Re: [Full-Disclosure] Virus on web site

From: Peter B. Harvey (Information Security) (peterharvey_at_emergency.qld.gov.au)
Date: 08/03/05

    Date: Wed, 3 Aug 2005 11:19:59 +1000
    To: <full-disclosure@lists.grok.org.uk>

    Hi all

    An update: the virus is a HAXDOOR variant, which is a backdoor.
    Symantec and Trend also now detect it.

    The virus is spread by an iframe or link in an email asking to go to
    a compromised website. The latest site seen is:
    http://crbmarketing.com/images/select.html

    This opens up a two-frame page with a Hotmail look-alike login screen,
    which appears to be used to steal Passport credentials from anyone
    foolish enough to enter them.

    The other frame is only a couple of pixels high at the top. This
    opens an IFRAME to
    http://crbmarketing.com/images/newex.html

    This page looks like an advert for a Samsung phone but contains two
    objects:
    http://crbmarketing.com/images/msits.exe - the backdoor
    http://crbmarketing.com/images/strsp2.js - the Trojan downloader
    JS_PSYME.AT

    These emails will get past most content scanners, as they are just an
    HTML email. Spam engines might catch them.

    A new variant just came in and it appears to be just using the
    JavaScript component:
    http://mistysunshine.com/register/reg.html
    The IFRAME at the top points to
    http://besttraff.us/top/index.html

    Again, have JavaScript turned off before looking at the sites.

    Peter

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
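As an added defender-side example (not from the post above), a small Python check that flags IFRAMEs of the kind the post describes: only a few pixels high, hidden by style, or pointing at a host other than the page's own. The sample HTML and hostnames are constructed placeholders, not the sites named in the message.

```python
"""Flag tiny, hidden or off-host IFRAMEs in an HTML page or HTML email body."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 10  # a frame this small is unlikely to be content meant for the user


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse '2' or '2px' into an int; None for percentages or other units."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) pairs for frames that are tiny, hidden or off-host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        reasons = []
        height, width = _px(frame.get("height")), _px(frame.get("width"))
        if (height is not None and height <= TINY_PX) or (width is not None and width <= TINY_PX):
            reasons.append("tiny")
        style = frame.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append("off-host")
        if reasons:
            findings.append((src, ",".join(reasons)))
    return findings


# Constructed sample with the same shape as the two-frame page in the post (placeholder hosts).
SAMPLE = """<html><body>
<iframe src="http://login.example.test/frame.html" width="100%" height="600"></iframe>
<iframe src="http://ads.example.invalid/newex.html" width="100%" height="2"></iframe>
<iframe src="/local.html" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE, "login.example.test"):
        print(f"{why:14} {src}")
```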

