At 01.52 28/06/2003 -0400, Chris Ess wrote:
>What I've come up with so far is this:
>
>The vector appears to be a zip file that contains an HTML file. The HTML
>file has, at the beginning of it, a base64-encoded executable of some
>sort.
Yes, I decoded easily the MIME stuff using WinZip. Here you are a quick & dirty analisys. The file decoded is a Win32 PE executable compressed by UPX: it is a new variant of Backdoor.SdBot, an IRC RAT that permits to malicious people to control PCs where the backdoor has been installed. On execution, the backdoor copies itself on the %Sysdir% folder and modifies the Registry to be executed automatically at every system startup:
Values added: 2
---------------
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "hpsched"
Type: REG_SZ
Data: hpsched.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "hpsched"
Type: REG_SZ
Data: hpsched.exe
I wrote "on the fly" a detection/removal tool, by the way. People interested may download it here:
http://www.nod32.it/cgi-bin/mapdl.pl?tool=Mindjail
ciao,
Paolo.
---
Future Time S.r.l. tel +39-06-5034227
Distributore esclusivo NOD32 e Outpost fax +39-06-5037078
e-mail: paolo.montiat_private www.nod32.it
NOD32, il piu' veloce e preciso antivirus del mondo, parola di Virus Bulletin
************************ Proteggi il tuo mondo digitale ***************************
----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Sat Jun 28 2003 - 15:56:51 PDT