Anyone seeing this?
Page 1 of 2 12 LastLast
Results 1 to 10 of 20

Thread: Anyone seeing this?

  1. #1
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Anyone seeing this?

    My gateway is catching a lot of executables attempting to come in via e-mail. The e-mail is coming in with a subject of either "Is sent SMS" or "The picture is sent on SMS". The executable usually has the name of "f5434.exe" or "ds-rwe.exe" .

    Now I have searched the usual (Symantec, TrendMicro....etc) but I am coming up blank. Anyone seeing this activity?

    Cheers:
    DjM

  2. #2
    I think i receieved it once or twice, but it was marked as spam by gmail so i just deleted it.
    StreetsCrack.com Join The Best Music Social Network Online. Music downloads, promotions, forums, profile, games etc...

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    DjM can you turn one into a .txt or zip?

    I will gladly dissect it for you
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by nihil
    DjM can you turn one into a .txt or zip?

    I will gladly dissect it for you
    Sorry Mate, I have a "drop-dead" rule on my gateway. All executables are stripped and sent to that big "bit-bucket" in the sky. To trap one, I have to disable the rule, which is something I am not real crazy about doing.

    I'll see if I can come up with a way to trap one without throwing the doors wide open.

    Cheers:
    DjM

  5. #5
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Here's a copy of the file.

    It came in to our work email (2 copies to our one helpdesk account over the weekend, and one to our other account...)

    The original zip file is in the folder... and the folder is compressed into a new zip file with the password antionline.com

    Maybe I'll throw it into a VM tonight and see what it does...

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Nope

    Not getting any here.......Yet!

    Just checked what was filtered too....nothing similar

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by HTRegz
    Hey Hey,

    Here's a copy of the file.

    It came in to our work email (2 copies to our one helpdesk account over the weekend, and one to our other account...)

    The original zip file is in the folder... and the folder is compressed into a new zip file with the password antionline.com

    Maybe I'll throw it into a VM tonight and see what it does...

    Peace,
    HT
    I am seeing that zip file too HT, along with Beach.zip and In_park.zip.

    Can you find any info. on the Virus sites about this?

    Cheers:
    DjM

  8. #8
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    http://isc.sans.org/

    http://isc.sans.org/diary.php?date=2005-06-26

    We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    When scanned with Symantec Corp, it comes up as this...

    http://securityresponse.symantec.com...n.tooso.j.html


    SNIP

    Trojan.Tooso.J is a Trojan horse that interferes with the operation of security software by terminating processes, stopping services, removing registry entries, and deleting files.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by thehorse13
    When scanned with Symantec Corp, it comes up as this...

    http://securityresponse.symantec.com...n.tooso.j.html


    SNIP

    Trojan.Tooso.J is a Trojan horse that interferes with the operation of security software by terminating processes, stopping services, removing registry entries, and deleting files.
    I figured that was the bugger too horse, but the Symantec wirte-up didn't have very much detail (subject line, attachment name...etc)

    Cheers:
    DjM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides