ALL AFRICAN GAMES Another SCAM E-Mail

June 30, 2008

Hi there,

Another “new” fraud attempt, this time from alinarbar56 (@) yahoo.com:

Good day to you.

I hope this letter meets you well, I am sorry if I have intruded on your privacy or barged in on you without your permission. I have a very rewarding project which I think will be beneficial to both of us putting trust, confidentiality and most of all the fear of God into focus. If after going through this email you do not find it interesting please disregard it and send me a formal response. I was a member of the Abuja National stadium building and organizing committee of the just concluded “ALL AFRICAN GAMES” which was organized and hosted by Nigeria but before now I have been a director of sports in the Federal Ministry of Sports and Youth Development. We were appointed over 5 years ago to supervise the building of the ultra modern Abuja National stadium, putting in place all equipment needed for the completion of the stadium which is acclaimed to be one of the best in the world today and also involved in the planning and hosting of the games. This project cost the government of Nigeria millions of dollars.

The stadium project has been completed, all equipment put in place and commissioned and used for the All African Games tagged “ABUJA 2003“. The accounts have been rendered to the government satisfactorily and we have received commendations for a job well done. During the construction, planning and execution of this project, as the chairman of contract award committee I was able to make some money for myself through contract that was awarded to Dewolfgang Gmbh which I over-invoiced to the tune of USD18.5M with the help of Dewolfgang contractor. All I want you to do is to assist me in clearing this amount while standing in as the owner and director of Vacknol Nigeria International Limited in whose name I made as the beneficiary of the funds. Vacknol Nigeria International Limited is an international company and could have a company anywhere in the world, the most important thing being that it is registered here in Nigeria as a limited liability company in line with the company and allied matters decree of Nigeria which I have since done. I have also in my possession some contract documents which will act as proof that Vacknol Nigeria International Limited executed the contract as a sub contractor under the Dewolfgang Gmbh who is the major contractor that executed the contract that was over-invoiced.

On the payment of this money to you as the supplier in the name of Vacknol Nigeria International Limited, because I will apply for the transfer in this name, and you as the director of the company, I will come to meet with you so that we can both sit down and discuss further what kind of business we will enter into or if need be expand your already existing business, but actually I hope to establish a five star hotel and go into real estate development as these are life time businesses that I know are of high yield interest anywhere in the world. I know you will be entitled to some percentage of this money as compensation for your efforts. Please feel free to indicate what you will take from this amount, as this is very important to me before we commence proceedings. I will tell you more about this when I hear from you.

Best Regards.

Ali


Have a nice Day,

Evilcry 🙂


Kernel Pool Overflows

June 22, 2008

Hi,

Device driver security is not a widespread or well-known field, and not many researchers work in it. One of my goals for this blog is to summarize all the material related to Windows kernel-mode security.

Here are two interesting new papers, on kernel pool overflows and on a driver impersonation attack:

http://immunityinc.com/downloads/KernelPool.odp

http://immunityinc.com/downloads/DriverImpersonationAttack_i2omgmt.pdf

See you at the next post.. 🙂


CartellaUnicaTasse Trojan

June 20, 2008

Hi,

Today my girl kindly pointed me to an e-mail she received some time ago. The mail has the subject Cartella esattoriale n° 003 210400360968173 and carries an executable attachment called CartellaUnicaTasse.exe.

The executable is packed with a single layer of UPX, so it can be easily unpacked, and it is written in VB6. The malware is currently detected as Trojan-Downloader.Win32.VB.fcd by many AVs, but it still works with all of its functionality intact.

From a quick analysis we can carve out two URLs from which two further pieces of malware are downloaded:

hxxp://2{CENSORED}.biz/mef/download1.exe

hxxp://2{CENSORED}.biz/mef/download3.exe

Download1.exe -> Trojan-Clicker.Win32.Agent.aqk

Download2.exe -> Trojan.Win32.Small.atd

Download3.exe -> Trojan.Win32.Dialer.qi

loader_mef.exe -> Trojan-Downloader.Win32.VB.fcd

mef.exe -> Trojan-Clicker.Win32.Agent.aqk

I’ll analyze both Download1 and Download3 and will soon post how this crap works 😉

All of this malware was written by an Italian: the downloader contains the path c:\Programmi\ (the Italian localisation of Program Files) and the dialer also contains Italian terms.
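As an added example (not part of the original post or of the malware), a small Python triage helper that performs the three static checks described above on a constructed byte blob standing in for the unpacked downloader: spotting UPX section names, carving download URLs stored as ASCII or as UTF-16LE strings (VB6 binaries store many strings as wide characters) and returning them defanged, and flagging the Italian Program Files path. The URL host in the sample is a placeholder, not the censored domain from the post.

```python
import re

# Constructed stand-in for the unpacked CartellaUnicaTasse.exe: UPX section names
# as they appear in a PE section table, one ASCII URL, one UTF-16LE URL and the
# Italian path. The host is a placeholder, not the censored domain from the post.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"UPX0\x00\x00\x00\x00" + b"UPX1\x00\x00\x00\x00" + b".rsrc\x00\x00\x00"
    + b"\x00" * 16
    + b"http://2example.invalid/mef/download1.exe\x00"
    + "http://2example.invalid/mef/download3.exe".encode("utf-16-le") + b"\x00\x00"
    + b"c:\\Programmi\\loader_mef.exe\x00"
)

# A URL runs from the scheme up to the first byte that is not printable ASCII.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")


def is_upx_packed(data: bytes) -> bool:
    """Cheap packer check: a stock UPX build names its sections UPX0 and UPX1."""
    return b"UPX0" in data and b"UPX1" in data


def defang(url: str) -> str:
    """Rewrite http(s):// to hxxp(s):// so carved URLs cannot be clicked by accident."""
    return "hxxp" + url[4:]


def carve_urls(data: bytes) -> list:
    """Carve URLs stored as ASCII and as UTF-16LE; return them defanged, deduplicated, in order."""
    hits = [m.group().decode("ascii") for m in URL_RE.finditer(data)]
    # A UTF-16LE ASCII string becomes plain ASCII once the interleaved NUL bytes are
    # dropped; scan both byte alignments so the string's start offset does not matter.
    for offset in (0, 1):
        narrow = data[offset::2]
        hits.extend(m.group().decode("ascii") for m in URL_RE.finditer(narrow))
    return [defang(u) for u in dict.fromkeys(hits)]


def has_italian_program_files_path(data: bytes) -> bool:
    """'Programmi' is the Italian localisation of 'Program Files': a hint about the author's locale."""
    return b"\\Programmi\\" in data


if __name__ == "__main__":
    print("UPX packed:", is_upx_packed(SAMPLE))
    for url in carve_urls(SAMPLE):
        print("download URL:", url)
    print("Italian Program Files path:", has_italian_program_files_path(SAMPLE))
```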

See you at the next post.. 🙂