Path: news.nzbot.com!spool1.sonic-news.com!pullnews.sonic-news.com!not-for-mail
From: nesScitur@husShmail.com (Ronin)
Newsgroups: alt.binaries.pictures.boys.retromod
Subject: Probable malware installer: Seventeen-year-old-fucked-eve.avi [1/1]
Date: Tue, 10 Mar 2009 22:56:03 GMT
Message-ID: <49b6ebce.67928335@127.0.0.1>
References: <MPG.24207fde8171092989887@news.easynews.com>
X-Newsreader: Forte Free Agent 1.21/32.243
Lines: 36
Organization: Unlimited download news at news.astraweb.com
NNTP-Posting-Host: cab7ed3c.news.astraweb.com
X-Trace: DXC=A18QWDGcDZSaaSDeVe\e2]L?0kYOcDh@Z@U:okjZ3^A\:<F<ZjFQ@:^m?GoW`8]WlUNTmXjl@0iIT7PjaQ2LgX@W
Xref: news.nzbot.com alt.binaries.pictures.boys.retromod:890
X-No-Archive: yes
On Tue, 10 Mar 2009 13:48:40 GMT, Guan <fua@deb.net> wrote:
> Seventeen-year-old-fucked-eve.avi
> begin 755 Seventeen-year-old-fucked-eve.avi.scr
> M35I0``(````$``\`__\``+@`````````0``:````````````````````````
> M``````````````````````$``+H0``X?M`G-(;@!3,TAD)!4:&ES('!R;V=R
> M86T@;75S="!B92!R=6X@=6YD97(@5VEN,S(-"B0W````````````````````
> M````````````````````````````````````````````````````````````
> <snip>
> M````````````````````````````````````````````````````````````
> "```
> `
> end

As may be seen from the message text, the decoded file is *NOT*
an .avi, but a screensaver file -- which is executable; see
http://filext.com/file-extension/SCR

A quick look at the decoded file with a hex editor shows that it
is, at least in part, a Visual Basic program, which may either
be malware itself or download malware from the Net (the URL, if
any, is encrypted). Whatever it actually is, it is pretending
to be something else -- which seems sufficient reason to impute
bad intent to its poster... and decline to give it a test drive.

An investigation and report by a White Hat with a proper Sandbox
and time on his hands would be most welcome.

Ronin