alt.binaries.pictures.boys.retromod
Probable malware installer: Seventeen-year-old-fucked-eve.avi [1/1] Unlimited download news ..
Ronin (nesScitur@husShmail.com) 2009/03/10 16:56

X-No-Archive: yes

On Tue, 10 Mar 2009 13:48:40 GMT, Guan <fua@deb.net> wrote:

> Seventeen-year-old-fucked-eve.avi
> begin 755 Seventeen-year-old-fucked-eve.avi.scr
> M35I0``(````$``\`__\``+@`````````0``:````````````````````````
> M``````````````````````$``+H0``X?M`G-(;@!3,TAD)!4:&ES('!R;V=R
> M86T@;75S="!B92!R=6X@=6YD97(@5VEN,S(-"B0W````````````````````
> M````````````````````````````````````````````````````````````

>   <snip>

> M````````````````````````````````````````````````````````````
> "```
> `
> end

As may be seen from the message text, the decoded file is *NOT*
an .avi, but a screensaver file -- which is executable;  see

     http://filext.com/file-extension/SCR

A quick look at the decoded file with a hex editor shows that
it is, at least in part, a Visual Basic program, which may either
be malware itself or download malware from the Net (the URL, if
any, is encrypted).  Whatever it actually is, it is pretending
to be something else -- which seems sufficient reason to impute
bad intent to its poster... and decline to give it a test drive.

An investigation and report by a White Hat with a proper Sandbox
and time on his hands would be most welcome.


Ronin
else
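
A check for the masquerade described in the post above, written as an added example (not part of the original post): it reads the uuencode `begin` line in a message body, compares the extensions in the declared file name, and decodes the first data line to look for the `MZ` magic of a DOS/Windows executable. The extension lists, the function name and the sample message are constructed for illustration.

```python
import binascii
import re

# Assumed lists: extensions Windows will execute, and media extensions used as a decoy.
EXECUTABLE = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
DECOY = {".avi", ".mpg", ".wmv", ".jpg", ".gif", ".mp3"}
QUOTE = re.compile(r"^(?:>[ \t]?)+")            # Usenet reply-quote prefix
BEGIN = re.compile(r"^begin\s+([0-7]{3,4})\s+(.+)$")

def scan_uuencoded(message):
    """Return one finding per uuencode 'begin' line found in a message body."""
    lines = [QUOTE.sub("", ln) for ln in message.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        m = BEGIN.match(line)
        if not m:
            continue
        name = m.group(2).strip()
        parts = name.lower().rsplit(".", 2)
        real_ext = "." + parts[-1] if len(parts) > 1 else ""
        inner_ext = "." + parts[-2] if len(parts) > 2 else ""
        # Decode only the first data line: enough to see the file's magic bytes.
        head = b""
        if i + 1 < len(lines) and lines[i + 1]:
            try:
                head = binascii.a2b_uu(lines[i + 1])
            except ValueError:                   # malformed or non-ASCII data line
                pass
        findings.append({
            "name": name,
            "executable": real_ext in EXECUTABLE,
            "double_extension": real_ext in EXECUTABLE and inner_ext in DECOY,
            "mz_header": head.startswith(b"MZ"),
        })
    return findings

# Constructed sample: a quoted attachment whose payload starts with an "MZ" header.
SAMPLE = (
    "Subject: holiday-clip.avi\n"
    "> begin 755 holiday-clip.avi.scr\n"
    "> " + binascii.b2a_uu(b"MZ" + bytes(43), backtick=True).decode("ascii") +
    "> `\n> end\n"
)

if __name__ == "__main__":
    for finding in scan_uuencoded(SAMPLE):
        print(finding)
```

Only the header line and the first data line are inspected, so nothing from the attachment is written to disk or executed.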
