Binary post x-posted to m.p.w.g by Calypso2134


David H. Lipman

You may have seen these posts. Well they are ALL the same and they are all Buzus/Steam
type password/data stealers.

http://www.virustotal.com/analisis/60af1392f20b6f76465998f6e4727dcd

a-squared 4.0.0.73 2009.01.08 Virus.Win32.Messen.L!IK
DrWeb 4.44.0.09170 2009.01.08 Trojan.Packed.407
Ikarus T3.1.1.45.0 2009.01.08 Virus.Win32.Messen.L
NOD32 3752 2009.01.08 probably a variant of Win32/PSWTool.NetPass.DF
ViRobot 2009.1.8.1550 2009.01.08 Dropper.Agent.511488

TCP Connection:
85.25.81.136:56539

FTP Connection:
85.25.81.136:21
 
Thanks for the information.

A perfect example of why it's best to use only Plain Text in your email
or Newsgroup client.
 
From: "R. McCarty" <[email protected]>

| Thanks for the information.

| A perfect example of why it's best to use only Plain Text in your email
| or Newsgroup client.

In this case it was a yEncoded 8-part multi-part binary. Since it was broken into eight
parts, the first 7 parts exceeded Microsoft's maximum attachment posting size and thus
they were blocked from being posted directly to the Microsoft News Server. However the
8th part was small enough to get posted.
 
On Thursday, 8 January 2009 at 23:14, David H. Lipman wrote:
You may have seen these posts. Well they are ALL the same and they are
all Buzus/Steam type password/data stealers.

http://www.virustotal.com/analisis/60af1392f20b6f76465998f6e4727dcd

a-squared 4.0.0.73 2009.01.08 Virus.Win32.Messen.L!IK
DrWeb 4.44.0.09170 2009.01.08 Trojan.Packed.407
Ikarus T3.1.1.45.0 2009.01.08 Virus.Win32.Messen.L
NOD32 3752 2009.01.08 probably a variant of Win32/PSWTool.NetPass.DF
ViRobot 2009.1.8.1550 2009.01.08 Dropper.Agent.511488

TCP Connection:
85.25.81.136:56539

FTP Connection:
85.25.81.136:21

this guy doesn't even know how to spread a virus... a simple link directly
to the exe file (hosted on a server somewhere) would be more effective to do
the bullshit he intended.
 
David said:
From: "R. McCarty" <[email protected]>


In this case it was a yEncoded 8-part multi-part binary. Since it was broken into eight
parts, the first 7 parts exceeded Microsoft's maximum attachment posting size and thus
they were blocked from being posted directly to the Microsoft News Server. However the
8th part was small enough to get posted.

Were they posted directly to the MS server, or just get passed along via
another server?

I only see the 8th part as well. Even if the whole thing would have
been downloaded, the newsreader would have to be set to reassemble them and
then execute the file. The latter wouldn't be possible on my Macbook.
Heh..

yEnc rocks!
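To make concrete what "reassemble them" involves, and why a single surviving part is inert, here is an added example (not code from the thread or from any newsreader): a minimal yEnc multi-part decoder that undoes the +42 shift and the `=` escapes, checks each part's `size` and `pcrc32` trailer, and refuses to return a binary unless every part listed in `total=` is present and intact. The eight posts it decodes are constructed in the block from a 1000-byte sample payload; the file name, part size and payload are assumptions made for the example, and the output of `reassemble()` on the complete set is what an analyst would hash and submit to a scanner, whereas the lone part 8 yields nothing executable.

```python
import re
import zlib

# Added example, not from the thread: yEnc payload bytes are shifted by +42;
# only NUL, LF, CR and '=' are escaped as '=' plus the byte shifted by a
# further +64.  Header/trailer lines start with '=ybegin', '=ypart', '=yend'.
_ESCAPE = {0x00, 0x0A, 0x0D, 0x3D}
_HDR_RE = re.compile(rb"^=y(begin|part|end)\s+(.*)$")


def _kv(fields: bytes) -> dict:
    """Parse 'key=value ...' header fields; 'name' may hold spaces, so it is split off first."""
    text = fields.decode("latin-1")
    out = {}
    m = re.search(r"\bname=(.*)$", text)
    if m:
        out["name"] = m.group(1)
        text = text[: m.start()]
    out.update(re.findall(r"(\w+)=(\S+)", text))
    return out


def yenc_encode_part(data: bytes, part: int, total: int, begin: int, size: int,
                     name: str, line_len: int = 128) -> bytes:
    """Encode one part of a multi-part binary (used here only to construct sample posts)."""
    body, col = bytearray(), 0
    for b in data:
        c = (b + 42) % 256
        if c in _ESCAPE:
            body += b"=" + bytes([(c + 64) % 256])
            col += 2
        else:
            body.append(c)
            col += 1
        if col >= line_len:
            body += b"\r\n"
            col = 0
    if col:
        body += b"\r\n"
    head = (f"=ybegin part={part} total={total} line={line_len} size={size} name={name}\r\n"
            f"=ypart begin={begin} end={begin + len(data) - 1}\r\n").encode("latin-1")
    tail = f"=yend size={len(data)} part={part} pcrc32={zlib.crc32(data):08x}\r\n".encode("latin-1")
    return head + bytes(body) + tail


def yenc_decode_part(post: bytes) -> dict:
    """Decode one yEnc part; 'crc_ok' says whether its size and pcrc32 trailer check out."""
    begin = end = None
    payload = bytearray()
    for line in post.split(b"\n"):          # byte-wise split: payload may hold any byte but CR/LF
        line = line.rstrip(b"\r")
        m = _HDR_RE.match(line)
        if m:
            if m.group(1) == b"begin":
                begin = _kv(m.group(2))
            elif m.group(1) == b"end":
                end = _kv(m.group(2))
            continue                         # '=ypart' offsets are not needed for this check
        i = 0
        while i < len(line):
            c = line[i]
            if c == 0x3D:                    # escape: undo the extra +64, then the +42
                i += 1
                c = line[i] - 64
            payload.append((c - 42) % 256)
            i += 1
    if begin is None or end is None:
        raise ValueError("not a complete yEnc part (missing =ybegin/=yend)")
    ok = len(payload) == int(end["size"])
    if "pcrc32" in end:
        ok = ok and zlib.crc32(payload) == int(end["pcrc32"], 16)
    return {"name": begin.get("name"), "part": int(begin.get("part", 1)),
            "total": int(begin.get("total", 1)), "data": bytes(payload), "crc_ok": ok}


def reassemble(posts: list) -> dict:
    """Collect parts; only a complete set with good CRCs yields a binary worth hashing or scanning."""
    parts, total = {}, 0
    for p in posts:
        d = yenc_decode_part(p)
        total = max(total, d["total"])
        parts[d["part"]] = d
    missing = [n for n in range(1, total + 1) if n not in parts]
    bad_crc = sorted(n for n, d in parts.items() if not d["crc_ok"])
    complete = not missing and not bad_crc
    data = b"".join(parts[n]["data"] for n in sorted(parts)) if complete else b""
    return {"complete": complete, "missing": missing, "bad_crc": bad_crc, "data": data}


# Constructed sample (assumption): 1000 bytes covering every byte value, split into 8 parts
# of 125 bytes, so every escape case is exercised on the round trip.
SAMPLE = bytes(range(256)) * 3 + bytes(range(232))
PART_SIZE = 125


def build_sample_posts() -> list:
    """Return the eight constructed yEnc posts carrying SAMPLE as 'sample.bin'."""
    posts = []
    for n in range(8):
        chunk = SAMPLE[n * PART_SIZE:(n + 1) * PART_SIZE]
        posts.append(yenc_encode_part(chunk, n + 1, 8, n * PART_SIZE + 1, len(SAMPLE), "sample.bin"))
    return posts


if __name__ == "__main__":
    posts = build_sample_posts()
    full = reassemble(posts)
    print("all 8 parts:", full["complete"], "bytes recovered:", len(full["data"]))
    last_only = reassemble(posts[7:])
    print("only part 8:", last_only["complete"], "missing:", last_only["missing"])
```

Feeding only the eighth post, as the Microsoft server did, leaves `missing` at parts 1 through 7 and no data; a part whose `pcrc32` does not match is reported in `bad_crc` rather than silently joined, which is the behaviour you want before a reassembled attachment is hashed or handed to a scanner.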
 
I saw many more than that. Out of curiosity, I opened 2 or 3 of them with
Outlook Express. Both contain garbage text, pretty much like opening a
binary file with a text editor.

Could my PC be infected? My antivirus doesn't warn me. My wild guess is no.
I'm using WinXP with SP3 and post SP3 patches installed. The account I'm
using is a regular acct (not admin, not power user).
 
From: "J S" <js at yahoo dot com>

| I saw many more than that. Out of curiosity, I opened 2 or 3 of them with
| Outlook Express. Both contain garbage text, pretty much like opening a
| binary file with a text editor.

| Could my PC be infected? My antivirus doesn't warn me. My wild guess is no.
| I'm using WinXP with SP3 and post SP3 patches installed. The account I'm
| using is a regular acct (not admin, not power user).

No, you couldn't be infected. You only saw a small part of the whole binary and you could
NOT have executed anything.
 