Re: [Full-disclosure] A new phishing fraud

From: Shawn Austin (austinsr_at_uindy.edu)
Date: 05/19/05

    Date: Wed, 18 May 2005 20:39:50 -0500
    To: full-disclosure@lists.grok.org.uk

    McAfee catches VBS/Soraci when the page is loading.
    Writeup of the virus from http://vil.nai.com/vil/content/v_101049.htm

    Virus Characteristics:

    This is a file infecting VBScript virus that infects files with
    extension HTT, HTM, and HTML. When run, the virus will create or modify
    the following registry keys to change the Internet Explorer start page:

        * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
          "Default_Page_URL" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
        * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
          "Local Page" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
        * HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
          "Start Page" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
        * HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
          "Default_Page_URL" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
        * HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
          "Local Page" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
        * HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
          "Start Page" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm

    The virus creates the following files:

        * %SysDir%\icarOs.dll (2,824 bytes)
        * %SysDir%\icarOs2.dll (3,748 bytes)
        * %SysDir%\scanregw.vbe (3,718 bytes)

    (Where %SysDir% is the Windows System directory on the system, for
    example c:\WINDOWS\SYSTEM.)

    A registry entry is also created to run the virus on Windows startup:

        * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
          CurrentVersion\Run "ScanRegistry " = %SysDir%\scanregw.vbe

    This virus has a malicious payload to restart Windows continuously if
    the date is September 26.

    m0fo wrote:

    > Probably, there is a new phishing fraud.
    >
    > I received a mail saying:
    >
    > "Please note that this is a system generated email. Please do not
    > reply to this email. If you have questions, please click the following
    > link or paste it in your browser.
    > http://pages.ebay.com/help/basics/select-support.html
    >
    > eBay Confirmation Center
    >
    >
    > Dear customer,
    > During our regular update and verification of the accounts
    > we couldn't verify your current information. Either your information
    > has changed or it is incomplete. If the account information is not
    > updated to current information within 5 days then, your access to bid
    > or buy on eBay will be suspended.
    > To Update Account, please click the link below
    >
    >
    > click here
    >
    >
    >
    > Copyright 1995-2005 eBay Inc. All Rights Reserved.
    >
    > Designated trademarks and brands are the property of their respective
    > owners.
    >
    > eBay and the eBay logo are trademarks of eBay Inc."
    >
    >
    >
    > While I'm clicking, it's taking me to
    > http://www.pearland.co.id/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav
    >
    > There it's asking for user and pass.
    >
    >
    > Take Care,
    >
    > Ido.
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
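A defender-side check for the registry artefacts the McAfee writeup lists, added here as an example that is not part of the original post or of McAfee's writeup: it parses a Windows .reg export (a constructed sample is embedded; the URL host is a placeholder because the advisory neutered the real one) and flags the hijacked Internet Explorer page values and the scanregw.vbe Run entry. Function and constant names are my own.

```python
import re

# Constructed sample .reg export (not from the advisory) with the hijacked IE
# start-page values and the autostart entry the writeup lists; URL host is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.neutered-host.invalid/hedda_marie_tolentino/index.htm"
"Default_Page_URL"="http://www.neutered-host.invalid/hedda_marie_tolentino/index.htm"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry "="C:\\WINDOWS\\SYSTEM\\scanregw.vbe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

IE_MAIN_SUFFIX = r"\software\microsoft\internet explorer\main"
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
HIJACKED_VALUES = {"start page", "default_page_url", "local page"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse a .reg export into {key: {name: data}}; REG_SZ lines only, escapes undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            keys[current][name] = data
    return keys

def find_soraci_indicators(reg_text):
    """Return (key, value_name, data) triples that match the writeup's indicators."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        k = key.lower()
        for name, data in values.items():
            n, d = name.lower(), data.lower()
            # IE start/default/local page redirected to the infection's index.htm
            hijack = (k.endswith(IE_MAIN_SUFFIX) and n in HIJACKED_VALUES
                      and "/hedda_marie_tolentino/" in d)
            # Run value named like the Windows 9x registry checker but launching a .vbe
            autorun = (k.endswith(RUN_SUFFIX) and n.strip() == "scanregistry"
                       and d.endswith("scanregw.vbe"))
            if hijack or autorun:
                findings.append((key, name, data))
    return findings
```

Run it against `reg export` output of the two hives; the trailing space in the "ScanRegistry " value name and the .vbe extension are what separate this entry from the legitimate Windows 9x registry-checker autorun.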

