Re: [Full-Disclosure] New virus?

From: the rxmr (the.rxmrgmail.com)
Date: Mon Sep 27 2004 - 14:14:03 CDT


----- Original Message -----
From: Bernardo Santos Wernesback <bernardoish.com.br>
Date: Mon, 27 Sep 2004 14:44:58 -0300
Subject: [Full-Disclosure] New virus?
To: full-disclosurelists.netsys.com

 
Hi everyone,
  
Has anyone seen a lot of HTTP activity to a certain site:
http://www.fotosgratis.pop.com.br ?
  
One of our clients has several machines making tons of requests for
TXT files on that server:
  
botao.txt
mswinsck.txt
ita01.txt
caixa01.txt
teclado07.txt
caixa01.txt
caixa02.txt
caixa03.txt
caixa04.txt
caixa05.txt
  
Thanks for any info.,

_____________________________________________________
Bernardo Santos Wernesback
ESSE,ESS,SCSE,CCNA/DA,CCSA,CQS,MCP
Consultant / ISH Tecnologia
Phone: +55-27-3334-8900
Mobile: +55-27-8111-0884
Email: bernardoish.com.br
PGP Fingerprint: 6A42 3701 70D7 FD0F 5FA9 D232 CDD4 6189 EF43 95F5

This should answer your questions.

It is a trojan - TROJ_BANCOS.BW or a variant.

http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_BANCOS.BW

From the page:

"
Description:

This Trojan attempts to download the following image files in the
folder %Windows%\inf:

    * botao.bmp
    * caixa01.jpg
    * caixa02.jpg
    * caixa04.jpg
    * caixa05.jpg
    * ita01.jpg
    * teclado_05.jpg
    * teclado_07.jpg
    * teclado_gere03.jpg
    * teclado_gere04.jpg
    * teclado_gere05.jpg
    * teclado_gere06.jpg
"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
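
Added example, not part of either poster's message: a small proxy-log triage script that lists which internal clients requested the file names mentioned in this thread from the reported host. Names are compared by stem, so the .txt requests seen on the wire match the .bmp/.jpg names in the vendor description. The log layout (timestamp, client, method, URL, status), the sample lines and the function names are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Host and file names are copied from the two messages in this thread.
SUSPECT_HOST = "www.fotosgratis.pop.com.br"
REPORTED_FILES = (
    "botao.txt mswinsck.txt ita01.txt teclado07.txt caixa01.txt caixa02.txt "
    "caixa03.txt caixa04.txt caixa05.txt botao.bmp caixa01.jpg caixa02.jpg "
    "caixa04.jpg caixa05.jpg ita01.jpg teclado_05.jpg teclado_07.jpg "
    "teclado_gere03.jpg teclado_gere04.jpg teclado_gere05.jpg teclado_gere06.jpg"
).split()

def stem(name):
    """Lower-case, drop directory, extension and underscores: teclado_07.jpg -> teclado07."""
    base = name.rsplit("/", 1)[-1].lower()
    return base.rsplit(".", 1)[0].replace("_", "")

SUSPECT_STEMS = {stem(n) for n in REPORTED_FILES}

# Constructed sample log lines (assumed format, not real traffic).
SAMPLE_LOG = """\
2004-09-27T14:01:02 10.0.0.21 GET http://www.fotosgratis.pop.com.br/botao.txt 200
2004-09-27T14:01:03 10.0.0.21 GET http://www.fotosgratis.pop.com.br/caixa01.txt 200
2004-09-27T14:01:05 10.0.0.34 GET http://WWW.fotosgratis.pop.com.br/teclado_07.jpg 200
2004-09-27T14:02:10 10.0.0.34 GET http://www.fotosgratis.pop.com.br/index.html 200
2004-09-27T14:02:11 10.0.0.50 GET http://www.example.com/botao.txt 200
malformed line
"""

def suspect_clients(log_text):
    """Return {client_ip: sorted list of matched file stems} for the reported host."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip lines that do not fit the assumed layout
            continue
        _ts, client, _method, url, _status = parts
        target = urlsplit(url)
        if (target.hostname or "").lower() != SUSPECT_HOST:
            continue                 # same file name on another host is not a match
        name = stem(target.path)
        if name in SUSPECT_STEMS:
            hits[client].add(name)
    return {client: sorted(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in sorted(suspect_clients(SAMPLE_LOG).items()):
        print(client, ", ".join(names))
```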