SecurityFocus

what is this? Jan 13 2008 04:01PM
crazy frog crazy frog (i m crazy frog gmail com) (5 replies)

Re: what is this? Jan 16 2008 08:57AM
Yousef Syed (yousef syed gmail com)

Re: what is this? Jan 15 2008 05:16AM
Denis (sp23 internode on net) (3 replies)

RE: what is this? Jan 15 2008 04:33PM
Memisyazici, Aras (arasm vt edu) (1 replies)

Re[2]: what is this? Jan 15 2008 04:41PM
Denis (sp23 internode on net)

Re: what is this? Jan 15 2008 04:28PM
Jamie Riden (jamie riden gmail com)

Re: what is this? Jan 15 2008 06:12AM
crazy frog crazy frog (i m crazy frog gmail com) (2 replies)

Re[2]: what is this? Jan 15 2008 05:26PM
none (updates digitalis com au)

Re: [Full-disclosure] what is this? Jan 15 2008 06:45AM
Nick FitzGerald (nick virus-l demon co uk) (1 replies)

Re: [Full-disclosure] what is this? Jan 15 2008 08:26AM
crazy frog crazy frog (i m crazy frog gmail com) (1 replies)

Re: [Full-disclosure] what is this? Jan 15 2008 05:22PM
Gadi Evron (ge linuxbox org) (1 replies)

Re: [Full-disclosure] what is this? Jan 15 2008 05:24PM
crazy frog crazy frog (i m crazy frog gmail com)

Re: what is this? Jan 14 2008 09:46PM
Gadi Evron (ge linuxbox org)

Re: what is this? Jan 14 2008 03:44PM
Jose Nazario (jose monkey org) (3 replies)

Re[2]: [Full-disclosure] what is this? Jan 14 2008 09:39PM
3APA3A (3APA3A SECURITY NNOV RU)

RE: what is this? Jan 14 2008 07:09PM
Mario Contestabile (marioc computer org)

Looks like the local name is actually more random:

var name = "c:\\win"+GetRandString(4)+".exe";

Kinda dumb though, as any non-admin class user won't have access to the
local folder on the root [c:\].

marioc (at) computer (dot) org [email concealed]
http://securitymario.spaces.live.com/

-----Original Message-----
From: Jose Nazario [mailto:jose (at) monkey (dot) org [email concealed]]
Sent: Monday, January 14, 2008 10:44 AM
To: crazy frog crazy frog
Cc: Untitled; PenTest; bugtraq (at) securityfocus (dot) com [email concealed]
Subject: Re: what is this?

On Sun, 13 Jan 2008, crazy frog crazy frog wrote:

> http://secgeeks.com/what.zip
> password is 12345
> can somebody guide/help me what is this and how can i remove it?

te file you sent here contains a bunch of embeded nulls (every other
character is 00). stripping those out reveals ...

that it's a collection of browser exploits. by the looks of it it's MPack
and uses the heapspray slide stuff.

the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead)
as a local file c:\\mosvs8.exe and then run it.

very common exploit scenario these days (but they usually have some form
of js obfuscation going on).

i hope this helps.

________
jose nazario, ph.d. http://monkey.org/~jose/

[ reply ]

Re: what is this? Jan 14 2008 03:56PM
crazy frog crazy frog (i m crazy frog gmail com)

Re: [Full-disclosure] what is this? Jan 14 2008 09:34AM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)

Re: [Full-disclosure] what is this? Jan 14 2008 11:52AM
Nick FitzGerald (nick virus-l demon co uk) (1 replies)

Re: [Full-disclosure] what is this? Jan 14 2008 01:56PM
crazy frog crazy frog (i m crazy frog gmail com)