CrackZ
July 19th, 2001, 13:51
Hiya.
This is a general warning to all RCE webmasters just to check very carefully their e-mail attachments; I'm sorry if this sounds patronising if you do it already ;-) but better safe than sorry.
There is an individual distributing an attachment by the name of 015200-006 estimated.doc (it purports to be a tutorial which of course you may, if your hands were too quick for your brain, run without thinking).
I've literally just done 10 minutes' analysis on this and basically it's nothing more than one of the ubiquitous sub7 trojans which (haven't verified this yet) connects you unwittingly to some central IRC server; it's also unlike many of the other sub7s in that it's not really well concealed (it's not packed) and is compiled in Delphi.
It installs itself with hidden attributes as SCam32.exe (get it ;-) ) in your /system directory; there are a few other files too (also hidden), one of them, sci1.dll, is plaintext and quite interesting:
This guy doesn't like some people, it seems.
The trojan ensures it's run by several entries in the registry; SCam32.exe is nothing more than a dropper for the IRC client Sirc32.exe (hidden inside your /recycled directory). The root class of exefile is also changed to ensure Sirc32.exe gets run every time you execute something, as is one of the RunOnce (can't remember if it's that one) keys. It also seems to have several of its own configurable entries in LOCAL_MACHINE/SirCam and below.
Anyway, I plan a good look inside this and will probably post a document of how this thing really operates in due course, in the interim.....
Regards and heads up.
CrackZ.
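As an added defender-side example (not part of CrackZ's post): a small Python check that parses a constructed `reg export` text dump and flags the three persistence points the post describes, an exefile open handler that is no longer the stock `"%1" %*`, Run/RunOnce values pointing at SCam32.exe or Sirc32.exe, and a SirCam key under HKEY_LOCAL_MACHINE. The value name, the exact key paths and the sample data are assumptions; only the file names come from the post.

```python
import re

# Constructed sample of a .reg text dump (not data from the post); the value
# name "Example" and the key paths are assumptions, only the file names are
# taken from the post.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\RECYCLED\\Sirc32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Example"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"

[HKEY_LOCAL_MACHINE\Software\SirCam]
"Data"="placeholder"
'''

CLEAN_EXEFILE_CMD = '"%1" %*'            # stock handler: run the exe itself
DROPPED_FILES = ("scam32.exe", "sirc32.exe")  # file names named in the post

def parse_reg_export(text):
    """Return (keys, [(key, value_name, data)]) for string values in a .reg dump."""
    keys, values, key = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            keys.append(key)
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                # undo .reg escaping: \\ -> \ and \" -> "
                values.append((key, name, re.sub(r'\\(.)', r'\1', raw[1:-1])))
    return keys, values

def sircam_findings(text):
    """Flag the persistence points described in the post; empty list if clean."""
    keys, values = parse_reg_export(text)
    findings = []
    for key in keys:
        k = key.lower()
        if k.startswith("hkey_local_machine\\") and k.endswith("\\sircam"):
            findings.append(f"trojan config key present: {key}")
    for key, name, data in values:
        k = key.lower()
        if k == r"hkey_classes_root\exefile\shell\open\command" and name == "(Default)":
            if data != CLEAN_EXEFILE_CMD:
                findings.append(f"exefile handler hijacked: {data}")
        elif k.endswith(("\\run", "\\runonce")) and any(f in data.lower() for f in DROPPED_FILES):
            findings.append(f"autorun value {name} -> {data}")
    return findings

if __name__ == "__main__":
    for finding in sircam_findings(SAMPLE_REG_EXPORT):
        print(finding)
```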