Re: [Full-Disclosure] Sears Scam Trojan Code
Date: Fri Dec 26 2003 - 03:30:51 CST
Some more information:
1) When the program is run, it install itself in registry for startup
2) It binds itself a _random_ listen TCP port and starts a proxy service.
The proxy code seems like a "normal" TCP connection forwarder, but I'm not
100% sure yet.
3) It sends the proxy port periodically, every 30 secs to cjdra.com with
the following url: http://cjdra.com/sd/PORT where PORT is the listening
port encoded as follows: for each port digit, do 46h + (39h - port), for
example: 1234 is NMLK. Probably the server is supposed to build some
database of the port/host information.
4) If the response HTTP page contains an ASCII string "upf:FILENAME"
somewhere, the program tries to fetch a file http://cjdra.com/FILENAME
and run it.
Regards,
-- Jarkko Turkulainen <jt@klake.org> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.htmlReceived on Fri Dec 26 03:45:12 2003
This archive was generated by hypermail 2.1.8 : Fri Dec 26 2003 - 04:01:01 CST
