compromised (was: [Dshield] Fake Yahoo e-mail)

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Sat Jan 17 17:13:49 GMT 2004

Hi EV1 Abuse, Mike, list,

WARNING: using MSIE that is not fully patched may compromise your PC
if you click any link in this email!

Host is probably compromised. The webpage Mike mentions
eventually redirects to:

which downloads, unpacks and runs a .HTA trojan on not fully patched
Windows, or may trick people into accepting and running this even if
their PC is fully patched.

Abuse at ev1: please disable ASAP to prevent any more

Details, three steps, using SamSpade:
Fetching http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ ...
Fetching ...
At 20040117 16:49:30 +0000:

Fetching ...
Date: Sat, 17 Jan 2004 16:45:45 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Disposition: inline; filename=page.hta
Connection: close
Transfer-Encoding: chunked
Content-Type: application/hta


<script language="VBScript">

szBinary = "4D5A90000300000004000000FFFF0000B [snip]

Erik van Straten

On Sun, 18 Jan 2004 01:07:49 +1300 Mike wrote:
> Hi All,
> Posted in the SANS diary by Johannes Ullrich:
> A user submitted a fake e-mail, which is using the %01 MSIE bug to trick the
> user into downloading a Trojan.
> This appears to be bigger than Yahoo being faked. I've just received the
> below email from my ISP:
> Virus Alert
> To:mjcarter
> From: ihug.co.nz's Internet Virus Department
> We have detected a possible computer virus on your computer, You must open
> the details of the report within 24 hours our we will be forced to shut down
> your internet service.
> Please Click Below Then Press "open" To View The Report If you do not open
> this report in 24 hours we will suspend your internet service If nothing
> apears on your virus report please dis-regard this message
> Click Here Now
> <http://ihug.co.nz%01@dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/>
> Clicking on the "button" does take me to
> http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ and attempts to
> download page.hta which McAfee detects as VBS/Inor.
> I've contacted my ISP and forwarded to them, I wonder how many other ISPs
> are about to be flooded with calls.
> Regards
> Mike
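As an added example (not code from Erik's or Mike's post, and not a SamSpade feature): a small Python triage script that does mechanically what the two posts above do by eye. It splits each link the way a resolver does, so the host after the last "@" is the one that is actually contacted, and compares it with what MSIE showed, which was everything before the %01 byte in the userinfo; it then checks the fetched response headers for an HTA delivery. The mail excerpt and headers are constructed from the text quoted in the thread; the two extra sample links are made up for comparison.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed excerpt standing in for Mike's mail body; the link is the one he quoted.
MAIL_EXCERPT = """Please Click Below Then Press "open" To View The Report
Click Here Now
<http://ihug.co.nz%01@dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/>
"""

# Constructed response headers, copied from the SamSpade fetch shown in Erik's post.
HTA_HEADERS = {
    "Server": "Apache/2.0.46 (Red Hat)",
    "Content-Disposition": "inline; filename=page.hta",
    "Content-Type": "application/hta",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def find_links(text):
    """Return every http(s) URL in an e-mail body, angle brackets stripped."""
    return URL_RE.findall(text)


def analyse_link(url):
    """Split a URL the way a resolver does and compare with what MSIE displayed.

    The real host is whatever follows the last '@' in the authority; anything
    before it is userinfo. The MSIE display bug the thread describes stopped
    rendering the address at a %01 (0x01) byte, so the user saw only the part
    before it, here 'ihug.co.nz'.
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else ""
    decoded = unquote(userinfo)
    # What the address bar showed: the userinfo up to the first control byte
    apparent = re.split(r"[\x00-\x1f]", decoded)[0]
    has_control = apparent != decoded
    looks_like_host = bool(HOST_RE.fullmatch(apparent))
    if userinfo and (has_control or looks_like_host):
        verdict = "spoofed"      # userinfo crafted to pass as the host
    elif userinfo:
        verdict = "userinfo"     # plain credentials in the URL, suspicious but honest
    else:
        verdict = "ok"
    return {"real_host": real_host,
            "apparent_host": apparent or real_host,
            "verdict": verdict}


def is_hta_download(headers):
    """True when the response delivers an HTML Application, by MIME type or filename."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("content-type", "").split(";")[0].strip().lower() == "application/hta":
        return True
    m = re.search(r'filename\*?="?([^";]+)', h.get("content-disposition", ""), re.I)
    return bool(m and m.group(1).strip().lower().endswith(".hta"))


def triage(mail_text, headers):
    """Run both checks and return the findings an abuse desk would act on."""
    links = [analyse_link(u) for u in find_links(mail_text)]
    return {
        "links": links,
        "hosts_to_report": sorted({l["real_host"] for l in links if l["verdict"] == "spoofed"}),
        "delivers_hta": is_hta_download(headers),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(MAIL_EXCERPT, HTA_HEADERS), indent=2))
```

Run it as-is and the spoofed link resolves to dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com while the apparent host is ihug.co.nz, which is the host an abuse report should name; the header check flags the page.hta delivery whether or not the browser happens to be patched, since the "open" prompt Mike describes is a social-engineering step rather than an exploit.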
