RE: email worm? Newsletter, aaa.exe, caraoke ksp.exe
From: Dowling, Gabrielle (dowlingg_at_sullcrom.com)
Date: 07/28/03
- Previous message: Gerrit Hannaert: "New or old PHP worm?"
- Maybe in reply to: Michael J. Pomraning: "email worm? Newsletter, aaa.exe, caraoke ksp.exe"
- Next in thread: James C. Slora, Jr.: "RE: email worm? Newsletter, aaa.exe, caraoke ksp.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Jul 2003 00:27:58 -0400
To: "Michael J. Pomraning" <mjp@securepipe.com>, <incidents@securityfocus.com>
Yes, MessageLabs reported on this on Friday; it appears to be the
reverse proxy trojan that Symantec describes as Migmaf. Other vendors
describe it differently.
Gaby
-----Original Message-----
From: Michael J. Pomraning [mailto:mjp@securepipe.com]
Sent: Saturday, July 26, 2003 9:37 AM
To: incidents@securityfocus.com
Subject: email worm? Newsletter, aaa.exe, caraoke ksp.exe
Hello,
I last night got a spoofed email inviting me to open its .zip
attachment, a .htm containing a base64-encoded file aaa.exe followed by
an "Exploit-Codebase" (NAI's classification) javascript springload:
sender: admin@security.org
subject: Newsletter
attachment: readme.zip
   |
   +--> readme.htm --> { aaa.exe (MIME/b64) + "Exploit-CodeBase" }
Strings from aaa.exe suggest that it wants to fetch a fixed URL --
http://64.246.56.74/~caraoke/ksp.exe. This one, in turn, has Windows
socket strings. I've not run either, and neither exe was identified by
an up-to-date Sophos scanner.
Is this a known backdoor, pr0n agent, or similar? I don't have a
windows MUA to test with, but I'm assuming it requires manual
intervention (unzip the .zip, view the .htm) to trigger, so its spread
may be limited.
Google didn't turn up much, and Google Groups (searching for the sender)
puts this mail in it.news.net-abuse and perl.modules since yesterday.
Looks like this one doesn't vary sender/subject/etc. The complete mail
is available at
http://groups.google.com/groups?selm=B5K823L43FF13H63%40security.org&oe=csn_369103&output=gplain
Regards,
Mike
--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
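The triage Mike describes above (unpack the zip, find the base64-encoded executable inside the .htm, decode it, and pull strings such as the fetch URL out of it) can be scripted so an analyst never has to open the attachment in a browser. The following is an added Python example, not code from the thread or from either poster. The sample zip it builds is constructed in memory with a fake "MZ" stub (not a real program), the URL inside it is a placeholder, and the `codebase=` check is an assumption about what NAI's "Exploit-CodeBase" label refers to, included as a simple heuristic indicator rather than a claim about that signature.

```python
import base64
import io
import re
import zipfile

# Runs of base64 alphabet (with MIME line wrapping) long enough to plausibly
# carry an executable; the 64-character floor is an assumed threshold.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")
# strings(1)-style URL extraction from decoded binaries.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")
# Heuristic for the "Exploit-CodeBase" family: any codebase= attribute (assumption).
CODEBASE_RE = re.compile(rb"codebase\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def decode_embedded_pe(html: bytes) -> list:
    """Return every base64 blob in html that decodes to something starting with 'MZ'."""
    found = []
    for m in B64_RUN.finditer(html):
        raw = re.sub(rb"\s+", b"", m.group(0))  # drop MIME line breaks
        try:
            blob = base64.b64decode(raw, validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            continue  # not really base64 (e.g. a long word of plain text)
        if blob.startswith(b"MZ"):
            found.append(blob)
    return found


def scan_zip(zip_bytes: bytes) -> dict:
    """Triage a zip attachment without executing anything.

    For each .htm/.html member report: how many embedded PE blobs were found,
    their sizes, URLs seen in the decoded blobs, and codebase= references in the HTML.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".htm", ".html")):
                continue
            html = zf.read(name)
            blobs = decode_embedded_pe(html)
            report[name] = {
                "embedded_pe_count": len(blobs),
                "pe_sizes": [len(b) for b in blobs],
                "urls": sorted({u.decode("ascii", "replace")
                                for b in blobs for u in URL_RE.findall(b)}),
                "codebase_refs": [c.decode("ascii", "replace")
                                  for c in CODEBASE_RE.findall(html)],
            }
    return report


def build_sample_zip() -> bytes:
    """Constructed sample attachment shaped like the one in the thread.

    The 'executable' is only an MZ header plus filler and a placeholder URL,
    so nothing here runs; it exists to exercise the scanner.
    """
    fake_pe = (b"MZ" + b"\x00" * 62
               + b"This program cannot be run in DOS mode." + b"\x00" * 16
               + b"http://example.invalid/~placeholder/payload.exe" + b"\x00" * 8)
    b64 = base64.encodebytes(fake_pe)  # 76-column wrapping, as in MIME
    html = (b"<html><body>Newsletter\n<!-- payload -->\n" + b64
            + b"<object codebase=\"C:\\temp\\aaa.exe\"></object>\n</body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.htm", html)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(member, findings)
```

Running it against a real attachment is just `scan_zip(open("readme.zip", "rb").read())`; the decoded blobs are kept in memory only, so the same function can feed the bytes to a scanner or hash them without ever writing an executable to disk.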