Anyone seeing this?

***DjM*** · June 27th, 2005, 09:06 PM

My gateway is catching a lot of executables attempting to come in via e-mail. The e-mail is coming in with a subject of either "Is sent SMS" or "The picture is sent on SMS". The executable usually has the name of "f5434.exe" or "ds-rwe.exe" .

Now I have searched the usual (Symantec, TrendMicro....etc) but I am coming up blank. Anyone seeing this activity?

Cheers:

***©opy®ight*** · June 27th, 2005, 09:09 PM

I think i receieved it once or twice, but it was marked as spam by gmail so i just deleted it.

**nihil** · June 27th, 2005, 09:11 PM

DjM can you turn one into a .txt or zip?

I will gladly dissect it for you

***DjM*** · June 27th, 2005, 09:16 PM

Originally posted here by nihil
DjM can you turn one into a .txt or zip?

I will gladly dissect it for you

Sorry Mate, I have a "drop-dead" rule on my gateway. All executables are stripped and sent to that big "bit-bucket" in the sky. To trap one, I have to disable the rule, which is something I am not real crazy about doing.

I'll see if I can come up with a way to trap one without throwing the doors wide open.

Cheers:

***HTRegz*** · June 27th, 2005, 09:17 PM

Hey Hey,

Here's a copy of the file.

It came in to our work email (2 copies to our one helpdesk account over the weekend, and one to our other account...)

The original zip file is in the folder... and the folder is compressed into a new zip file with the password antionline.com

Maybe I'll throw it into a VM tonight and see what it does...

Peace,
HT

***morganlefay*** · June 27th, 2005, 09:19 PM

Nope

Not getting any here.......Yet!

Just checked what was filtered too....nothing similar

MLF

***DjM*** · June 27th, 2005, 09:20 PM

Originally posted here by HTRegz
Hey Hey,

Here's a copy of the file.

It came in to our work email (2 copies to our one helpdesk account over the weekend, and one to our other account...)

The original zip file is in the folder... and the folder is compressed into a new zip file with the password antionline.com

Maybe I'll throw it into a VM tonight and see what it does...

Peace,
HT

I am seeing that zip file too HT, along with Beach.zip and In_park.zip.

Can you find any info. on the Virus sites about this?

Cheers:

***nebulus200*** · June 27th, 2005, 09:21 PM

http://isc.sans.org/

http://isc.sans.org/diary.php?date=2005-06-26

We're receiving early reports of a new Bagle variant making the rounds. At the time of writing, many Antivirus products are not detecting this most recent mutation of the mass mailer. Identifying characteristics include a reference to SMS in the subject line, and ZIP attachments with various names containing an EXE named f22-013.exe with an md5 checksum of 3f123980866092fedd6bc75e9b273087. Our thanks go out to the numerous ISC readers who alerted us to this.

***thehorse13*** · June 27th, 2005, 09:44 PM

When scanned with Symantec Corp, it comes up as this...

http://securityresponse.symantec.com...n.tooso.j.html

SNIP

Trojan.Tooso.J is a Trojan horse that interferes with the operation of security software by terminating processes, stopping services, removing registry entries, and deleting files.

***DjM*** · June 27th, 2005, 09:48 PM

Originally posted here by thehorse13
When scanned with Symantec Corp, it comes up as this...

http://securityresponse.symantec.com...n.tooso.j.html

SNIP

Trojan.Tooso.J is a Trojan horse that interferes with the operation of security software by terminating processes, stopping services, removing registry entries, and deleting files.

I figured that was the bugger too horse, but the Symantec wirte-up didn't have very much detail (subject line, attachment name...etc)

Cheers:

Thread: Anyone seeing this?

Thread Tools

Display

Anyone seeing this?

Posting Permissions