66.98.208.24 compromised (was: [Dshield] Fake Yahoo e-mail)

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Sat Jan 17 17:13:49 GMT 2004


Hi EV1 Abuse, Mike, list,

WARNING: using MSIE that is not fully patched may compromise your PC
if you click any link in this email!

Host 66.98.208.24 is probably compromised. The webpage Mike mentions
eventually redirects to:

http://66.98.208.24/cgi-bin/page.cgi

which downloads, unpacks and runs a .HTA trojan on not fully patched
Windows, or may trick people into accepting and running this even if
their PC is fully patched.

Abuse at ev1: please disable 66.98.208.24 ASAP to prevent any more
victims.

Details, three steps, using SamSpade:
----------------------------------------
Fetching http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ ...
[snip]
<META HTTP-EQUIV=Refresh CONTENT="1; URL=http://66.98.208.24/special2/">
[snip]
----------------------------------------
Fetching http://66.98.208.24/special2/ ...
[snip]
<META HTTP-EQUIV=Refresh CONTENT="1; URL=http://66.98.208.24/cgi-bin/page.cgi">
[snip]
----------------------------------------
At 20040117 16:49:30 +0000:

Fetching http://66.98.208.24/cgi-bin/page.cgi ...
[snip]
Date: Sat, 17 Jan 2004 16:45:45 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Disposition: inline; filename=page.hta
Connection: close
Transfer-Encoding: chunked
Content-Type: application/hta

f000
<html>

<script language="VBScript">

szBinary = "4D5A90000300000004000000FFFF0000B [snip]
----------------------------------------

Regards,
Erik van Straten

On Sun, 18 Jan 2004 01:07:49 +1300 Mike wrote:
> Hi All,
> Posted in the SANS diary by Johannes Ullrich:
> A user submitted a fake e-mail, which is using the %01 MSIE bug to trick the
> user into downloading a Trojan.
> 
> This appears to be bigger than Yahoo being faked. I've just received the
> below email from my ISP:
> Virus Alert
> To:mjcarter
> From: ihug.co.nz's Internet Virus Department
> 
> We have detected a possible computer virus on your computer, You must open
> the details of the report within 24 hours our we will be forced to shut down
> your internet service.
> 
> Please Click Below Then Press "open" To View The Report If you do not open
> this report in 24 hours we will suspend your internet service If nothing
> apears on your virus report please dis-regard this message
> Click Here Now
> <http://ihug.co.nz%01@dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/>
> 
> Clicking on the "button" does take me to
> http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ and attempts to
> download page.hta which McAfee detects as VBS/Inor.
> I've contacted my ISP and forwarded to them, I wonder how many other ISPs
> are about to be flooded with calls.
> 
> Regards
> Mike
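Added example, not part of the original post or of SamSpade: a small Python script that reproduces the two checks made above on constructed responses (the three fetches are embedded stand-ins, nothing is downloaded). It shows which host the `%01` link really connects to, and follows the META refresh chain until a response delivers an HTA, which is the point at which a defender's crawler should stop.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the three SamSpade fetches in the post: each URL
# maps to (response headers, body). Nothing here touches the network.
FAKE_WEB = {
    "http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/": (
        {"Content-Type": "text/html"},
        '<html><META HTTP-EQUIV=Refresh CONTENT="1; URL=http://66.98.208.24/special2/">'),
    "http://66.98.208.24/special2/": (
        {"Content-Type": "text/html"},
        '<META HTTP-EQUIV=Refresh CONTENT="1; URL=http://66.98.208.24/cgi-bin/page.cgi">'),
    "http://66.98.208.24/cgi-bin/page.cgi": (
        {"Content-Type": "application/hta",
         "Content-Disposition": "inline; filename=page.hta"},
        '<html><script language="VBScript">szBinary = "4D5A9000..."</script>'),
}

# Matches the META refresh form used on these pages (attribute order as seen).
META_REFRESH = re.compile(
    r'<meta\s+http-equiv\s*=\s*"?refresh"?\s+content\s*=\s*"\s*\d+\s*;\s*url=([^"\s>]+)',
    re.IGNORECASE)

def real_host(url):
    """Return (host actually connected to, userinfo shown before '@').

    In http://ihug.co.nz%01@<attacker>/... the trusted name sits in the
    userinfo part; the host a browser connects to is what follows the '@'."""
    parts = urlsplit(url)
    return parts.hostname, parts.username

def follow_refresh_chain(start_url, web=FAKE_WEB, max_hops=5):
    """Follow META refresh redirects without rendering anything and stop at
    the first response that serves an HTA. Returns (urls visited, verdict)."""
    chain, url = [], start_url
    for _ in range(max_hops):
        chain.append(url)
        if url not in web:
            return chain, "unreachable"
        headers, body = web[url]
        ctype = headers.get("Content-Type", "").lower()
        disp = headers.get("Content-Disposition", "").lower()
        # application/hta or a filename=*.hta disposition means MSHTA would run it
        if ctype == "application/hta" or disp.endswith(".hta"):
            return chain, "hta-download"
        m = META_REFRESH.search(body)
        if not m:
            return chain, "no-redirect"
        url = m.group(1)
    return chain, "too-many-hops"
```

With real responses you would swap FAKE_WEB for a fetcher that returns headers and body without executing anything, keeping the same stop condition.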
