[Full-Disclosure] Fake Virus Warnings From ISPs
From: Mike (mjcarter_at_ihug.co.nz)
Date: 01/18/04
- Previous message: KF: "[Full-Disclosure] Happy belated Personal Firewall day - SRT2004-01-17-0628 - Agnitum Optpost firewall allows Local SYSTEM access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <full-disclosure@lists.netsys.com> Date: Sun, 18 Jan 2004 13:28:19 +1300
Hi All,
Warning be careful with the links in this email.
Posted in the SANS diary by Johannes Ullrich:
A user submitted a fake e-mail, which is using the %01 MSIE bug to trick the
user into downloading a Trojan.
[snip]
This appears to be bigger than Yahoo being faked. I recently received this
faked email:
Virus Alert
To:mjcarter
From: ihug.co.nz's Internet Virus Department
We have detected a possible computer virus on your computer, You must open
the details of the report within 24 hours our we will be forced to shut down
your internet service.
Please Click Below Then Press "open" To View The Report If you do not open
this report in 24 hours we will suspend your internet service If nothing
apears on your virus report please dis-regard this message
Click Here Now
<http://ihug.co.nz%01@dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/>
Clicking on the link takes me to
http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ which redirects to
http://66.98.208.24/cgi-bin/page.cgi and attempts to download page.hta which
McAfee detects as VBS/Inor.
I've contacted my ISP and forwarded to them, I wonder how many other ISPs
are about to be flooded with calls.
Note the URL is changing, it was originally
http://66.98.208.24/cgi-bin/page.cgi which was shut down.
But is now residing at http://210.51.184.247/cgi-bin/page.cgi
inetnum: 210.51.0.0 - 210.51.255.255
netname: CNCNET
descr: China Netcom Corp.
descr: New Telecommunication Carrier Based on IP Backbone
country: CN
admin-c: JM284-AP
tech-c: JM284-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CN-ZM28
changed: hostmaster@apnic.net 20001011
changed: hm-changed@apnic.net 20020703
changed: hm-changed@apnic.net 20030212
status: ALLOCATED PORTABLE
source: APNIC
Regards
Mike
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: KF: "[Full-Disclosure] Happy belated Personal Firewall day - SRT2004-01-17-0628 - Agnitum Optpost firewall allows Local SYSTEM access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
