Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: PowerPoint Phishing Trojan



> -----Original Message-----
> From: Lance James [mailto:bugtraq@xxxxxxxxxxxxxxxxx] 
> Sent: Saturday, April 22, 2006 12:11 PM
> To: phishing@xxxxxxxxxxxxxxxxx; 
> binaryanalysis@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: PowerPoint Phishing Trojan
> 
> Hi all,
> 
> Just an FYI, there is a neat little PowerPoint Trojan that we received
> from a helpful source yesterday. It appears to be exploiting 
> this vuln:
> 
> http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
> 
> I extracted the PE file(s) out of the ppt and got only 3 
> recognizing the
> file as malicious:
> 
> I have the binary to available AV vendors by request.
> 
> I found the blind drop and have recovered all the stolen files.
> 
> Thanks.
> 
> Antivirus     Version         Update  Result
> AntiVir       6.34.0.24       04.20.2006      no virus found
> Avast         4.6.695.0       04.21.2006      no virus found
> AVG   386     04.21.2006      no virus found
> Avira         6.34.0.56       04.21.2006      no virus found
> BitDefender   7.2     04.22.2006      Trojan.PPT.A
> CAT-QuickHeal         8.00    04.21.2006      no virus found
> ClamAV        devel-20060202  04.22.2006      no virus found
> DrWeb         4.33    04.21.2006      BACKDOOR.Trojan
> eTrust-InoculateIT    23.71.136       04.22.2006      no virus found
> eTrust-Vet    12.4.2171       04.21.2006      no virus found
> Ewido         3.5     04.21.2006      no virus found
> Fortinet      2.71.0.0        04.22.2006      suspicious
> F-Prot        3.16c   04.21.2006      no virus found
> Ikarus        0.2.59.0        04.21.2006      no virus found
> Kaspersky     4.0.2.24        04.22.2006      no virus found
> McAfee        4746    04.21.2006      no virus found
> NOD32v2       1.1501  04.21.2006      probably unknown 
> NewHeur_PE virus
> Norman        5.90.16         04.21.2006      W32/Malware
> Panda         9.0.0.4         04.21.2006      Suspicious file
> Sophos        4.04.0  04.21.2006      no virus found
> Symantec      8.0     04.22.2006      no virus found
> TheHacker     5.9.7.132       04.21.2006      no virus found
> UNA   1.83    04.21.2006      no virus found
> VBA32         3.10.5  04.19.2006      no virus found
> 
> Aditional Information
> File size: 144514 bytes
> MD5: d8ec5f57861104fba4ee2e3f12cfa5a8
> SHA1: 94d2202fb50df5a8e00f5da50b8e0783ec144465
> Norman SandBox:
> [ General information ]
> * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@xxxxxxxxx -
> REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
> * File might be compressed.
> * Decompressing ASPack.
> * File length: 144514 bytes.
> 
> [ Changes to filesystem ]
> * Creates file C:WINDOWSSYSTEM32wbemwmiadapt.exe.
> * Creates file C:WINDOWSSYSTEM32systhin.dll.
> 
> [ Process/window information ]
> * Modifies other process memory.
> * Creates a remote thread.
> 
> 
> 
> 
> 



 




Copyright © Lexa Software, 1996-2009.