Forums: Jpeg Exploit In The Wild - Forums


Jpeg Exploit In The Wild

#1 Guest_sk3tch_*

  • Group: Guests

Posted 27 September 2004 - 05:29 PM

Info:
http://www.easynews.com/virus.txt

Sample:

http://easynews.com/.../virus-jpeg.zip

Looks like it is using this exploit code:
http://www.k-otik.co...gOfDeathM.c.php

What do you guys think? We've got to be close to a worm version of this soon...(if it isn't already here).

#2 User is offline   EzMe 

  • Private First Class
  • Group: Members
  • Posts: 139
  • Joined: 03-March 04

Posted 27 September 2004 - 07:14 PM

Dunno if you checked the channel #FurQ.. It's full of lamers over there <_<

#3 Guest_sk3tch_*

  • Group: Guests

Posted 27 September 2004 - 08:11 PM

Dunno what you're inferring...but I'm not talking about the code being out there...I realize that has been pub'd for quite some time...I'm talking about actual payload jpgs being posted to usenet today.

#4 User is offline   easternerd 

  • Sergeant
  • Group: Members
  • Posts: 226
  • Joined: 23-December 03

Posted 27 September 2004 - 09:16 PM

Yeah, it sure does have some offsets off the normal signature.
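A defender-side check for the kind of header anomaly mentioned above, added here as an example and not code from the thread or from the linked exploit: it walks the JPEG marker segments and flags any segment whose 2-byte length field is below 2, which is structurally invalid because the length counts itself (the MS04-028 GDI+ bug that the linked JpegOfDeath code targets is triggered by a COM segment with such a length). The sample bytes are constructed marker headers with no image data.

```python
"""Walk JPEG marker segments and flag malformed segment lengths.

Added example (not from the thread). A JPEG segment header is 0xFF, a
marker byte, then a big-endian 2-byte length that includes itself, so a
declared length below 2 is invalid. Flagging such headers is a cheap
file-level check a mail/usenet gateway or scanner can apply.
"""
import struct

SOI = b"\xff\xd8"
# Markers that carry no length field: SOI, EOI, TEM, RST0..RST7
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def walk_segments(data: bytes):
    """Yield (offset, marker, declared_length) for each segment up to SOS."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            yield pos, marker, None
            pos += 2
            if marker == 0xD9:        # EOI: end of image
                return
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, length
        if marker == 0xDA or length < 2:
            return                    # SOS data follows, or length is bogus
        pos += 2 + length


def find_bad_lengths(data: bytes):
    """Return [(offset, marker, length)] for segments declaring length < 2."""
    return [(o, m, n) for o, m, n in walk_segments(data)
            if n is not None and n < 2]


# Constructed samples (not real files): a COM segment with a valid length
# holding "abc", and a COM segment with the invalid length 1.
BENIGN = SOI + b"\xff\xfe\x00\x05abc" + b"\xff\xd9"
MALFORMED = SOI + b"\xff\xfe\x00\x01" + b"\xff\xd9"
```

Running `find_bad_lengths` over a file returns the offending segments, so a hit at a COM (0xFE) or APPn marker with length 0 or 1 is a strong indicator that the file is not a normal image.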

#5 User is offline   roxi 

  • Private First Class
  • Group: Members
  • Posts: 27
  • Joined: 14-March 04

Posted 30 September 2004 - 05:11 AM

Anybody have the files that all downloaded from the FTP virus.....
These files:
-rw-r--r-- 1 root root 90112 Sep 27 09:43 AdmDll.dll
-rw-r--r-- 1 root root 114688 Sep 27 09:43 Fport.exe
-rw-r--r-- 1 root root 663 Sep 27 09:43 ServUStartUpLog.txt
-rw-r--r-- 1 root root 32768 Sep 27 09:43 VNCHooks.dll
-rw-r--r-- 1 root root 1407 Sep 27 09:43 WinRun.dll
-rw-r--r-- 1 root root 811008 Sep 27 09:43 WinRun.exe
-rw-r--r-- 1 root root 1268 Sep 27 09:43 driver.log
-rw-r--r-- 1 root root 24576 Sep 27 09:43 drives.exe
-rw-r--r-- 1 root root 150 Sep 27 09:43 execute.bat
-rw-r--r-- 1 root root 0 Sep 27 09:43 filter3.ocx
-rw-r--r-- 1 root root 1052 Sep 27 09:43 irc-u.cfg
-rw-r--r-- 1 root root 0 Sep 27 09:43 irc-u.dat
-rw-r--r-- 1 root root 16802 Sep 27 09:43 irc-u.debug.log
-rw-r--r-- 1 root root 102400 Sep 27 09:43 irc-u.dll
-rw-r--r-- 1 root root 26624 Sep 27 09:43 kill.exe
-rw-r--r-- 1 root root 59392 Sep 27 09:43 nc.exe
-rw-r--r-- 1 root root 241664 Sep 27 09:43 nvsvc.exe
-rw-r--r-- 1 root root 36864 Sep 27 09:43 nvsvc32.dll
-rw-r--r-- 1 root root 45056 Sep 27 09:43 omnithread_rt.dll
-rw-r--r-- 1 root root 34304 Sep 27 09:43 peek.exe
-rw-r--r-- 1 root root 29408 Sep 27 09:43 raddrv.dll
-rw-r--r-- 1 root root 713 Sep 27 09:43 radmin.reg
-rw-r--r-- 1 root root 26112 Sep 27 09:43 rcrypt.exe
-rw-r--r-- 1 root root 40960 Sep 27 09:43 reg.exe
-rw-r--r-- 1 root root 6656 Sep 27 09:43 uptime.exe
-rw-r--r-- 1 root root 208896 Sep 27 09:43 vns.exe

I try to download it from ftp://209.171.43.27/www/system but I can't log in :(

#6 User is offline   marder 

  • Private
  • Group: Members
  • Posts: 14
  • Joined: 18-March 04

Posted 30 September 2004 - 09:24 AM

roxi, on Sep 30 2004, 01:11 PM, said:

Anybody have the files that all downloaded from the FTP virus.....
These files:
[...]
I try to download it from ftp://209.171.43.27/www/system but I can't log in :(


www.easynews.com/virus.html said:

UPDATE: There have been quite a few reports that this trojan did not work. They are wrong! It worked very well. Because of our quick action in finding and deconstructing this trojan, we were able to identify and shut down the FTP server that the trojan used to download its malware.


So you can't connect there.
However, files are modified or renamed from:
fport.exe (original)
servudaemon
something like iroffer
radmin
...

Just read at easynews.com and get the filtered and dumped packets.

#7 Guest_sk3tch_*

  • Group: Guests

Posted 30 September 2004 - 10:32 AM

I have them...I can't see how to attach files...msg me for them.
