Network Security Bugtraq

PowerPoint Phishing Trojan

Subject: PowerPoint Phishing Trojan
Date: Sat, 22 Apr 2006 01:11:20 -0700
Hi all,

Just an FYI, there is a neat little PowerPoint Trojan that we received
from a helpful source yesterday. It appears to be exploiting this vuln:

http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx

I extracted the PE file(s) out of the ppt and got only 3 recognizing the
file as malicious:

I have the binary available to AV vendors by request.

I found the blind drop and have recovered all the stolen files.

Thanks.

Antivirus            Version          Update        Result
AntiVir              6.34.0.24        04.20.2006    no virus found
Avast                4.6.695.0        04.21.2006    no virus found
AVG                  386              04.21.2006    no virus found
Avira                6.34.0.56        04.21.2006    no virus found
BitDefender          7.2              04.22.2006    Trojan.PPT.A
CAT-QuickHeal        8.00             04.21.2006    no virus found
ClamAV               devel-20060202   04.22.2006    no virus found
DrWeb                4.33             04.21.2006    BACKDOOR.Trojan
eTrust-InoculateIT   23.71.136        04.22.2006    no virus found
eTrust-Vet           12.4.2171        04.21.2006    no virus found
Ewido                3.5              04.21.2006    no virus found
Fortinet             2.71.0.0         04.22.2006    suspicious
F-Prot               3.16c            04.21.2006    no virus found
Ikarus               0.2.59.0         04.21.2006    no virus found
Kaspersky            4.0.2.24         04.22.2006    no virus found
McAfee               4746             04.21.2006    no virus found
NOD32v2              1.1501           04.21.2006    probably unknown NewHeur_PE virus
Norman               5.90.16          04.21.2006    W32/Malware
Panda                9.0.0.4          04.21.2006    Suspicious file
Sophos               4.04.0           04.21.2006    no virus found
Symantec             8.0              04.22.2006    no virus found
TheHacker            5.9.7.132        04.21.2006    no virus found
UNA                  1.83             04.21.2006    no virus found
VBA32                3.10.5           04.19.2006    no virus found

Additional Information
File size: 144514 bytes
MD5: d8ec5f57861104fba4ee2e3f12cfa5a8
SHA1: 94d2202fb50df5a8e00f5da50b8e0783ec144465
Norman SandBox:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Decompressing ASPack.
* File length: 144514 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\wbem\wmiadapt.exe.
* Creates file C:\WINDOWS\SYSTEM32\systhin.dll.

[ Process/window information ]
* Modifies other process memory.
* Creates a remote thread.
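The post says the PE file(s) were extracted out of the .ppt and then hashed and submitted to the scanners. The following is an added triage example, not code from the post or from any of the vendors listed above: it scans a document blob for embedded PE images (an MZ header whose e_lfanew points at a valid "PE\0\0" signature), carves each one to the extent its section table describes, hashes the result, and compares the hashes with the MD5/SHA1 quoted above. The OLE compound-document magic and the PE header offsets are standard; the sample input built by build_sample_ppt() is a constructed stand-in (OLE-style header plus a harmless one-section PE stub), not the Trojan, so its hashes will not match the IoCs. Function names are my own.

```python
import hashlib
import struct

# Hashes quoted from the post for the extracted binary (real IoCs from the page).
KNOWN_MD5 = "d8ec5f57861104fba4ee2e3f12cfa5a8"
KNOWN_SHA1 = "94d2202fb50df5a8e00f5da50b8e0783ec144465"

# Compound-document (OLE2) signature shared by legacy .ppt/.doc/.xls files.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def pe_extent(data: bytes, mz_off: int):
    """If the 'MZ' at mz_off heads a real PE image, return the image's size
    (relative to mz_off) as reconstructed from its section table; else None."""
    if mz_off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + 0x3C)[0]
    pe = mz_off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]       # COFF SizeOfOptionalHeader
    sect = pe + 24 + opt_size                                    # first IMAGE_SECTION_HEADER
    end = (sect - mz_off) + 40 * n_sections                      # at least the headers
    for i in range(n_sections):
        off = sect + 40 * i
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data) - mz_off)


def carve_pe_files(data: bytes):
    """Return [(offset, bytes)] for every embedded PE image found in data."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        size = pe_extent(data, pos)
        if size:
            found.append((pos, data[pos:pos + size]))
            pos = data.find(b"MZ", pos + size)   # skip past the carved image
        else:
            pos = data.find(b"MZ", pos + 1)
    return found


def hashes(blob: bytes) -> dict:
    return {"md5": hashlib.md5(blob).hexdigest(), "sha1": hashlib.sha1(blob).hexdigest()}


def matches_post_iocs(blob: bytes) -> bool:
    """True if the carved binary is the sample the post describes."""
    h = hashes(blob)
    return h["md5"] == KNOWN_MD5 or h["sha1"] == KNOWN_SHA1


def build_sample_ppt() -> bytes:
    """Constructed input: OLE-style header, zero filler, then a minimal PE stub
    with one section (raw data at 0x80, 16 bytes of RET opcodes). Not a real
    PowerPoint file and not the Trojan; it only exercises the carver."""
    mz = bytearray(0x40)
    mz[0:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 0x40)                      # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80) + bytes(16)
    pe = bytes(mz) + coff + section                               # exactly 0x80 bytes of headers
    pe += b"\xC3" * 16                                            # section raw data
    return OLE_MAGIC + bytes(0x200 - len(OLE_MAGIC)) + pe + bytes(64)


if __name__ == "__main__":
    doc = build_sample_ppt()
    print("OLE container:", doc.startswith(OLE_MAGIC))
    for off, blob in carve_pe_files(doc):
        h = hashes(blob)
        print(f"PE at 0x{off:x}, {len(blob)} bytes, md5={h['md5']} sha1={h['sha1']}, "
              f"known sample: {matches_post_iocs(blob)}")
```

Run against a real suspect document, the carved blobs are what you would hash and submit; a carved image whose hashes match the post's values is the same sample. Note the size reconstruction trusts the section table, so a packed or deliberately mangled header (the sandbox reports ASPack on this one) can understate the extent; when in doubt, carve to end-of-file as well.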

Current thread: PowerPoint Phishing Trojan, Lance James