trojan by icq

Subject Author Date
trojan by icq par7133 11-04-2005
---> Re: trojan by icq David H. Lipman 11-04-2005
Posted by David H. Lipman on November 11, 2005, 6:50 pm

| this doc the vulnerability and patch that start the trojan:
| http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx

That is a bad URL and no longer exists.

JV/Shinwow -- http://vil.nai.com/vil/content/v_101870.htm
Exploit-ByteVerify -- http://vil.nai.com/vil/content/v_100261.htm
Exploit-ANIfile -- http://vil.nai.com/vil/content/v_130604.htm
VBS/Inor -- http://vil.nai.com/vil/content/v_100598.htm
Downloader-YD -- http://vil.nai.com/vil/content/v_132763.htm

Exploitation References:

Flaw in Microsoft VM Could Enable System Compromise (816093)
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx

Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)
http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

Note: The file loadadv400.exe was submitted to *all* AV companies and signatures are being created.

So far since I posted the JPEG...

eTrust-Iris -- Win32/SillyDL.iftraff!Trojan
Kaspersky -- Trojan-Downloader.Win32.Small.bfy
McAfee -- Generic Downloader.u
Trend Micro -- TROJ_DLOADER.APZ

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by par7133 on November 11, 2005, 7:17 pm
You have surely done more research than me :-)

Talking about
http://www.postcards@iframetraff.biz/dl/adv669.php

I can add to yours that in Windows 98 his behaviour to start
is exactly how is explained in ms04-013, email in url (outlook express)
and finally exploit by a chm that opened. Now, the doc is *on*
probably it was updated while I saw *off* me too.

With reference to the following and l o v e l y exploitation step,
http://www.iframetraff.biz/dl/adv669.php probably your add gives the rest of the analysis

Daniele
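
The "email in url" form mentioned in the post above places text before an `@` in the URL authority, so the host actually contacted is the part after it. The following is an added example, not part of the thread, that flags such links in message text; the function name, the sample message and its second and third URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message; only the first URL is the one quoted in the thread.
SAMPLE_MESSAGE = (
    "You have a postcard: http://www.postcards@iframetraff.biz/dl/adv669.php "
    "help: http://example.com/contact/a@b and http://www.example.com@192.0.2.7/x."
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
HOSTLIKE_RE = re.compile(r"[\w-]+(\.[\w-]+)+")


def find_userinfo_urls(text):
    """Return one finding per http(s) URL whose authority has a userinfo part."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # malformed authority, not parseable as a URL
        # An '@' in the path or query is harmless; only the authority matters.
        if "@" not in parts.netloc:
            continue
        userinfo = parts.netloc.rpartition("@")[0]
        user = userinfo.split(":", 1)[0]
        findings.append({
            "url": url,
            "displayed_as": userinfo,      # text a reader tends to take for the site
            "real_host": parts.hostname,   # host the client actually connects to
            "looks_like_host": bool(HOSTLIKE_RE.fullmatch(user)),
        })
    return findings


if __name__ == "__main__":
    for f in find_userinfo_urls(SAMPLE_MESSAGE):
        print(f"{f['url']}\n  shown: {f['displayed_as']}  real host: {f['real_host']}")
```
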


Posted by par7133 on November 11, 2005, 8:29 pm
How do they distribute the trojan?
But first, how do they manage all the icq accounts?
Is it possible that icq team is not involved in that?

Here:
