sabrodiesel2000
Ok, here is the deal... I received an email from an address pretending to be a female (maybe because I'm male?) saying that she and her mom will be at the airport at 10 in the morning and to find an attached picture that she needs her fiance to have a look at before going to the airport...

Anyone could have fallen for that and would have wanted to have a peek at the pic... but no, wait... the file name was

"saira .jpg"

Suspicious file name, innit? Secondly, it was zipped, and when I opened it to extract it, it was a "saira.jpg.exe" file. Senses start to work at that point, don't they? lol. Well, I did extract it to the desktop and the icon it shows me is "L MFC APPLICATION".

I am not a programmer and wouldn't know what exactly the person sent me. But then I opened the file in a hexadecimal editor... there I see the file header as MZ... getting more info, I could clearly see some functions declared in the program... more info I could get is

* there indeed was an image file edited in Adobe Photoshop 3.0.
* it was named "shabana rehman".
* its extension was JFIF.
* it was renamed from the original file "L.exe" version 1.0.0.1.
* it had a keylogger star trek.
* it had a few email addresses mentioned:
"mo@css.com
myname@domain.com
govtresults@hotpop.com"

* it had a few links mentioned:
"mx1.hotpop.com
mx2.hotpop.com
mx3.hotpop.com"

* finally, renaming the original file to "saira.jpg.exe"

I need to know more about the file, but I am not able to upload the file here... how can I get it checked???

I'm waiting to hear from y'all...
hottzo
As I can see you are a full member, so you can just attach the file to your topic.

Don't forget to rar it and password the archive.
dont-staY
Upload the file to http://www.virustotal.com/ or http://virusscan.jotti.org/.
Then the file gets checked with many well-known AV engines.

Also, you can upload this file to http://sandbox.norman.no/live_4.html to get more information. Alternatively, you can run it under VMware and start a packet sniffer to see what the file exactly does.

If the file is packed or crypted, you could try to scan the file with PEiD. It's a nice tool which can tell you which packer/crypter was used.
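The two static steps discussed so far, the hex-editor pass sabrodiesel2000 did by hand (MZ header, declared functions, embedded addresses and hostnames) and the packer check dont-staY points at with PEiD, can be scripted. The following is an added example, not code from the thread or from any of the tools it names: it walks the MZ/PE headers, computes per-section Shannon entropy as a packing hint (PEiD matches packer signatures; entropy plus an "empty on disk, large in memory" section is a cruder stand-in assumed here), pulls printable strings and picks out e-mail addresses, hostnames and a few APIs, and checks for the double-extension trick. The PE image it runs on is constructed inline and is not the attachment from the thread; the API list and the 7.0 bits/byte threshold are assumptions for the example.

```python
import hashlib
import math
import re
import struct
from collections import Counter

DOC_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "doc", "pdf", "txt"}
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Illustrative list (an assumption for this example) of APIs a "photo" has no business using.
SUSPICIOUS_APIS = {"GetUserNameA", "SetWindowsHookExA", "GetAsyncKeyState"}
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info)\b", re.I)
PACKED_ENTROPY = 7.0  # heuristic threshold in bits per byte; assumed, not a standard


def shannon_entropy(data: bytes) -> float:
    """Packed or encrypted data sits close to 8 bits/byte; code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    sections = []
    for i in range(nsec):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        off = e_lfanew + 24 + opt_size + i * 40
        name = blob[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", blob, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rsize,
                         "entropy": round(shannon_entropy(blob[rptr:rptr + rsize]), 2)})
    return {"machine": machine, "sections": sections}


def has_double_extension(filename: str) -> bool:
    """'saira.jpg.exe': looks like a picture, runs as a program."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS


def extract_indicators(blob: bytes) -> dict:
    """The 'strings' pass the poster did by eye in the hex editor."""
    strings = [s.decode("ascii") for s in STRING_RE.findall(blob)]
    emails = sorted({m for s in strings for m in EMAIL_RE.findall(s)})
    hosts = {m.lower() for s in strings for m in HOST_RE.findall(s)}
    hosts = sorted(h for h in hosts if not any(h in e.lower() for e in emails))  # drop the e-mail domains
    return {"emails": emails, "hosts": hosts, "apis": sorted(SUSPICIOUS_APIS.intersection(strings))}


def triage(blob: bytes, filename: str) -> dict:
    pe = parse_pe(blob)
    ind = extract_indicators(blob)
    findings = [f"double extension: {filename}"] if has_double_extension(filename) else []
    for s in pe["sections"]:
        if s["entropy"] > PACKED_ENTROPY:
            findings.append(f"section {s['name']}: {s['entropy']} bits/byte, probably packed or encrypted")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"section {s['name']}: no data on disk, {s['virtual_size']:#x} bytes in memory "
                            "(room for an unpacked image)")
    findings += [f"api: {a}" for a in ind["apis"]]
    findings += [f"email: {e}" for e in ind["emails"]]
    findings += [f"host: {h}" for h in ind["hosts"]]
    return {"sections": pe["sections"], "indicators": ind, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed stand-in for the attachment (not the real file): a PE32 image whose .text
    carries strings like those quoted in the post and whose UPX1 section is pseudo-random."""
    text_raw = (b"GetUserNameA\0SetWindowsHookExA\0USER32.dll\0mo@css.com\0myname@domain.com\0"
                b"govtresults@hotpop.com\0mx1.hotpop.com\0mx2.hotpop.com\0mx3.hotpop.com\0"
                b"saira.jpg.exe\0").ljust(512, b"\0")
    packed_raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 bytes
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)  # i386, 3 sections
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")                               # PE32 magic only

    def sec(name, vsize, vaddr, rsize, rptr, flags):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rsize, rptr, 0, 0, 0, 0, flags)

    hdr = dos + coff + opt
    hdr += sec(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080)       # empty on disk, large in memory
    hdr += sec(b".text", 512, 0x11000, 512, 512, 0x60000020)
    hdr += sec(b"UPX1", 2048, 0x12000, 2048, 1024, 0xE0000040)
    return hdr.ljust(512, b"\0") + text_raw + packed_raw


if __name__ == "__main__":
    for line in triage(build_sample_pe(), "saira.jpg.exe")["findings"]:
        print(line)
```

Against a real sample, replace `build_sample_pe()` with `open(path, "rb").read()` on a copy kept inside the analysis VM; none of this executes the file. A packed section only tells you that the strings you see belong to the packer stub or to data it left in the clear, so a string pass that finds nothing on a high-entropy file is not evidence of a clean file, which is why the sandbox run dont-staY suggests still matters.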
sabrodiesel2000
Antivirus     Version          Update       Result
--------------------------------------------------------------------
AntiVir       6.30.0.12        05.24.2005   Heuristic/Backdoor.Generic
AVG           718              05.22.2005   no virus found
Avira         6.30.0.12        05.24.2005   Heuristic/Backdoor.Generic
BitDefender   7.0              05.24.2005   no virus found
ClamAV        devel-20050501   05.24.2005   no virus found
DrWeb         4.32b            05.24.2005   no virus found
eTrust-Iris   7.1.194.0        05.24.2005   no virus found
eTrust-Vet    11.9.1.0         05.24.2005   no virus found
Fortinet      2.27.0.0         05.24.2005   suspicious
Ikarus        2.32             05.24.2005   no virus found
Kaspersky     4.0.2.24         05.24.2005   no virus found
McAfee        4497             05.23.2005   New Malware.b
NOD32v2       1.1106           05.23.2005   no virus found
Norman        5.70.10          05.23.2005   no virus found
Panda         8.02.00          05.23.2005   no virus found
Sybari        7.5.1314         05.24.2005   no virus found
Symantec      8.0              05.23.2005   no virus found
VBA32         3.10.3           05.23.2005   suspected of I-Worm (double extension)

--------------------------------------------------------------------------------
www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail info@virustotal.com

Ok, many antiviruses failed to detect it... even Symantec says no virus found. I just knew it was a backdoor because when I opened the hexadecimal editor I saw functions like GetUserName etc. Anyway, I submitted the file to Norman Sandbox as well...

<awaiting response>
genxweb
I would agree; if you are really set on messing with this file, I would run a VMware session and have it on its own subnet so as not to affect your other machines.

The URLs in the list are mail domains; the MX is the DNS setting for mail.

I give you credit for doing as much research as you did on that file. I for one would have just deleted it, simply because I don't know anyone by that name. I sure would not waste my time meeting a stranger at the airport, and finally, it is an exe.

Well, good luck in the research. I would like to see the final results of what you find.
nuorder
How about attaching the file as hottzo suggested?
xt33nx
You could mail me the file at xt33nx -@- gmail.com and I shall contact you back with some details.
sabrodiesel2000
Ok, I have zipped the file you people asked for, but be careful there as I believe it's malicious lol
SkitZZ
Just to add to the first post: once the file is executed it installs the following reg key and files.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alertsrvc"="C:\\WINNT\\System32\\Svscc.exe"

%systemroot%\system32\saira.jpg //pic of an Indian lady
%systemroot%\system32\sks.dll //installs hooks for keylogger
%systemroot%\system32\svscc.exe //starts keylogger and emails results
%systemroot%\system32\svscc.sys //log file for keylogger


SkitZZ
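The Run key and the four dropped files SkitZZ lists are exactly what you would check for on other boxes that received the same attachment. The following is an added example, not SkitZZ's tooling or anything from the thread: it parses the text that `reg export` produces for the Run/RunOnce keys, extracts the image path from each value, and flags entries that are not on a baseline allowlist, that match the dropped-file list from the post, or that have same-stem companions in system32 (the svscc.exe/svscc.sys pair). The registry export, the system32 listing and the allowlist are constructed for the example; the dropped-file names are the ones from the post.

```python
import re
from pathlib import PureWindowsPath

RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
KNOWN_GOOD = {"ctfmon.exe", "mobsync.exe"}  # constructed allowlist; a real one comes from a clean baseline
DROPPED_FILES = {"svscc.exe", "svscc.sys", "sks.dll", "saira.jpg"}  # the files named in the post
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed `reg export` text (not captured from the infected box): the Alertsrvc entry
# from the post beside two ordinary Windows 2000/XP autostarts.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alertsrvc"="C:\\WINNT\\System32\\Svscc.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
'''
# Constructed directory listing of %systemroot%\system32 after the sample ran.
SAMPLE_SYSTEM32 = ["kernel32.dll", "ctfmon.exe", "mobsync.exe", "Svscc.exe",
                   "svscc.sys", "sks.dll", "saira.jpg"]


def parse_run_entries(reg_text: str) -> list:
    """Return (key, value name, command) for every value under a Run/RunOnce key."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith(RUN_KEYS):
            m = VALUE_RE.match(line)
            if m:
                entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))  # undo .reg escaping
    return entries


def image_path(command: str) -> str:
    """First token of the command: a quoted path, or a bare name/path ending in an executable extension."""
    m = re.match(r'"([^"]+)"|(\S+?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)', command, re.I)
    return (m.group(1) or m.group(2)) if m else command


def triage_autostarts(reg_text: str, system32_listing: list) -> dict:
    present = {f.lower() for f in system32_listing}
    findings = []
    for key, name, cmd in parse_run_entries(reg_text):
        path = image_path(cmd)
        base = PureWindowsPath(path).name.lower()
        reasons = []
        if base not in KNOWN_GOOD:
            reasons.append("image not on the allowlist")
        if base in DROPPED_FILES:
            reasons.append("image is one of the dropped files")
        stem = base.rsplit(".", 1)[0] + "."
        siblings = sorted(f for f in present if f.startswith(stem) and f != base)
        if siblings:  # e.g. the .sys log file sitting beside the .exe
            reasons.append("same-stem files in system32: " + ", ".join(siblings))
        if reasons:
            findings.append({"key": key, "name": name, "image": path, "reasons": reasons})
    return {"suspicious_autostarts": findings,
            "dropped_files_present": sorted(DROPPED_FILES & present)}


if __name__ == "__main__":
    report = triage_autostarts(SAMPLE_REG, SAMPLE_SYSTEM32)
    for f in report["suspicious_autostarts"]:
        print(f"{f['key']}\\{f['name']} -> {f['image']}: {'; '.join(f['reasons'])}")
    print("dropped files present:", report["dropped_files_present"])
```

On a live machine, produce the inputs with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU equivalent) plus a directory listing of system32; `reg export` on XP and later writes UTF-16 with a BOM, so decode the file before passing it in. Run and RunOnce are only two of many autostart locations, so a clean result here is one check, not a clean bill of health.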
hottzo
Hmm, packed (very unusual :P)

The actual trojan is IN the package, not packaged. If you execute it, it is run on the fly (and compiles on the fly) from the algorithm of the packaging; you can see it if you disassemble the archive, not what is included in the archive. What is packaged is just the keylogger. I can see the real process, the "finally compiled" trojan, is Svscc.exe and calls for svscc.sys, but I can't say if svscc.sys is the keylogger for sure.

<<new data: "just read the previous post, svscc.sys is the log data. Probably; I'll confirm it when my box is ready".

The file sks.dll, which I have attached (rar password: govsec), is just the keylogger.

The .exe file is packed with a tool like "Absolute packager"; for .exe you can turn it into .rar or .zip and vice versa and the archive works correctly each time, though this is inside the package, but not included in the package (e.g. a gift box: in the box is the gift, but the trojan is in the material of the gift box; I hope I made it clear).

I'll post the real/not packaged trojan when I have time to set up a sandbox.
Invision Power Board © 2001-2005 Invision Power Services, Inc.