(Msg. 1) Posted: Sat Jul 19, 2008 5:28 pm
Post subject: New Virus Add to elertz
Archived from groups: alt>comp>virus
Received 2 emails recently directly to an email address which I never use. How
they got ahold of it is beyond me, but it looks like they are using compromised
mail servers to spread their garbage.
The titles of the emails suggest that it is pornographic in nature, and when the
link is activated it goes to various Web Hosting sites and brings up a screen
that looks like a movie player. Clicking anywhere on the screen, or simply
waiting until it times out, causes it to go to another group of sites and
download a file called "watch.exe". This is a fairly sophisticated setup that
uses some DNS trickery to use a different IP address every 20 seconds. This
group of addresses belongs to:
NetRange: 63.144.121.128 - 63.144.121.255
OrgName: PANTHER EXPRESS
OrgID: PANTH-4
Address: 350 E CERMAK
Address: BLDG MAIN FLR MAIN RM MAIN
City: CHICAGO
StateProv: IL
PostalCode: 60616
Country: US
I downloaded the file "watch.exe" to a safe location, submitted it to
VirusTotal and it came back with 12 of 33 anti-virus programs being able to
identify it. Symantec identifies it as Trojan.Erotpics, and has this to say
about it:
-----------------------------------------------------------------------
April 17, 2008
Updated: April 17, 2008 8:28:39 PM
Also Known As: TROJ_NUWAR.ABK [Trend]
Type: Trojan
Infection Length: 75,264 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows
Vista, Windows NT, Windows Server 2003, Windows 2000
The Trojan arrives as a spammed email attachment purporting to be erotic
pictures and videos of various celebrities.
Once executed, the Trojan creates the following file:
%System%\CbEvtSvc.exe
The Trojan creates a new service with the following characteristics:
Service name: CbEvtSvc
Display name: CbEvtSvc
Image Path: %SystemDrive%\System32\CbEvtSvc.exe -k netsvcs
Startup Type: Automatic
It registers this service by creating entries in the following registry
subkeys:
 * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
 * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
 * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
 * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
The Trojan then sends information about the compromised computer to the
following remote location:
207.10.234.217
It then attempts to download files on to the compromised computer.
-----------------------------------------------------------------------
(Msg. 2) Posted: Mon Jul 21, 2008 4:49 pm
Post subject: Re: New Virus Add to elertz
Archived from groups: per prev. post
(Msg. 3) Posted: Tue Jul 22, 2008 8:04 pm
Post subject: Re: New Virus Add to elertz
Archived from groups: per prev. post
MO has changed. The Web site is quite improved and the downloaded file is now
called codecinst.exe, but it is exactly the same file.
********** SEPARATER **********
In article <Xupgk.448$nu6.336@edtnps83>, administrator.RemoveThis@spam.yellowhead.com says...
>
>Received 2 emails recently directly to an email address which I never use. How
>they got ahold of it is beyond me, but it looks like they are using compromised
>mail servers to spread their garbage.
>
>The titles of the emails suggest that it is pornographic in nature, and when the
>link is activated it goes to various Web Hosting sites and brings up a screen
>that looks like a movie player. Clicking anywhere on the screen, or simply
>waiting until it times out, causes it to go to another group of sites and
>download a file called "watch.exe". This is a fairly sophisticated setup that
>uses some DNS trickery to use a different IP address every 20 seconds. This
>group of addresses belongs to:
>
>NetRange: 63.144.121.128 - 63.144.121.255
>OrgName: PANTHER EXPRESS
>OrgID: PANTH-4
>Address: 350 E CERMAK
>Address: BLDG MAIN FLR MAIN RM MAIN
>City: CHICAGO
>StateProv: IL
>PostalCode: 60616
>Country: US
>
>I downloaded the file "watch.exe" to a safe location, submitted it to
>VirusTotal and it came back with 12 of 33 anti-virus programs being able to
>identify it. Symantec identifies it as Trojan.Erotpics, and has this to say
>about it:
>-----------------------------------------------------------------------
>April 17, 2008
>Updated: April 17, 2008 8:28:39 PM
>Also Known As: TROJ_NUWAR.ABK [Trend]
>Type: Trojan
>Infection Length: 75,264 bytes
>Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows
>Vista, Windows NT, Windows Server 2003, Windows 2000
>
>The Trojan arrives as a spammed email attachment purporting to be erotic
>pictures and videos of various celebrities.
>
>Once executed, the Trojan creates the following file:
>%System%\CbEvtSvc.exe
>
>The Trojan creates a new service with the following characteristics:
>Service name: CbEvtSvc
>Display name: CbEvtSvc
>Image Path: %SystemDrive%\System32\CbEvtSvc.exe -k netsvcs
>Startup Type: Automatic
>
>It registers this service by creating entries in the following registry
>subkeys:
>
> * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
> * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
> * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
> * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
>
>The Trojan then sends information about the compromised computer to the
>following remote location:
>207.10.234.217
>
>It then attempts to download files on to the compromised computer.
>----------------------------------------------------------------------
>
(Msg. 4) Posted: Fri Jul 25, 2008 7:04 pm
Post subject: Re: New Virus Add to elertz
Archived from groups: per prev. post
I was wrong about the source of the trojan file. Panther Express only supplied
the invisible counter. The real source is 207.10.234.217, and the trojan morphs
almost daily (watch.exe, codecinst.exe, watchmovie.mpeg.exe). The source network
belonging to SaidCom has a history of abuse.
J.A. Coutts
*********** SEPARATER **********
In article <L3rhk.1018$nu6.448@edtnps83>, administrator RemoveThis @spam.yellowhead.com says...
>
>MO has changed. The Web site is quite improved and the downloaded file is now
>called codecinst.exe, but it is exactly the same file.
>********** SEPARATER **********
>In article <Xupgk.448$nu6.336@edtnps83>, administrator RemoveThis @spam.yellowhead.com says...
>>
>>Received 2 emails recently directly to an email address which I never use. How
>>they got ahold of it is beyond me, but it looks like they are using compromised
>>mail servers to spread their garbage.
>>
>>The titles of the emails suggest that it is pornographic in nature, and when the
>>link is activated it goes to various Web Hosting sites and brings up a screen
>>that looks like a movie player. Clicking anywhere on the screen, or simply
>>waiting until it times out, causes it to go to another group of sites and
>>download a file called "watch.exe". This is a fairly sophisticated setup that
>>uses some DNS trickery to use a different IP address every 20 seconds. This
>>group of addresses belongs to:
>>
>>NetRange: 63.144.121.128 - 63.144.121.255
>>OrgName: PANTHER EXPRESS
>>OrgID: PANTH-4
>>Address: 350 E CERMAK
>>Address: BLDG MAIN FLR MAIN RM MAIN
>>City: CHICAGO
>>StateProv: IL
>>PostalCode: 60616
>>Country: US
>>
>>I downloaded the file "watch.exe" to a safe location, submitted it to
>>VirusTotal and it came back with 12 of 33 anti-virus programs being able to
>>identify it. Symantec identifies it as Trojan.Erotpics, and has this to say
>>about it:
>>-----------------------------------------------------------------------
>>April 17, 2008
>>Updated: April 17, 2008 8:28:39 PM
>>Also Known As: TROJ_NUWAR.ABK [Trend]
>>Type: Trojan
>>Infection Length: 75,264 bytes
>>Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows
>>Vista, Windows NT, Windows Server 2003, Windows 2000
>>
>>The Trojan arrives as a spammed email attachment purporting to be erotic
>>pictures and videos of various celebrities.
>>
>>Once executed, the Trojan creates the following file:
>>%System%\CbEvtSvc.exe
>>
>>The Trojan creates a new service with the following characteristics:
>>Service name: CbEvtSvc
>>Display name: CbEvtSvc
>>Image Path: %SystemDrive%\System32\CbEvtSvc.exe -k netsvcs
>>Startup Type: Automatic
>>
>>It registers this service by creating entries in the following registry
>>subkeys:
>>
>> * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
>> * HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
>> * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
>> * HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
>>
>>The Trojan then sends information about the compromised computer to the
>>following remote location:
>>207.10.234.217
>>
>>It then attempts to download files on to the compromised computer.
>>----------------------------------------------------------------------
>>
>
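The Symantec write-up quoted in this thread describes persistence as a service named CbEvtSvc whose image path borrows svchost's `-k netsvcs` service-group switch, and Msg. 4 notes that the dropper's filename changes almost daily, so a host check keyed on the persistence artifact is more durable than one keyed on the filename. The following Python is an added example, not code from the thread or from Symantec: it parses a constructed .reg export of the Services key (the sample data below is made up) and flags any service whose ImagePath uses `-k` with a binary other than svchost.exe, plus the service name given in the write-up.

```python
import re

# Constructed sample .reg export of the Services key (not from a real host).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"DisplayName"="Task Scheduler"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc]
"DisplayName"="CbEvtSvc"
"ImagePath"="%SystemDrive%\\System32\\CbEvtSvc.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"""
SERVICE_KEY = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\\]]+)\]$', re.I)
STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')
SVCHOST_GROUP = re.compile(r'\s-k\s', re.I)  # svchost's service-group switch

def parse_services(reg_text):
    """Return {service name: {value name: string value}} from a .reg export."""
    services, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = SERVICE_KEY.match(line)
        if key:
            current = key.group(1)
            services.setdefault(current, {})
            continue
        val = STRING_VALUE.match(line)
        if val and current is not None:
            # .reg exports escape each backslash in string values as "\\"
            services[current][val.group(1)] = val.group(2).replace("\\\\", "\\")
    return services

def suspicious_services(services):
    """Flag a non-svchost binary using svchost's -k switch, and the known name."""
    findings = []
    for name, values in services.items():
        image = values.get("ImagePath", "")
        # The binary is whatever precedes the "-k <group>" switch, if present
        exe = SVCHOST_GROUP.split(image, maxsplit=1)[0].strip().strip('"')
        exe_name = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if SVCHOST_GROUP.search(image) and exe_name != "svchost.exe":
            reasons.append("-k group switch on a binary other than svchost.exe")
        if name.lower() == "cbevtsvc":
            reasons.append("service name matches the Trojan.Erotpics write-up")
        if reasons:
            findings.append((name, image, reasons))
    return findings
```

Run against a real export of HKLM\SYSTEM\CurrentControlSet\Services, the same two checks apply unchanged; both ControlSet001 and CurrentControlSet headers are accepted, matching the subkeys the write-up lists.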