From owner-freebsd-hackers@FreeBSD.ORG Thu Mar 4 05:09:24 2004
Date: Thu, 4 Mar 2004 12:59:20 +0500
From: Anikin Vyacheslav
To: freebsd-doc-owner@freebsd.org, freebsd-hackers@freebsd.org
Message-ID: <7019017165.20040304125920@mail.ru>
In-Reply-To: <15018118382.20040304124421@mail.ru>
Subject: Re: ?Virus?/?Trojan? received from freebsd-doc@FreeBSD.org
List-Id: Technical Discussions relating to FreeBSD

In the latest mail on 03 MAR 2004 19:21 +0500 GMT (YEKT), Anikin Vyacheslav (i.e. me) wrote:

> ...
>
> The attached file is a Windows executable (PE format) packed by UPX.
> The import table contains a lot of procedures such as:
>
> URLDownLoadToFile
> GetNetworkParams
> InternetOpenA
>
> and other procedures from wininet.dll and wsock32.dll.
>
> I think the attached file is a trojan. If anybody needs the attached file, I can send it.
I scanned this attached file with the AntiViral Toolkit (AVP Kaspersky) with the daily update (as of 4 March 2004) and got this report:

# 
# th, 4 MAR 2004, 10:46:33 +0500 GMT
# 
# Object                        Result      Description
# -----------------------------------------------------------------------------
# <...>\trojan-maybe.exe.xxx    Infected    I-Worm.Bagle.i

Also scanned with DrWeb (daily update, too). The report looks like this:

# <...>\TROJAN-MAYBE.EXE.XXX packed UPX
# <...>\TROJAN-MAYBE.EXE.XXX infected Win32.HLLM.Beagle.based

-- 
Anikin Vyacheslav a.k.a ghos
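The two checks the poster made by hand (UPX section names in the PE header, and downloader APIs such as URLDownloadToFile / InternetOpenA among the import names) can be scripted for quick static triage of a suspicious attachment. The following is an added example, not code from the thread; it parses the PE section table itself and, because PE import names are stored as plain ASCII, searches the raw file for the watch-listed names. The input is a constructed stand-in (build_sample_pe) that mimics the layout of the attachment described above, not the real sample.

```python
import struct

# APIs the post calls out as typical of a downloader; the names below are a constructed watchlist.
WATCHLIST = ["URLDownloadToFile", "InternetOpenA", "GetNetworkParams"]

def build_sample_pe():
    """Constructed stand-in for the attachment: minimal PE header with UPX section names."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows the DOS header
    opt_size = 224                                  # PE32 optional header, left zeroed here
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, opt_size, 0x102)  # i386, 3 sections
    sections = b""
    for name in (b"UPX0", b"UPX1", b".rsrc"):
        sections += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000040)
    names = b"\x00URLDownloadToFile\x00InternetOpenA\x00GetNetworkParams\x00wininet.dll\x00"
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt_size) + sections + names

def pe_section_names(data):
    """Walk the COFF header to the section table and return the section names."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]     # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                                # 4-byte sig + 20-byte COFF header
    names = []
    for i in range(nsections):
        raw = struct.unpack_from("<8s", data, table + 40 * i)[0]  # each section header is 40 bytes
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names

def triage(data):
    """Cheap static triage: packer guess from section names plus watch-listed API strings."""
    sections = pe_section_names(data)
    packer = "UPX" if any(n.startswith("UPX") for n in sections) else None
    hits = [api for api in WATCHLIST if api.encode("ascii") in data]
    return {"sections": sections, "packer": packer, "suspicious_imports": hits}

if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

A UPX-packed file keeps its real import table compressed, so on a genuine sample the string search only sees what the UPX stub leaves in the clear; unpack first (or run the AV scan, as the poster did) before treating an empty hit list as clean.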