Thread: Quick warning to all RCE Webmasters.

  1. #1

    Quick warning to all RCE Webmasters.

    Hiya.

    This is a general warning to all RCE webmasters just to check very carefully their e-mail attachments; I'm sorry if this sounds patronising if you do it already ;-) but better safe than sorry.

    There is an individual distributing an attachment by the name of 015200-006 estimated.doc (it purports to be a tutorial which of course you may run without thinking, if your hands were too quick for your brain).

    I've literally just done 10 minutes' analysis on this and basically it's nothing more than one of the ubiquitous sub7 trojans which (haven't verified this yet) connects you unwittingly to some central IRC server; it's also unlike many of the other sub7s in that it's not really well concealed (it's not packed) and is compiled in Delphi.

    It installs itself with hidden attributes as SCam32.exe (get it ;-) ) in your /system directory. There are a few other files too (also hidden); one of them, sci1.dll, is plaintext and quite interesting:

    admin@defacers.com
    asl@uofg.com.ua
    boloh@263.net
    crackz__@hotmail.com
    crayser@gmx.net
    emersa@ponferrada.com
    goatass@newavedesign.com
    inet@microsoft.com
    it_tomorrow_today@confused.com
    leszek@dubiel.pl
    lmmendoza@go.com
    lword@world.std.com
    meteo@null.net
    mikicom@teleline.es
    morlac@hotmail.com
    mpietrek@tiac.com
    none@foryou.com
    quotes@call4cms.com
    reg@extreme-dm.com
    sope@rediffmail.com
    tanuki@pannotia.com
    theanalyst@hushmail.com
    vinoprem@yahoo.com
    xiaoxiaoc@8848.net

    This guy doesn't like some people it seems.

    The trojan ensures it's run by several entries in the registry. SCam32.exe is nothing more than a dropper for the IRC client Sirc32.exe (hidden inside your /recycled directory); the root class of exefile is also changed to ensure Sirc32.exe gets run every time you execute something, as is one of the RunOnce (can't remember if it's that one) keys. It also seems to have several of its own configurable entries in LOCAL_MACHINE/SirCam and below.

    Anyway, I plan a good look inside this and will probably post a document of how this thing really operates in due course, in the interim.....

    Regards and heads up.

    CrackZ.
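    The persistence mechanisms described in the post above (the exefile open handler rewritten to launch Sirc32.exe from /recycled, a RunOnce entry pointing at the dropped SCam32.exe, and a configuration subtree under LOCAL_MACHINE named SirCam) can be checked offline against a registry export. The script below is an added example for this thread, not code from the original post or from any vendor write-up. Its sample .reg text and the value names ExampleEntry and ExampleSetting are constructed placeholders; the post does not say which parent key holds the SirCam subtree, so the check matches any HKEY_LOCAL_MACHINE path with a SirCam component. The stock value of the exefile open command on Windows is `"%1" %*`, which is what the hijack check compares against. A small helper also pulls the e-mail addresses out of a plaintext file like the sci1.dll the post describes, so the people on the list can be notified.

```python
"""Offline triage of a Windows .reg export for the SirCam-style persistence
indicators described in the thread, plus extraction of the address list
from a plaintext dropped file.  Sample inputs below are constructed."""
import re
from typing import Dict, List, Tuple

RegDict = Dict[str, Dict[str, str]]

# Constructed sample export (not a real capture).  Value names are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\Sirc32.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ExampleEntry"="C:\\WINDOWS\\system\\SCam32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\SirCam]
"ExampleSetting"="1"
'''

# Constructed clean export: stock exefile handler, nothing else of interest.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed stand-in for the plaintext sci1.dll: addresses with NUL/CRLF separators.
SAMPLE_BLOB = b"crackz__@hotmail.com\x00theanalyst@hushmail.com\r\nnone@foryou.com\x00"

DEFAULT_EXEFILE_CMD = '"%1" %*'          # stock Windows value
DROPPED_NAMES = ("sirc32.exe", "scam32.exe")
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_reg_export(text: str) -> RegDict:
    """Parse a .reg export into {key_path: {value_name: data}}.
    The default value is stored under the empty name.  REG_SZ data is
    unescaped; other value types are kept as the raw text after '='."""
    keys: RegDict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # \\ -> \ and \" -> "
        keys[current][name] = data
    return keys


def triage(keys: RegDict) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs for the persistence tricks in the post."""
    findings: List[Tuple[str, str]] = []
    cmd = keys.get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command", {}).get("")
    if cmd is not None and cmd.strip().lower() != DEFAULT_EXEFILE_CMD.lower():
        findings.append(("exefile handler hijacked", cmd))
    for path, values in keys.items():
        parts = path.split("\\")
        if parts[0].upper() == "HKEY_LOCAL_MACHINE" and any(p.lower() == "sircam" for p in parts[1:]):
            findings.append(("SirCam config key", path))
        if parts[-1].lower() in ("run", "runonce"):
            for name, data in values.items():
                if any(n in data.lower() for n in DROPPED_NAMES):
                    findings.append(("autorun entry for dropped file", f"{path}\\{name} = {data}"))
    return findings


def extract_addresses(blob: bytes) -> List[str]:
    """Pull e-mail addresses out of a plaintext data file; deduplicated and sorted."""
    return sorted({m.decode("ascii") for m in EMAIL_RE.findall(blob)})


if __name__ == "__main__":
    for indicator, evidence in triage(parse_reg_export(SAMPLE_REG)):
        print(f"[!] {indicator}: {evidence}")
    print("addresses:", ", ".join(extract_addresses(SAMPLE_BLOB)))
```

    On a real machine you would feed it the output of a full `regedit /e` export; the script only reads text, so it can be run from a clean host against an export copied off the suspect box.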

  2. #2
    goatass
    Guest
    wow I'm on the list, I'm touched

    CrackZ buddy thanks for the warning and I'm looking forward to see your paper on it, so don't be a lazy limie and do it :P

    goatass
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    the analyst / ucf
    Guest
    goatass (07-19-2001 13:40):
    wow I'm on the list, I'm touched

    CrackZ buddy thanks for the warning and I'm looking forward to see your paper on it, so don't be a lazy limie and do it :P

    goatass
    I'm on it too
    wow, I'm gonna cry, touched too
    heh
    can't wait to see CrackZ's lazy-powered paper on it ;-)
    i couldn't get that mail yet, sadly..
    thx for the warning CrackZ

    best regards all,

    the analyst

  4. #4
    Duelist_
    Guest
    http://www.protectorplus.com/virus_info/worms/sircam.htm

    Could that have anything to do with it?

    Cheers,

    Duelist

  5. #5
    That'll teach me to post on this board BEFORE searching the web ;-).

    It looks pretty, uhm, much like this is my nasty; didn't find the C:\My Documents part though, but I'm sure that's just cosmetic. Might still be worth some analysis just to *see*.

    The warning still stands ; /me goes off to re-acquaint himself with www.google.com.

    Regards

    CrackZ.

  6. #6
    Sope
    Guest
    I too am on the list.
    Thanks Crackz for the warning.
    Warm Regards to all!

    Sope

  7. #7
    fuckin_furious_splaj
    Guest
    and I just got it 20+ times from a guy called Gianluca (libero.it) regarding some help he needs with EasyCD creator and also Lettara generica gengy

    f**** you wap ass hole, I'm coming after you, buddy. Yes I can see your fu***** e-mail irc jenji@libero.it

    F***** W****** !!! - he's just a lamer

    btw tnx CrackZ + ZoneAlarm Pro
