RE: email worm? Newsletter, aaa.exe, caraoke ksp.exe
From: James C. Slora, Jr. (Jim.Slora_at_phra.com)
Date: 07/28/03
Date: Mon, 28 Jul 2003 13:37:21 -0400
To: "Dowling, Gabrielle" <dowlingg@sullcrom.com>, "Michael J. Pomraning" <mjp@securepipe.com>, <incidents@securityfocus.com>
I do believe it is not Migmaf, but Download.Trojan.PSK, which downloads
an IRC bot. Symantec's description is too skimpy - I guess they kept it
generic in case the same trojan code is distributed using a different
message or method.
http://www.sarc.com/avcenter/venc/data/download.trojan.psk.html
McAfee has the most complete posted description I've seen so far. They
call it Downloader-DK.
http://vil.mcafee.com/dispVirus.asp?virus_k=100512
> -----Original Message-----
> From: Dowling, Gabrielle [mailto:dowlingg@sullcrom.com]
> Sent: Monday, July 28, 2003 12:28 AM
> To: Michael J. Pomraning; incidents@securityfocus.com
> Subject: RE: email worm? Newsletter, aaa.exe, caraoke ksp.exe
>
>
> Yes, MessageLabs reported on this on Friday, it appears to be the
> reverse proxy trojan that Symantec describes as Migmaf, other vendors
> describe it differently.
>
> Gaby
>
> -----Original Message-----
> From: Michael J. Pomraning [mailto:mjp@securepipe.com]
> Sent: Saturday, July 26, 2003 9:37 AM
> To: incidents@securityfocus.com
> Subject: email worm? Newsletter, aaa.exe, caraoke ksp.exe
>
>
> Hello,
>
> I last night got a spoofed email inviting me to open its .zip
> attachment, a .htm containing a base64-encoded file aaa.exe followed by
> an "Exploit-Codebase" (NAI's classification) javascript springload:
>
> sender: admin@security.org
> subject: Newsletter
> attachment: readme.zip
> |
> +--> readme.htm --> { aaa.exe (MIME/b64) +
> "Exploit-CodeBase" }
>
> Strings from aaa.exe suggest that it wants to fetch a fixed URL --
> http://64.246.56.74/~caraoke/ksp.exe. This one, in turn, has Windows
> socket strings. I've not run either, and neither exe was identified by
> an up-to-date Sophos scanner.
>
> Is this a known backdoor, pr0n agent, or similar? I don't have a
> windows MUA to test with, but I'm assuming it requires manual
> intervention (unzip the .zip, view the .htm) to trigger, so its spread
> may be limited.
>
> Google didn't turn up much, and Google Groups (searching for the sender)
> puts this mail in it.news.net-abuse and perl.modules since yesterday.
> Looks like this one doesn't vary sender/subject/etc. The complete mail
> is available at
>
> http://groups.google.com/groups?selm=B5K823L43FF13H63%40security.org&oe=csn_369103&output=gplain
> Regards,
> Mike
>
> --
> Michael J. Pomraning, CISSP
> Project Manager, Infrastructure
> SecurePipe, Inc. - Managed Internet Security
>
> **********************************************************************
> This e-mail is sent by a law firm and contains information that may be
> privileged and confidential. If you are not the intended recipient,
> please delete the e-mail and notify us immediately.
> ***********************************************************************
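Added example, not from any message in this thread: a small Python triage script of the kind one would run against the readme.htm Mike describes (a .htm carrying a base64-encoded aaa.exe plus a CodeBase springload) before executing anything. It parses the .htm as MHTML with the standard library email parser, base64-decodes the embedded attachment, pulls printable strings the way strings(1) would, and reports hard-coded http:// URLs and Winsock import names, plus any <object codebase=...> reference in the HTML part that points at the embedded file. The sample .htm and the "executable" bytes are constructed here and are not the real aaa.exe or ksp.exe; the URL inside is a documentation address, and the <object codebase="aaa.exe"> shape is an assumption about what the "Exploit-CodeBase" springload looks like.

```python
import base64
import email
import re

# Constructed sample "executable": a fake MZ header plus the kinds of strings a
# static look at a downloader turns up. NOT the aaa.exe from the thread; the
# URL is an RFC 5737 documentation address, not a real host.
FAKE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 8
    + b"http://192.0.2.10/~example/stage2.exe\x00"
    + b"WSAStartup\x00socket\x00connect\x00send\x00recv\x00"
)

# Constructed sample readme.htm in MHTML (multipart/related) form: an HTML part
# whose <object codebase=...> points at a base64-encoded attachment. The
# codebase shape is an assumption about the "Exploit-CodeBase" springload.
SAMPLE_HTM = (
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/related; boundary="----=_NextPart_000"\r\n'
    "\r\n"
    "------=_NextPart_000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><object codebase="aaa.exe"></object></body></html>\r\n'
    "------=_NextPart_000\r\n"
    'Content-Type: application/octet-stream; name="aaa.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Location: aaa.exe\r\n"
    "\r\n"
    + base64.encodebytes(FAKE_EXE).decode("ascii")
    + "------=_NextPart_000--\r\n"
)

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")  # runs of printable ASCII, like strings(1)
URL_RE = re.compile(r"https?://[\x21-\x7e]+")
CODEBASE_RE = re.compile(r"codebase\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
WINSOCK_NAMES = {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname"}


def extract_strings(data):
    """Return printable ASCII runs of at least 4 bytes, decoded to str."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(data)]


def find_urls(strings):
    """Collect every http(s):// URL embedded in the extracted strings."""
    urls = []
    for s in strings:
        urls.extend(URL_RE.findall(s))
    return urls


def triage(htm_text):
    """Walk an MHTML .htm, decode its non-text parts, and report what they reference."""
    msg = email.message_from_string(htm_text)
    report = {"codebase_refs": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if part.get_content_type() == "text/html":
            html = payload.decode("latin-1")
            report["codebase_refs"].extend(CODEBASE_RE.findall(html))
            continue
        strings = extract_strings(payload)
        report["attachments"].append({
            "name": part.get_filename() or part.get("Content-Location"),
            "is_pe": payload[:2] == b"MZ",  # DOS/PE header only; full PE parse omitted
            "urls": find_urls(strings),
            "winsock": sorted(s for s in strings if s in WINSOCK_NAMES),
        })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HTM), indent=2))
```

Run it on a real readme.htm by reading the file into a string and passing it to triage(); the interesting output is whether an attachment starts with MZ, which URL it carries, and whether the HTML part's codebase attribute names that attachment. A static pass like this is what lets the second-stage URL be blocked at the proxy and handed to the AV vendors without detonating the sample.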