Thx, yeah this is one of 3 that I have seen for 49.4 released under my
name.
Stephan the |337 and his amazing VB skills.
Considering countermeasures.
Yes, if I make loader for 49.4 public I will post hash here.
I'm distracted by other things right now.
sf<><
"2learn" <learner400@[EMAIL PROTECTED]> wrote in message
news:a5d48cfa.0306261721.2197e7b3@[EMAIL PROTECTED]
> Greetings Stonefisk,
>
> I've also found another virus everyone should be made aware of,
> labeled for the newly released V49.4. Someone used that damn gay sh*t
> crap trojan and added it to your v48.1 fix and labeled it for the new
> 49.4, shown below:
>
> Name:
> eDonkey 0.49.4 UPLOAD CRACK - Anti Adbanner - noratio hack - unlimited
> Speed - orginal StoneFisk relase .zip
>
> hash: 623fecdc6b1ac355cd7060d7f4bf1307 (Size: 1.02Mb)
>
>
> Stonefisk, is it possible to post the actual original hash value for
> when the real new release of V49.4 fix will become available from you?
> This is so that we get it from a reliable source. And also will know
> which is the correct one or wrong one for the new released version
> 49.4...
>
> PS: -Do you have an official website for your releases? Some other
> safe place to D/L?
>
>
> Thanks, keep up the great work..
>
>
>
>
> Learner
>
>
>
>
> "sf" <rhshse@[EMAIL PROTECTED]> wrote in message
> news:<20030610131002.AD00F5F20E@[EMAIL PROTECTED]>...
> > Trojan alert..... who cares ? I do because this has been released under
> > my name and is joined to an executable that I wrote.
> > I just need to declare somewhere that this is not my mojo, this list is
> > good as any to do that. And you can have a laugh too.
> >
> > Details:
> > Released on edonkey network as an upload crack. (It does contain and run
> > the working patch I released)
> >
> > Name :
> > eDonkey_v.48.1_CRACK_UPLOAD_ADBANNER_(original_stonefisk_release) this patch is packing by StoneFisk.rar
> >
> > hash:
> > 7b517398b5c358dde4cc9c9d57f42950
> >
> > size:
> > 1.15Mb
> >
> > Binder used :
> > "GP-EXEJOINER By GigantPro".
> > GigantPro's **** (err I mean work) can be found here
> > http://de.geocities.com/GPWare/Zite.htm
> > All coded in l337 visual basic !
> > This binder can join only 2 files, in this case these two files are :
> > 1) my patch release @ a size of only 16896 bytes (Coded it in win32 asm
> > as always).
> > 2) A mystery file weighing in @ a whopping 1219583 bytes.
> >
> > The mystery file (TROJAN) has been compressed/packed with UPX version
> > 1.20
> > Unpacked the mystery file weighs in at 1544192 bytes. (note low
> > compression ratio).
> > The mystery file carries its own icon (cd symbol) which is one of the 5
> > icons on offer in the
> > GP-EXEJOINER tool.
> >
> > The trojan will unbind and copy itself to windows system32 folder under
> > the name "cdrunxp.exe".
> > Initially the trojan will set the following keys :
> >
> > \HKEY_CLASSES_ROOT\exefile\shell\open\command
> > and
> > \HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
> > with the default key value of :
> > C:\WINDOWS\system32\cdrunxp.exe "%1" %*
> >
> > From then on, every time window file explorer is run then so is
> > cdrunxp.exe.
> > cdrunxp.exe queries a bunch of reg keys including the calendar and VB
> > "cdate" key, which holds current date.
> >
> > This trojan has a date activate payload.
> > I have only given payload a brief examination and not fully aware of its
> > function. It appears to consist of:
> > Changing various reg keys that will affect iexplorer.
> > A activate an exe called gayslide.exe (or iexplorer.gayslide.exe) which
> > likely is a gay slide show which display 7 images that are packed along
> > with the trojan.
> > This exe may be then registered as a process.
> > A gay.mpg movie appears to be present also or at least referenced.
> > internet explorer's start page is set to "http://www.findgaypix.com"
> > "GAY *** IS GREAT" is set as a title.
> > Desktop wallpaper is changed.
> > A file called xtra.bmp is displayed on start up via a registry key set
> > in /currentversion/run.
> >
> > ..like what the hell is the point of this **** ?
> >
> > Trojan was coded by a German using visual basic. He seems to be named
> > "Stephan".
> >
> > Up to date Norton antivirus detects no part of this **** whatsoever,
> > not even GigantPro's crappy joiner.
> >
> > Anyway...the trojan is not mine. I did not release it.
> > My last official edonkey patch details :
> > name :
> > eDonkey_v.48.1_CRACK_UPLOAD_ADBANNER_(original_stonefisk_release).rar
> > hash: 22e3715a4a47d7bac6f6f94b80a45b29
> > size : 6kb
> >
> > Stonefisk <><
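
The exefile handler change described in the quoted analysis can be checked from `reg query` output. The following is an added example, not code from any poster in this thread; the sample text is constructed, the function names are hypothetical, and it assumes the stock handler value is `"%1" %*`.

```python
import re

# Stock handler for .exe files: run the clicked program with its arguments.
DEFAULT_EXE_HANDLER = '"%1" %*'

# The two keys named in the quoted analysis.
WATCHED_KEYS = (
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
)

# Constructed sample laid out like `reg query <key> /ve` output.
SAMPLE = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\system32\cdrunxp.exe "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    <NO NAME>    REG_SZ    "%1" %*
'''

# Default-value row; reg.exe labels it (Default) or <NO NAME> by version.
VALUE_RE = re.compile(r"^\s+(?:\(Default\)|<NO NAME>)\s+REG_\w+\s+(.*)$")

def parse_default_values(text):
    """Map each lower-cased key path to (key, default value)."""
    values, key = {}, None
    for line in text.splitlines():
        match = VALUE_RE.match(line)
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and match:
            values[key.lower()] = (key, match.group(1).strip())
    return values

def hijacked_handlers(text):
    """Return (key, value, interposed program) for each altered handler."""
    values, findings = parse_default_values(text), []
    for watched in WATCHED_KEYS:
        # Keys absent from the input are not reported.
        key, value = values.get(watched.lower(), (watched, DEFAULT_EXE_HANDLER))
        if value != DEFAULT_EXE_HANDLER:
            # Whatever precedes "%1" is launched in place of the clicked file.
            findings.append((key, value, value.split('"%1"')[0].strip()))
    return findings

if __name__ == "__main__":
    for key, value, program in hijacked_handlers(SAMPLE):
        print(f"ALTERED {key}\n  value: {value}\n  runs:  {program}")
```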