Re: [Full-Disclosure] Virus on web site
From: Peter B. Harvey (Information Security) (peterharvey_at_emergency.qld.gov.au)
Date: Wed, 3 Aug 2005 11:19:59 +1000 To: <email@example.com>
-----BEGIN PGP SIGNED MESSAGE-----
An update the Virus is a HAXDOOR variant which is a backdoor.
Symantec and Trend also now detect it.
The virus is spread by an iframe or link in an email asking to go to
a compromised website. The latest site seen is:
This opens up a two frame page with A hotmail look alike login screen
which appears to be used to steal passport credentials to anyone
foolish enough to enter them.
The other frame is only a couple of pizels high at the top. This
opens an IFRAME to
This page looks like an advert for a samsung phone but contains two
http://crbmarketing.com/images/msits.exe - The Backdoor
http://crbmarketing.com/images/strsp2.js - The Trojan downloader
These emails will get past most content scanners as they are just an
HTML email. SPAM engines might catch them.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
-----END PGP SIGNATURE-----
This correspondence is for the named persons only.
It may contain confidential or privileged information or both.
No confidentiality or privilege is waived or lost by any mis transmission.
If you receive this correspondence in error please delete it from your system immediately and notify the sender.
You must not disclose, copy or relay on any part of this correspondence, if you are not the intended recipient.
Any opinions expressed in this message are those of the individual sender except where the sender expressly,
and with the authority, states them to be the opinions of the Department of Emergency Services, Queensland.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/