postcard.gif.exe

Virus Guy
External
Since: Aug 05, 2005
Posts: 424

(Msg. 1) Posted: Sat Dec 29, 2007 10:30 am
Post subject: postcard.gif.exe
Archived from groups: alt.comp.virus

Here's something recent that is an SFX RAR archive.

Don't download this unless you know what you're doing.

hxxp://bioscor-j.com/~norbil/postcard.gif.exe

jen
External
Since: Aug 15, 2003
Posts: 112

(Msg. 2) Posted: Sat Dec 29, 2007 12:10 pm
Post subject: Re: postcard.gif.exe
Archived from groups: per prev. post

"Virus Guy" <Virus.RemoveThis@Guy.com> wrote in message
news:47766824.65CAE641@Guy.com...
> Here's something recent that is an SFX RAR archive.
> Don't download this unless you know what you're doing.
> hxxp://bioscor-j.com/~norbil/postcard.gif.exe

How recent? Maybe a new variant...
BKDR_ZAPCHAST.BB:
Initial samples received on: Dec 6, 2005
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_Z...HAST.BB

-jen

jen
External
Since: Aug 15, 2003
Posts: 112

(Msg. 3) Posted: Sat Dec 29, 2007 1:22 pm
Post subject: Re: postcard.gif.exe
Archived from groups: per prev. post

"Virus Guy" <Virus RemoveThis @Guy.com> wrote in message
news:47766824.65CAE641@Guy.com...
> Here's something recent that is an SFX RAR archive.
> Don't download this unless you know what you're doing.
> hxxp://bioscor-j.com/~norbil/postcard.gif.exe

Did you submit it to Virus Total?
Here's a more recent report on Zapchast from Sunbelt:
Backdoor.IRC.Zapchast:
Last updated on Nov 7 2007
http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.....Zapcha

-jen
Roadkil
External
Since: Dec 29, 2007
Posts: 6

(Msg. 4) Posted: Sat Dec 29, 2007 5:44 pm
Post subject: Re: postcard.gif.exe
Archived from groups: per prev. post

On Sat, 29 Dec 2007 12:10:21 -0500, "jen" <jen RemoveThis @example.com> wrote:

>"Virus Guy" <Virus RemoveThis @Guy.com> wrote in message
>news:47766824.65CAE641@Guy.com...
>> Here's something recent that is an SFX RAR archive.
>> Don't download this unless you know what you're doing.
>> hxxp://bioscor-j.com/~norbil/postcard.gif.exe
>
>How recent? Maybe a new variant...
>BKDR_ZAPCHAST.BB:
>Initial samples received on: Dec 6, 2005
>http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_ZAPCHAST.BB&VSect=T
>
>-jen
>
hey all.. nod32 v3 found this on the file...

Scan Log
Version of virus signature database: 2755 (20071229)
Date: 12/29/2007 Time: 12:43:05 PM
Scanned disks, folders and files: C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » UPX v12_m2 » RAR » script.ini - probably a variant of IRC/Cloner.BI trojan
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » UPX v12_m2 » RAR » mirc.ini - IRC/Zapchast trojan
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » UPX v12_m2 » RAR » csrss.exe - Win32/Mirc_based trojan
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » UPX v12_m2 » RAR » sup.exe - BAT/Netstop.NAA trojan
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » UPX v12_m2 » RAR » a.reg - IRC/Cloner.BI trojan
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » RAR » script.ini - probably a variant of IRC/Cloner.BI trojan
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » RAR » mirc.ini - IRC/Zapchast trojan
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » RAR » csrss.exe - Win32/Mirc_based trojan
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » RAR » sup.exe - BAT/Netstop.NAA trojan
C:\Documents and Settings\Roadkil\Desktop\postcard.gif.exe » RAR » a.reg - IRC/Cloner.BI trojan
Number of scanned objects: 36
Number of threats found: 10
Time of completion: 12:43:12 PM Total scanning time: 7 sec (00:00:07)

Roadkil
"Quis custodiet ipsos custodes"
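An added example, not code from any poster in this thread: a small Python parser for the NOD32 scan-log format shown in Roadkil's post. The sample lines are constructed (made-up path and counts, modelled on the log above). It shows why the scanner's "Number of threats found" overstates the number of distinct malicious files: each RAR member is reported twice, once through the UPX layer and once through the RAR layer directly, so an analyst should collapse findings by container and member name before counting.

```python
"""Summarise a NOD32-style scan log of a nested archive (UPX » RAR » member)."""
import re
from collections import OrderedDict

# Constructed sample in the log format from the thread; path and counts are made up.
SAMPLE_LOG = r"""
Scan Log
Version of virus signature database: 2755 (20071229)
Scanned disks, folders and files: C:\Users\analyst\Desktop\postcard.gif.exe
C:\Users\analyst\Desktop\postcard.gif.exe » UPX v12_m2 » RAR » script.ini - probably a variant of IRC/Cloner.BI trojan
C:\Users\analyst\Desktop\postcard.gif.exe » UPX v12_m2 » RAR » mirc.ini - IRC/Zapchast trojan
C:\Users\analyst\Desktop\postcard.gif.exe » UPX v12_m2 » RAR » csrss.exe - Win32/Mirc_based trojan
C:\Users\analyst\Desktop\postcard.gif.exe » RAR » script.ini - probably a variant of IRC/Cloner.BI trojan
C:\Users\analyst\Desktop\postcard.gif.exe » RAR » mirc.ini - IRC/Zapchast trojan
C:\Users\analyst\Desktop\postcard.gif.exe » RAR » csrss.exe - Win32/Mirc_based trojan
Number of scanned objects: 12
Number of threats found: 6
"""

# A detection line is "<container » layer » ... » member> - <verdict>".
FINDING_RE = re.compile(r"^(?P<chain>.+?) - (?P<verdict>.+)$")
COUNT_RE = re.compile(r"^Number of threats found:\s*(\d+)")


def parse_findings(log_text):
    """Return one dict per detection line: container, unpack layers, member, verdict."""
    findings = []
    for line in log_text.splitlines():
        if " » " not in line:
            continue  # header or footer line, not a nested-object detection
        m = FINDING_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group("chain").split(" » ")]
        findings.append({"container": parts[0], "layers": parts[1:-1],
                         "member": parts[-1], "verdict": m.group("verdict")})
    return findings


def unique_members(findings):
    """Collapse reports of the same member reached through different unpack paths."""
    out = OrderedDict()
    for f in findings:
        entry = out.setdefault((f["container"], f["member"]),
                               {"verdicts": set(), "paths": []})
        entry["verdicts"].add(f["verdict"])
        entry["paths"].append(" » ".join(f["layers"]))
    return out


def reported_count(log_text):
    """The scanner's own threat total, which counts every unpack path separately."""
    for line in log_text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            return int(m.group(1))
    return None
```

For the constructed sample the scanner reports 6 threats but only 3 distinct members, mirroring the 10-versus-5 ratio in the log above.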
Virus Guy
External
Since: Aug 05, 2005
Posts: 424

(Msg. 5) Posted: Sun Dec 30, 2007 3:20 pm
Post subject: Re: postcard.gif.exe
Archived from groups: per prev. post

Virus Guy wrote:

> Don't download this unless you know what you're doing.
> hxxp://bioscor-j.com/~norbil/postcard.gif.exe

I see that file is still being hosted at the above location.

De-compression and submission of each internal file of that archive to
VT gives the following results.

Basically, this is Zapchast. This package seems to have been created
on or after Dec 7/2007 based on some of the time stamps.

Interesting that the following 2 files aren't detected by anyone:

SVCHOST.EXE
INSTSRV.EXE

Can someone explain how to use the following to snoop on the hackers?

ALIASES INI 11 11-21-06 4:47p
REMOTE INI 427 12-07-07 9:51p
SERVERS INI 837 12-07-07 9:48p
USERS INI 427 12-07-07 9:50p
ID3NT TXT 253,196 08-15-07 11:02p
NICKS TXT 294,654 10-03-07 7:08a


----------------------------

Details:

A_FRIEND EXE 476,103 11-19-06 5/32
packers: ASPack, Swf2Exe
http://www.virustotal.com/analisis/f685ccb1f0eb813c29b71cadf87213f6
- Authentium "is a destructive program"
- F-Prot W32/Trojan.BNKQ
- F-Secure Backdoor:W32/Zapchast.DB
- Ikarus Backdoor.Win32.Ciadoor.13
- Rising Backdoor.Agent.iak

CSRSS EXE 593,262 03-16-07 27/32
packers: PE_Patch, MewBundle, MEW
http://www.virustotal.com/analisis/7b842992a59094cc48bd6e3a38c092e9
- AntiVir BDS/mIRC-593262.A
- Avast Win32:Trojan-gen {Other}
- AVG BackDoor.Generic7.MGW
- BitDefender Trojan.Mirchack.A
- CAT-QuickHeal W32.Brontok.Q
- ClamAV PUA.Packed.MEW-1
- eSafe Win32.IRC.Bot
- FileAdvisor High threat detected
- Fortinet Misc/Mirchack
- F-Prot W32/Trojan5.ACB
- F-Secure Backdoor.Win32.mIRC-based
- Ikarus not-a-virus:Client-IRC.Win32.mIRC.601
- Kaspersky not-a-virus:Client-IRC.Win32.mIRC.601
- McAfee IRC/Flood.gen.e
- Microsoft Trojan:Win32/Zapchast
- NOD32v2 Win32/Mirc_based
- Norman Suspicious_M.gen
- Panda Suspicious file
- Prevx1 Generic.Malware
- Rising Backdoor.mIRC-based.bj
- Sophos Troj/Mirchack-A
- Sunbelt Backdoor.Irc.Zapchast.MN
- Symantec Backdoor.IRC.Bot
- TheHacker W32/Behav-Heuristic-066
- VBA32 BackDoor.IRC.based
- VirusBuster Backdoor.MIRC-based.X
- Webwasher Trojan.Backdoor.mIRC-593262.A


INSTSRV EXE 32,256 04-18-03
http://www.virustotal.com/analisis/bd7a068b0c3682018a76b8df8edaab40
- no packers listed
- no threats detected by any AV package


MIRC ICO 5,694 11-07-04 1/32
http://www.virustotal.com/analisis/281de55931bf32dd23cc3487a5b92d4a
- Sunbelt Backdoor.IRC.Zapchast


SUP EXE 149,742 03-16-07 28/32
(no packers listed)
http://www.virustotal.com/analisis/c77ff5d66b829c8d50677c852a931964
- AntiVir DR/Runner.B
- Avast Win32:Trojan-gen {Delphi}
- AVG Generic_c.GU
- BitDefender Trojan.ZapchServ.A
- CAT-QuickHeal Trojan.Runner.b
- ClamAV Trojan.Dropper-3446
- DrWeb Trojan.Runner.15
- eSafe Win32.Trojan
- eTrust-Vet Win32/IRCFlood
- Ewido Trojan.Runner.i
- FileAdvisor High threat detected
- Fortinet BAT/Runner.B!tr
- F-Secure Trojan.BAT.Runner.i
- Ikarus Trojan.BAT.Runner.i
- Kaspersky Trojan.BAT.Runner.i
- McAfee Generic.dx
- Microsoft Trojan:Win32/VNCKill.A
- NOD32v2 BAT/Netstop.NAA
- Panda Bck/mIRCBased.BC
- Prevx1 TROJAN.ZAPCHSERV.A
- Rising Worm.BAT.CopyRun.a
- Sophos Troj/Agent-FWS
- Sunbelt Trojan.BAT.Runner.b
- Symantec Trojan Horse
- TheHacker Trojan/Dropper.QuickBatch.b
- VBA32 Trojan.BAT.Runner.b
- VirusBuster 0 Trojan.BAT.Runner.S
- Webwasher-Gateway Trojan.Dropper.Runner.B


MIRC INI 3,130 12-07-07 5/32
http://www.virustotal.com/analisis/aa2f05550f3af1c94979a29f96c452be
- AhnLab-V3 mIRC/Zapchast
- ClamAV Trojan.IRC-Script-33
- eTrust-Vet MIRC/IRCFlood
- Ikarus Backdoor.IRC.Cloner.ae#2
- NOD32v2 IRC/Zapchast

CONTROL INI 61 11-19-06 1/32
http://www.virustotal.com/analisis/19e5d3973e14417d17dfe35573b44f3f
- Sunbelt Trojan.mIRC.Flood

SCRIPT INI 15,586 10-03-07 8/32
http://www.virustotal.com/analisis/8669fc4f8d396e89705c625173add5c4
- AntiVir TR/IRC.Zapchast
- Avast Win32:Zapchast-CR
- AVG IRC/BackDoor.Flood
- CAT-QuickHeal MIRC/Zapchast
- eTrust-Vet MIRC/IRCFlood
- Ikarus Backdoor.IRC.Zapchast
- NOD32v2 probably a variant of IRC/Cloner.BI
- Webwasher Trojan.IRC.Zapchast

A REG 556 03-16-07 11/32
http://www.virustotal.com/analisis/ba28333083620dc9d5582dee4a7e5cdc
packers: Unicode
- AntiVir IRC/Cloner.BI
- Authentium REG/Zapchast.E
- Avast VBS:Malware-gen
- BitDefender Backdoor.Cloner.BI
- eTrust-Vet REG/IRCFlood
- Ewido Backdoor.Cloner.bi
- F-Prot REG/Zapchast.E
- Ikarus Backdoor.Cloner.BI
- NOD32v2 IRC/Cloner.BI
- Symantec IRC Trojan
- Webwasher Script.Cloner.BI


POPUPS TXT 2,639 11-14-05 1/32
- file was previously analyzed on 7/9/2007 (1/29 detection rate)
- Detected as Zapchest by Ikarus
- Still detected as Zapchest by Ikarus


SVCHOST EXE 8,192 04-18-03 0/32
- file was last analyzed on 11/20/2007
- detection rate was 1/32 (webwasher)
- today, detection rate is zero (0)
- strange file, has internal references to:
- C:\OS2\PMSHELL.EXE
- srvany.pdb
- 1-2-3 Preloader Copyright (C) Rational Systems
- Phar Lap Software, Inc.


nothing detected:

ALIASES INI 11 11-21-06 4:47p
REMOTE INI 427 12-07-07 9:51p
SERVERS INI 837 12-07-07 9:48p
USERS INI 427 12-07-07 9:50p
ID3NT TXT 253,196 08-15-07 11:02p
NICKS TXT 294,654 10-03-07 7:08a
Manatee Memories
External
Since: Aug 25, 2007
Posts: 22

(Msg. 6) Posted: Sun Dec 30, 2007 6:00 pm
Post subject: Re: postcard.gif.exe
Imported from groups: per prev. post

Sycho
External
Since: Nov 14, 2007
Posts: 20

(Msg. 7) Posted: Sun Dec 30, 2007 6:47 pm
Post subject: Re: postcard.gif.exe
Imported from groups: per prev. post

Dustin Cook
External
Since: Jun 01, 2006
Posts: 152

(Msg. 8) Posted: Mon Dec 31, 2007 2:22 am
Post subject: Re: postcard.gif.exe
Archived from groups: per prev. post

Virus Guy <Virus.TakeThisOut@Guy.com> wrote in news:4777FD7D.36C071D5@Guy.com:

> Virus Guy wrote:
>
>> Don't download this unless you know what you're doing.
>> hxxp://bioscor-j.com/~norbil/postcard.gif.exe
>
> I see that file is still being hosted at the above location.
>
> De-compression and submission of each internal file of that archive to
> VT gives the following results.

Instsrv.exe is a legitimate file. It's ZapChast or a mirc worm variant...
*shrug*. I've collected 2 different variants so far, one posing as a
postcard and the other posing as a rather large system service file.
svhost.exe; both contained those files inside.

--
Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2e
Email.: bughunter.dustin.TakeThisOut@gmail.com
Web...: http://bughunter.it-mate.co.uk
Pad...: http://bughunter.it-mate.co.uk/pad.xml
PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt