[since I don't see my own postings to the list, I'm re-replying...]
On Monday 17 February 2003 6:09 am, Denys Beauchemin wrote:
[...]
> If anyone is interested I can send them the text file of the attachment.
OK, I got the file, took a look at it, and I'd say this is a big "BINGO" on
viral/trojan detection. The first few lines of the script read:
<title>Delivery Information</title>
<script language=vbs>
malware="4d,5a,90,0,3,0,0,0,4,0,0,0,ff,ff
Come on -- this guy even CALLS the thing "malware"!
The resulting executable name, "c:\program files\uliuli.exe", doesn't appear in
a Google search [though uliuli itself is some Hawaiian food or some such --
served in coconuts...]
The byte codes, as you see above, begin with "4d,5a,90,0", which actually
"pokes into" memory as "5a4d 0090", which is indeed the "tag" for a Microsoft
executable program. I'm not going to analyze the file much further -- I'm
willing to bet that when fully encoded into a file, it won't pass a "virus
scan" :)
--
Yet another Blog: http://osnut.homelinux.net
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
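Added example (not from the poster or the list): a small Python scanner for the pattern described above, an HTML/VBScript attachment that carries an executable as a comma-separated list of hex byte values. It pulls every `name="aa,bb,..."` list out of the text, decodes it to bytes, checks for the "MZ" (4d 5a) signature, and shows the first words as a debugger would, little-endian, so "4d,5a,90,0" comes out as "5a4d 0090". Only the first three script lines and the 14 byte values quoted in the post are taken from it; the surrounding `SAMPLE_HTML`, the `BENIGN_HTML` control case, and all function names are constructed for this example.

```python
"""Spot a hex-encoded Windows executable embedded in an HTML/VBScript attachment.

Constructed example: the dropper stores its payload as a quoted list of hex
byte values ("4d,5a,90,0,...") and later writes them to disk as an .exe.  Only
the first three lines of SAMPLE_HTML and its 14 byte values come from the
mailing-list post; everything else here is made up for the example.
"""
import re
import struct

# Constructed sample: first three lines and the 14 byte values are as quoted in
# the post; the closing </script> tag is added to make it a complete snippet.
SAMPLE_HTML = """<title>Delivery Information</title>
<script language=vbs>
malware="4d,5a,90,0,3,0,0,0,4,0,0,0,ff,ff"
</script>
"""

# Constructed control case: a comma-separated hex list that is NOT a PE image,
# to show the check does not fire on every hex string in a script.
BENIGN_HTML = """<script language=vbs>
colours="ff,0,0,0,ff,0"
</script>
"""

# name="aa,bb,cc,..." where every token is one or two hex digits (one byte each).
# The real dropper may split the list over several string concatenations; this
# regex handles only a single quoted string per variable (an assumption).
HEX_LIST_RE = re.compile(
    r'(\w+)\s*=\s*"([0-9a-fA-F]{1,2}(?:\s*,\s*[0-9a-fA-F]{1,2})+)"'
)


def decode_hex_list(text):
    """Turn '4d,5a,90,0' into b'MZ\\x90\\x00': each token is one byte, no 0x prefix."""
    return bytes(int(tok, 16) for tok in text.split(","))


def le_words(data):
    """16-bit little-endian view of the bytes, as a debugger shows a header.

    b'MZ\\x90\\x00' -> ['5a4d', '0090'].  A trailing odd byte is dropped.
    """
    usable = len(data) // 2 * 2
    return ["%04x" % word for (word,) in struct.iter_unpack("<H", data[:usable])]


def is_mz(data):
    """True when the buffer starts with the DOS/PE 'MZ' signature (0x4d 0x5a)."""
    return data[:2] == b"MZ"


def scan(text):
    """Return one finding per hex byte list found in the script text."""
    findings = []
    for match in HEX_LIST_RE.finditer(text):
        name, raw = match.group(1), match.group(2)
        data = decode_hex_list(raw)
        findings.append({
            "name": name,                    # variable the bytes are assigned to
            "size": len(data),               # bytes recovered from the list
            "is_mz": is_mz(data),            # starts with a Windows executable header?
            "head_words": le_words(data[:4]),  # first two words, little-endian
        })
    return findings


def embedded_pe_variables(text):
    """Names of variables whose decoded bytes start with an MZ header."""
    return [f["name"] for f in scan(text) if f["is_mz"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print(finding)
    print("suspicious variables:", embedded_pe_variables(SAMPLE_HTML))
```

The `is_mz` check alone is a weak signal (a script could legitimately carry a small executable), so in practice you would combine it with the delivery context shown in the post: a `<script language=vbs>` block in an e-mail attachment that decodes the list and writes the result under a path such as `c:\program files\`.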