Quick warning to all RCE Webmasters.


CrackZ
July 19th, 2001, 13:51
Hiya.

This is a general warning to all RCE webmasters just to check very carefully their e-mail attachments; I'm sorry if this sounds patronising if you do it already ;-) but better safe than sorry.

There is an individual distributing an attachment by the name of 015200-006 estimated.doc (it purports to be a tutorial, which of course you may run without thinking if your hands were too quick for your brain).

I've literally just done 10 minutes' analysis on this and basically it's nothing more than one of the ubiquitous sub7 trojans which (haven't verified this yet) connects you unwittingly to some central IRC server. It's also unlike many of the other sub7's in that it's not really well concealed (it's not packed) and compiled in Delphi.

It installs itself with hidden attributes as SCam32.exe (get it ;-) ) in your /system directory; there are a few other files too (also hidden), one of them, sci1.dll, is plaintext and quite interesting:

admin@defacers.com
asl@uofg.com.ua
boloh@263.net
crackz__@hotmail.com
crayser@gmx.net
emersa@ponferrada.com
goatass@newavedesign.com
inet@microsoft.com
it_tomorrow_today@confused.com
leszek@dubiel.pl
lmmendoza@go.com
lword@world.std.com
meteo@null.net
mikicom@teleline.es
morlac@hotmail.com
mpietrek@tiac.com
none@foryou.com
quotes@call4cms.com
reg@extreme-dm.com
sope@rediffmail.com
tanuki@pannotia.com
theanalyst@hushmail.com
vinoprem@yahoo.com
xiaoxiaoc@8848.net

This guy doesn't like some people, it seems.

The trojan ensures it's run by several entries in the registry. SCam32.exe is nothing more than a dropper for the IRC client Sirc32.exe (hidden inside your /recycled directory); the root class of exefile is also changed to ensure Sirc32.exe gets run every time you execute something, as is one of the RunOnce (can't remember if it's that one) keys. It also seems to have several of its own configurable entries in LOCAL_MACHINE/SirCam and below.

Anyway, I plan a good look inside this and will probably post a document of how this thing really operates in due course; in the interim...

Regards and heads up.

CrackZ.
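A defender's offline triage check for the indicators CrackZ lists above, added here as an example and not taken from the thread or from CrackZ's own analysis: it takes a list of file paths and the text of a .reg export and flags the hidden dropper, the address-list DLL, the IRC client in the recycled directory, a hijacked exefile open command, any Run/RunOnce autostart pointing at those files, and a SirCam key under HKEY_LOCAL_MACHINE. The sample paths and registry text are constructed; the value names in them and the Software\SirCam key path are assumptions rather than values reported in the post.

```python
"""Offline triage for the persistence indicators described in the thread.
Input is a list of file paths and the text of a .reg export, so nothing here
touches a live registry; all sample data below is constructed."""
import re

# Filenames named in the post, keyed lower-case for case-insensitive matching.
FILE_INDICATORS = {
    "scam32.exe": "dropper in the system directory",
    "sci1.dll": "plaintext address list",
    "sirc32.exe": "IRC client in the recycled directory",
}

# Either of these keys may carry the autostart entry the post mentions.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
EXEFILE_COMMAND_KEY = r"hkey_classes_root\exefile\shell\open\command"


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}; default value is '@'."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # Unescape the backslashes and quotes regedit writes in string data.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def check_files(paths):
    """Flag any path whose filename is one of the three the post names."""
    findings = []
    for path in paths:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in FILE_INDICATORS:
            findings.append(f"file: {path} ({FILE_INDICATORS[name]})")
    return findings


def check_registry(keys):
    """Flag the three registry changes the post describes."""
    findings = []
    for key, values in keys.items():
        lowered = key.lower()
        # Root class of exefile hijacked: the default command should be "%1" %*
        if lowered == EXEFILE_COMMAND_KEY:
            command = values.get("@", "")
            if "sirc32.exe" in command.lower():
                findings.append(f"registry: exefile open command hijacked -> {command}")
        # Autostart under Run or RunOnce pointing at one of the dropped files
        if RUN_KEY_RE.search(key):
            for name, data in values.items():
                if any(ind in data.lower() for ind in FILE_INDICATORS):
                    findings.append(f"registry: autostart {key}\\{name} -> {data}")
        # The trojan's own configuration key under HKEY_LOCAL_MACHINE
        if lowered.startswith("hkey_local_machine\\") and "\\sircam" in lowered:
            findings.append(f"registry: configuration key {key}")
    return findings


def triage(paths, reg_text):
    """Return every indicator found in the file list and the registry export."""
    return check_files(paths) + check_registry(parse_reg_export(reg_text))


# Constructed sample: an infected host's file listing and registry export.
# The value names and the Software\SirCam path are assumptions, not values
# reported in the thread; kernel32.dll is a benign control entry.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\SCam32.exe",
    r"C:\WINDOWS\SYSTEM\sci1.dll",
    r"C:\RECYCLED\Sirc32.exe",
    r"C:\WINDOWS\SYSTEM\kernel32.dll",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\RECYCLED\\Sirc32.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"autostart_sample"="C:\\WINDOWS\\SYSTEM\\SCam32.exe"
[HKEY_LOCAL_MACHINE\Software\SirCam]
"config_sample"="C:\\RECYCLED\\Sirc32.exe"
'''
# Constructed clean export: the default exefile command on an unmodified host.
CLEAN_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_PATHS, SAMPLE_REG):
        print(finding)
```

On the constructed sample this reports six findings (three files, the hijacked exefile command, the RunOnce entry and the SirCam key) and nothing on the clean export; the exefile check is the one worth keeping around, since a hijacked open command is what makes the thing run every time any executable is launched.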

goatass
July 19th, 2001, 15:40
wow I'm on the list, I'm touched

CrackZ buddy, thanks for the warning and I'm looking forward to seeing your paper on it, so don't be a lazy limey and do it :P

goatass

the analyst / ucf
July 19th, 2001, 17:20
Quote:
goatass (07-19-2001 13:40):
wow I'm on the list, I'm touched

CrackZ buddy, thanks for the warning and I'm looking forward to seeing your paper on it, so don't be a lazy limey and do it :P

goatass


I'm on it too
wow, I'm gonna cry, touched too
heh
can't wait to see crackz's lazy-powered paper on it ;-)
i couldn't get that mail yet, sadly..
thx for the warning CrackZ

best regards all,

the analyst

Duelist_
July 19th, 2001, 21:18
http://www.protectorplus.com/virus_info/worms/sircam.htm

Could that have anything to do with it?

Cheers,

Duelist

CrackZ
July 20th, 2001, 01:50
That'll teach me to post on this board BEFORE searching the web ;-).

It looks pretty much like this is my nasty; I didn't find the C:\My Documents part though, but I'm sure that's just cosmetic. It might still be worth some analysis just to *see*.

The warning still stands; /me goes off to re-acquaint himself with www.google.com.

Regards

CrackZ.

Sope
July 21st, 2001, 02:15
I'm on the list too.
Thanks Crackz for the warning.
Warm Regards to all!

Sope

fuckin_furious_splaj
July 29th, 2001, 08:00
and I just got it 20+ times from a guy called Gianluca (libero.it) regarding some help he needs with EasyCD creator and also Lettara generica gengy

F**** you, wap asshole, I'm comin' after you buddy. Yes, I can see your fu***** e-mail irc jenji@libero.it

F***** W****** !!! - he's just a lamer

btw tnx CrackZ + ZoneAlarm Pro