[Dshield] Fake Yahoo e-mail

Johannes B. Ullrich jullrich at sans.org
Sat Jan 17 15:21:42 GMT 2004


very interesting. it also does browser sniffing each
time and you only get the virus if you run MSIE...



On Sat, 2004-01-17 at 20:07, Mike wrote:
> Hi All,
> Posted in the SANS diary by Johannes Ullrich:
> A user submitted a fake e-mail, which is using the %01 MSIE bug to trick the
> user into downloading a Trojan.
> 
> This appears to be bigger than Yahoo being faked. Ive just received the
> below email from my ISP:
> Virus Alert
> To:mjcarter
> From: ihug.co.nz's Internet Virus Department
> 
> We have detected a possible computer virus on your computer, You must open
> the details of the report within 24 hours our we will be forced to shut down
> your internet service.
> 
> Please Click Below Then Press "open" To View The Report If you do not open
> this report in 24 hours we will suspend your internet service If nothing
> apears on your virus report please dis-regard this message
> Click Here Now
> <http://ihug.co.nz%01@dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/>
> 
> Clicking on the "button" does take me to
> http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ and attempts to
> download page.hta which McAfee detects as VBS/Inor.
> I've contacted my ISP and forwarded to them, I  wonder how many other ISPs
> are about to be flooded with calls.
> 
> Regards
> Mike
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20040117/240e250c/attachment.bin


More information about the list mailing list