[vault] Malware in the Boost Vault!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Sexy Live.zip", uploaded to the Vault on March 31st by "gr7ne2009", is apparently some kind of Trojan masquerading as a Windows screen saver, according to various antivirus programs (checked with both virusscan.jotti.org and www.virustotal.com). Who has access to remove it?

- --
Chad Nelson
Oak Circle Software, Inc.
* * *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwUA0YACgkQp9x9jeZ9/wRLTACg7MglGcYo8kHUW0542YvJexf6
N8cAoPgBzbA3zhZB064rsFMHLf/s8c9f
=KL39
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/12/2010, Chad Nelson wrote:

> "Sexy Live.zip", uploaded to the Vault on March 31st by "gr7ne2009", is apparently some kind of Trojan masquerading as a Windows screen saver, according to various antivirus programs (checked with both virusscan.jotti.org and www.virustotal.com). Who has access to remove it?

s.php4 and r.php4 look very suspicious as well.

- --
Chad Nelson
Oak Circle Software, Inc.
* * *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwUBXsACgkQp9x9jeZ9/wSsFgCfQiVbcbAXmD2RZFjxg8LzJMvJ
jfUAnRqb++aaafrkZXeved4MoxMLIZ8w
=WLjV
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/12/2010 06:08 PM, Chad Nelson wrote:

> "Sexy Live.zip", uploaded to the Vault on March 31st by "gr7ne2009", is apparently some kind of Trojan masquerading as a Windows screen saver, according to various antivirus programs (checked with both virusscan.jotti.org and www.virustotal.com). Who has access to remove it?
>
> s.php4 and r.php4 look very suspicious as well.

There are four other files uploaded by "gr7ne2009" that all look like malware of some sort too, maybe the same as the first one I mentioned above. c99.php4 doesn't look like malware, but it was uploaded by "bimokh", who uploaded s.php4. A closer examination might be warranted.

Any way to auto-scan all the files there? Should I keep looking?

- --
Chad Nelson
Oak Circle Software, Inc.
* * *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwUCAgACgkQp9x9jeZ9/wQgCgCfchWAvAfqMtusKIYWhuVn4Yuv
o1gAn1wg3upbqDQHTTSarwlB5P3FBKn/
=18V8
-----END PGP SIGNATURE-----
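The question of auto-scanning the Vault is answered below with "it's not easy"; as an added illustration that is not part of this thread or of the Boost Vault software, the following Python script shows the kind of first-pass triage a maintainer could run over an upload directory offline: hash every file, flag server-side script extensions and Windows executables (by the `MZ` header, whatever the name claims), look inside zip archives for executable members, and group hits by uploader so an account's whole upload history can be reviewed at once. The directory contents and the path-to-uploader mapping are constructed for the example; a real vault would supply uploader metadata from its own database, and the `Sexy Live.scr` member name is an assumption about what a screen-saver trojan in a zip would look like.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Extensions a C++ library file-share has no business hosting as loose uploads.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
SERVER_SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml"}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large uploads don't load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_like_pe(path):
    """True if the file starts with the DOS 'MZ' stub that every Windows PE carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_file(path):
    """Return the list of reasons a file is suspicious; an empty list means clean."""
    reasons = []
    ext = path.suffix.lower()
    if ext in SERVER_SCRIPT_EXTS:
        reasons.append("server-side script extension")
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable extension")
    if looks_like_pe(path):
        reasons.append("PE (MZ) header")  # checked by content, not by file name
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                if Path(member).suffix.lower() in EXECUTABLE_EXTS:
                    reasons.append(f"archive contains executable: {member}")
    return reasons


def scan_vault(root, uploader_of):
    """Walk root and return findings as dicts with path, uploader, sha256 and reasons."""
    root = Path(root)
    findings = []
    files = sorted((p for p in root.rglob("*") if p.is_file()), key=lambda p: p.as_posix())
    for path in files:
        reasons = scan_file(path)
        if reasons:
            rel = path.relative_to(root).as_posix()
            findings.append({
                "path": rel,
                "uploader": uploader_of.get(rel, "unknown"),
                "sha256": sha256_of(path),
                "reasons": reasons,
            })
    return findings


def report(findings):
    """Group suspicious paths by uploader so the whole account can be reviewed."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f["uploader"], []).append(f["path"])
    return by_user


def build_sample_vault():
    """Constructed sample directory mimicking the uploads named in the thread."""
    root = Path(tempfile.mkdtemp(prefix="vault-"))
    (root / "Tools").mkdir()
    fake_pe = b"MZ" + b"\x00" * 62  # only the magic bytes, not a real program
    with zipfile.ZipFile(root / "Sexy Live.zip", "w") as zf:
        zf.writestr("Sexy Live.scr", fake_pe)  # assumed member name
    (root / "s.php4").write_text("<?php /* constructed placeholder */ ?>")
    (root / "Tools" / "WebCam Bluetooth.exe").write_bytes(fake_pe)
    (root / "notes.txt").write_text("harmless text file")
    uploader_of = {  # constructed mapping; a real vault supplies this itself
        "Sexy Live.zip": "gr7ne2009",
        "s.php4": "bimokh",
        "Tools/WebCam Bluetooth.exe": "Admin",
        "notes.txt": "someone",
    }
    return root, uploader_of


if __name__ == "__main__":
    root, uploaders = build_sample_vault()
    found = scan_vault(root, uploaders)
    for f in found:
        print(f"{f['path']} (by {f['uploader']}) sha256={f['sha256'][:16]}...: {', '.join(f['reasons'])}")
    print(report(found))
```

The hashes are what you would feed to a multi-engine scanner such as the ones named in the first message, and the per-uploader grouping reflects the thread's own pattern: once one upload from an account is confirmed bad, the rest of that account's files deserve a look.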

On 6/12/2010 5:19 PM, Chad Nelson wrote:

> Any way to auto-scan all the files there? Should I keep looking?

Yes, please keep looking.. it's not easy to auto-anything in the vault.

--
-- Grafik - Don't Assume Anything
-- Redshift Software, Inc. - http://redshift-software.com
-- rrivera/acm.org (msn) - grafik/redshift-software.com
-- 102708583/icq - grafikrobot/aim,yahoo,skype,efnet,gmail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/12/2010 06:21 PM, Rene Rivera wrote:

>> Any way to auto-scan all the files there? Should I keep looking?
>
> Yes, please keep looking.. it's not easy to auto-anything in the vault.

"Tools/WebCam Bluetooth.exe" -- definitely malware. (user "Admin")

No time to look further right now. If some malware author put files into random directories (like that one), it'll take some time to find them. If I have a chance, I'll look at the other directories later tonight.

- --
Chad Nelson
Oak Circle Software, Inc.
* * *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwUDmYACgkQp9x9jeZ9/wRqIACfRE96wwHJHP5mp6Qw+NH65/fD
X2cAnjMFXdIcDBnkLO3DgJepzXML8k9n
=KXKK
-----END PGP SIGNATURE-----

On 6/12/2010 5:47 PM, Chad Nelson wrote:

> No time to look further right now. If some malware author put files into random directories (like that one), it'll take some time to find them. If I have a chance, I'll look at the other directories later tonight.

I think I looked through all of them now.. Found a few more bad files, and users.

--
-- Grafik - Don't Assume Anything
-- Redshift Software, Inc. - http://redshift-software.com
-- rrivera/acm.org (msn) - grafik/redshift-software.com
-- 102708583/icq - grafikrobot/aim,yahoo,skype,efnet,gmail

On 6/12/2010 4:59 PM, Chad Nelson wrote:

> "Sexy Live.zip", uploaded to the Vault on March 31st by "gr7ne2009", is apparently some kind of Trojan masquerading as a Windows screen saver, according to various antivirus programs (checked with both virusscan.jotti.org and www.virustotal.com). Who has access to remove it?

User and all their files I could find removed now.. And a fair number of other files by others that were definitely bogus also removed. Thanks for reporting this.. And if you find more please let me know.

--
-- Grafik - Don't Assume Anything
-- Redshift Software, Inc. - http://redshift-software.com
-- rrivera/acm.org (msn) - grafik/redshift-software.com
-- 102708583/icq - grafikrobot/aim,yahoo,skype,efnet,gmail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/12/2010 06:20 PM, Rene Rivera wrote:

>> "Sexy Live.zip", uploaded to the Vault on March 31st by "gr7ne2009", is apparently some kind of Trojan masquerading as a Windows screen saver, according to various antivirus programs (checked with both virusscan.jotti.org and www.virustotal.com). Who has access to remove it?
>
> User and all their files I could find removed now.. And a fair number of other files by others that were definitely bogus also removed. Thanks for reporting this.. And if you find more please let me know.

Thanks. Everything else (most judged solely by filenames and descriptions) looks legit. I only looked at files in the main directory though, there are a number of subdirectories. There's one directory that caught my eye ("Program to search for channels Nationali", which is very similar to the description for the "Sexy Live.zip" file), but if it had any contents, you'd already deleted them by the time I looked.

- --
Chad Nelson
Oak Circle Software, Inc.
* * *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkwUDG4ACgkQp9x9jeZ9/wSFMACgsdY9iPoibQPAHVoz1LBOORLA
+3kAn16kPag+OTnvK4J4hcgkZke+fSP8
=U3GE
-----END PGP SIGNATURE-----