-
February 16th, 2004, 10:36 PM
#11
Hmm... I am able to download them, but the AV will automatically pick it up. I could ignore the AV, but I'm at my workplace right now and I don't want to jeopardise any of the computers here. I'll wait until I get home on my lab PCs. Thank you very much. That was exactly what I was looking for.
Cheers,
-
February 16th, 2004, 10:40 PM
#12
From FD on this attachment:
From the source of that page:
<APPLET ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1>
BlackBox.class is detected immediately by my virus scanner as ClassLoader/E, more info:
http://www.viruslibrary.com/virusinf...lassLoader.htm
The javautil.zip appears to be an exe file renamed to zip. The exe is compressed with FSG.
Interesting pieces of output from strings on the decompressed exe:
----------------------------------------------BEGIN
HookerDll.Dll
Install
Uninstall
EDIT
%s\%s
WVS3
\kgn.txt
Hooker.dll
Install
Uninstall
Westpac
bendigo
Bendigo
e-bendigo
e-Bendigo
commbank
Commonwealth
NetBank
Citibank
Bank of America
e-gold
e-bullion
e-Bullion
evocash
EVOCash
EVOcash
intgold
INTGold
paypal
PayPal
bankwest
Bank West
BankWest
National Internet Banking
cibc
CIBC
scotiabank
ScotiaBank
Scotia Bank
bank of montreal
Bank of Montreal
royalbank
Royal Bank
RoyalBank
tdwaterhouse
TD Canada Trust
TD Waterhouse
president's choice
President's Choice
President Choice
suncorpmetway
Suncorp
macquarie
Macquarie
INTgold
1mdc
1MDC
TD Waterhouse
goldmoney
GoldMoney
goldgrams
pecunix
Pecunix
Pecun!x
hyperwallet
HyperWallet
Wells Fargo
Bank One
Banesto
CAIXA
SunTrust
Sun Trust
Discover Card
Washington Mutual
Wachovia
desjardins
Chase
0+060F0
1$11161J1U1i1
2.2I2\2
3'3,3E3c3h3r3
4%42484>4D4J4P4V4\4b4h4n4t4z4
DATA
EHLO localhost
Subject: KeyLog from (%s)
MAIL FROM:<pentasatan@mail.ru>
RCPT TO:<pentasatan@mail.ru>
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
open
pstorec.dll
PStoreCreateInstance
internet explorer
http://
wininetcachecredentials
Cookie:
----------------------------------------------END
I believe a good "strings" will give you these results.
-
February 16th, 2004, 10:41 PM
#13
< joke >-sits here, blinking- I always miss out on all the fun, being on a Linux system. < /joke >
-
February 16th, 2004, 10:44 PM
#14
Oh pooh, you don't have to miss anything. Heck, half the fun of being on a *nix system is the ability to touch and play with this stuff. Why else would the *nix gods give us strings to play with?
-
February 16th, 2004, 11:45 PM
#15
For any interested, javautil is packed using FSG, which can be found at illmob:
http://illmob.com/stuff/fsg.zip
and must be uncompressed using it before strings can be run against it.
Although strings was originally a Unix util, there are many Windows ports around; a Windows version can be had from:
http://members.cox.net/dos/unix.htm
Here's the results of strings run against blackbox.class:
BlackBox
java/applet/Applet
UCL_def
Magic_def
stop
Code
LineNumberTable
this
Synthetic
<init>
Dummy
VerifierBug
getClass
()Ljava/lang/Class;
java/lang/Object
dummy_class
Ljava/lang/Class;
UCL_definition
Magic
myDefineClass
)(Ljava/lang/String;[BII)Ljava/lang/Class;
newInstance
()Ljava/lang/Object;
java/lang/Class
com.ms.security.PermissionSet
forName
%(Ljava/lang/String;)Ljava/lang/Class;
doit
getMethod
@(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
!com/ms/security/PermissionDataSet
setFullyTrusted
(Z)V
com/ms/security/PermissionSet
&(Lcom/ms/security/PermissionDataSet;)V
getClassLoader
()Ljava/lang/ClassLoader;
com/ms/vm/loader/URLClassLoader
value
!Lcom/ms/vm/loader/URLClassLoader;
invoke
9(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
java/lang/reflect/Method
Worker
loadClass
java/lang/Throwable
SourceFile
BlackBox.java
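Posts #12 and #15 both triage javautil.zip the same way: notice that the "zip" is really an exe, then read the strings out of it. Here is that triage written as a small script; it is an added example, not code from anyone in this thread. The sample bytes are constructed inline to stand in for the file (a PE header followed by a few of the strings quoted above, with a placeholder mail address), and the indicator families are my own grouping of the strings posted in #12.

```python
import re

# Constructed sample standing in for javautil.zip: begins with the PE 'MZ' magic
# rather than the ZIP 'PK' signature, and carries strings like those quoted in #12.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 8
          + b"Hooker.dll\x00Install\x00NetBank\x00PayPal\x00"
          + b"Subject: KeyLog from (%s)\x00MAIL FROM:<PLACEHOLDER@example.invalid>\x00"
          + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00pstorec.dll\x00\x01\x02")

def container_type(data: bytes) -> str:
    """Classify by magic bytes: a real .zip starts with 'PK', a PE/EXE with 'MZ'."""
    if data[:2] == b"PK":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable ASCII bytes, like the strings(1) default."""
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in printable.finditer(data)]

# Indicator families, grouped from the strings output posted in #12.
INDICATORS = {
    "bank_targets": ["NetBank", "PayPal", "Westpac", "Citibank", "Bank of America", "e-gold"],
    "smtp_exfil": ["EHLO ", "MAIL FROM:", "RCPT TO:", "Subject: KeyLog"],
    "run_key_persistence": ["SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"],
    "protected_storage": ["pstorec.dll", "PStoreCreateInstance"],
}

def triage(data: bytes, claimed_ext: str) -> dict:
    """Flag an extension/magic mismatch and group suspicious strings by family."""
    strs = extract_strings(data)
    hits = {fam: sorted({s for s in strs for ind in inds if ind in s})
            for fam, inds in INDICATORS.items()}
    return {
        "container": container_type(data),
        "extension_mismatch": claimed_ext == "zip" and container_type(data) != "zip",
        "hits": {fam: h for fam, h in hits.items() if h},
    }

if __name__ == "__main__":
    print(triage(SAMPLE, "zip"))
```

On the real file you would run this after unpacking with FSG, as #15 notes, since the packed image hides most of these strings.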
-
February 17th, 2004, 03:08 AM
#16
I don't see Visa on that list, Ms. Mittens. Guess I'm safe, heh.
-
February 17th, 2004, 05:08 AM
#17
The only way to be safe these days, it seems, is not to be online.
But still, it is pretty funny how these sorts of viruses (if you can call them that) seem to keep popping up time after time.
Cheers
.:front2back:.