HP3000-L Archives

February 2003, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Tom Emerson <[log in to unmask]>
Reply To: Tom Emerson <[log in to unmask]>
Date: Mon, 17 Feb 2003 10:31:49 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (30 lines)

[since I don't see my own postings to the list, I'm re-replying...]
On Monday 17 February 2003 6:09 am, Denys Beauchemin wrote:
[...]
> If anyone is interested I can send them the text file of the attachment.

OK, I got the file, took a look at it, and I'd say this is a big "BINGO" on
viral/trojan detection.  The first few lines of the script read:

     <title>Delivery Information</title>
     <script language=vbs>
     malware="4d,5a,90,0,3,0,0,0,4,0,0,0,ff,ff

Come on -- this guy even CALLS the thing "malware"!

The resulting executable name, "c:\program files\uliuli.exe" doesn't appear in
a Google search [though uliuli itself is some Hawaiian food or some such --
served in coconuts...]

The byte codes, as you see above, begin with "4d,5a,90,0", which actually
"pokes into" memory as "5a4d 0090", which is indeed the "tag" for a Microsoft
executable program.  I'm not going to analyze the file much further -- I'm
willing to bet that when fully encoded into a file, it won't pass a "virus
scan" :)

--
Yet another Blog: http://osnut.homelinux.net

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
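The check described in the post (a quoted, comma-separated list of hex byte values whose first bytes decode to the "MZ" executable header) is easy to automate as a triage step. The following is an added example written for this archive page; it is not code from the post or its author. The sample script text is constructed to mimic the shape of the quoted attachment: only the first four byte values match what the post quotes, the rest are made up filler. The `scan` function finds every quoted hex list in a script body, decodes it (the values are not zero-padded, so "0" and "3" are single-digit bytes), reports whether it starts with the MZ magic, and renders the leading bytes as little-endian 16-bit words the way the post does ("5a4d 0090").

```python
import re

# Constructed sample input (not the real attachment): the first line of the
# byte list matches the prefix quoted in the post; everything after is filler.
SAMPLE_SCRIPT = """<title>Delivery Information</title>
<script language=vbs>
malware="4d,5a,90,0,3,0,0,0,4,0,0,0,ff,ff,0,0,b8,0,0,0"
"""

# 0x4d 0x5a ("MZ") is the magic at offset 0 of DOS and Windows PE executables.
MZ_MAGIC = b"MZ"

# name = "hh,h,hh,..." where each token is one or two hex digits.
HEX_LIST_RE = re.compile(
    r'(\w+)\s*=\s*"((?:[0-9a-fA-F]{1,2},)+[0-9a-fA-F]{1,2})"'
)


def extract_hex_lists(text):
    """Return (variable_name, decoded_bytes) for each quoted hex byte list."""
    found = []
    for name, body in HEX_LIST_RE.findall(text):
        data = bytes(int(tok, 16) for tok in body.split(","))
        found.append((name, data))
    return found


def is_mz_executable(data):
    """True when the decoded payload starts with the MZ executable header."""
    return data[:2] == MZ_MAGIC


def as_le_words(data, count=2):
    """Render the first `count` 16-bit little-endian words as hex strings,
    e.g. b'MZ\\x90\\x00' -> '5a4d 0090', matching the post's description."""
    words = []
    for i in range(0, 2 * count, 2):
        chunk = data[i:i + 2]
        if len(chunk) < 2:
            break
        words.append("%04x" % int.from_bytes(chunk, "little"))
    return " ".join(words)


def scan(text):
    """Triage a script body: list every embedded hex byte array and flag
    those that decode to an executable image."""
    findings = []
    for name, data in extract_hex_lists(text):
        findings.append({
            "name": name,
            "length": len(data),
            "mz_header": is_mz_executable(data),
            "leading_words": as_le_words(data),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SCRIPT):
        flag = "EXECUTABLE (MZ)" if f["mz_header"] else "not MZ"
        print(f"{f['name']}: {f['length']} bytes, words {f['leading_words']}: {flag}")
```

On a real attachment the byte list may be split across several VBScript lines with `& _` continuations; joining those lines before calling `scan` is the only adaptation needed, and the MZ check itself stays the same.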
