to
    > limit their "tech details" so much that I can't find a published account
    > of how the keyboard-logging trojan contacts the outside world.  It would
    > be helpful to know what hosts or names it connects out to, without having to
    > wait for a "live one" to appear before I find out.
    > 
    > Does anybody here know?
    > 
    > Liudvikas Bukys
    > bukysat_private
    > 
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Nov 26 2001 - 14:52:10 PST