par7133
2005-11-13 22:16:31 UTC
They were named Sexy, now Postcard or Postcards
Some URLs to pay attention to:
http://www.funnycards.nm.ru/
http://www.digitalpcard.nm.ru
http://www.cardstoyou.nm.ru
http://www.getpostcard.i8.com
redirects to http://www.iframetraff.biz/dl/adv669.php with some param
that takes you to the trojan.
After one intrusion into their "postcards" group to gain some info
about their FTP site (e.g. credentials), suddenly all users disappeared
one after another and reappeared with these figures:
ICQ Number    Name          NickName       Address
232-953-314   Nick Bell 7   Programmer a   USA
311-987-856   Nick Bell G   Programmer a   USA
340-815-362   Nick Bell 6   Programmer b   USA
323-107-161   Nick Bell 2   Programmer c   USA
285-025-623   Nick Bell Z   Programmer e   USA
227-819-105   Nick Bell P   Programmer E   USA
207-871-737   Nick Bell Z   Programmer e   USA
206-431-342   Nick Bell I   Programmer K   USA
338-270-388   Nick Bell w   Programmer L   USA
287-868-840   Nick Bell j   Programmer M   USA
339-921-555   Nick Bell P   Programmer N   USA
223-922-380   Nick Bell t   Programmer O   USA
319-762-274   Nick Bell W   Programmer P   USA
316-855-607   Nick Bell A   Programmer R   USA
285-510-533   Nick Bell H   Programmer x   USA
229-925-457   Nick Bell I   Programmer X   USA
paying attention to let me know about their existence..
This grants them easy knowledge of each other in their group.
From that, some considerations:
- each account is related to one member of the group, so more people
- if you write to one programmer he can answer from one of his
*postcard* accounts, so one or more virtual machines or ad-hoc software
per member
In addition:
- they are in one or more USA GMT time zones
- they are online only during office time
- while searching for their user *postcard* to add to my list for this
doc, the ICQ server blocked my searches (with attention to make me
understand it)
Now I'm connected through my proxy..
I would want to add you.. don't use ICQ because this is a very bad
commercial thing.
For virus details:
JV/Shinwow -- http://vil.nai.com/vil/content/v_101870.htm
Exploit-ByteVerify -- http://vil.nai.com/vil/content/v_100261.htm
Exploit-ANIfile -- http://vil.nai.com/vil/content/v_130604.htm
VBS/Inor -- http://vil.nai.com/vil/content/v_100598.htm
Downloader-YD -- http://vil.nai.com/vil/content/v_132763.htm
Panda -- Trj/Downloader.GCS
Sophos -- Troj/Harnig-A
Exploitation references:
Flaw in Microsoft VM Could Enable System Compromise (816093)
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx
Vulnerability in Cursor and Icon Format Handling Could Allow Remote
Code Execution (891711)
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
Note: The file loadadv400.exe was submitted to *all* AV companies and
signatures are being created.
Some other adware tools installed by this exploit:
C:\WINDOWS\SYSTEM\WVNNET16.DLL Adware-Look2Me
C:\WINDOWS\SYSTEM\CXYPTEXT.DLL Adware-Look2Me
C:\WINDOWS\SYSTEM\DQRAWEX.DLL Adware-Look2Me
C:\WINDOWS\SYSTEM\NWTOS.DLL Adware-Look2Me
C:\WINDOWS\SYSTEM\NOTAPI.DLL Adware-Look2Me
C:\WINDOWS\SYSTEM\UWDM32.DLL Adware-Look2Me
C:\WINDOWS\SYSTEM\iactl.dll Adware-Look2Me
Spy Sheriff
Desktop.Explorer - Key Value Forced change
MZS.Spoolserver32
and others uninstalled before this doc.
For more info:
http://groups.google.it/group/microsoft.public.security.virus/browse_thread/thread/cb8c5b1cebb8e795/0aee6a151789717b?lnk=st&q=icq%20trojan&rnum=1&hl=it&