compromised (was: [Dshield] Fake Yahoo e-mail)

Mike mjcarter at ihug.co.nz
Sat Jan 17 22:45:58 GMT 2004

WARNING: MSIE users do not click on this link!

It's on the move IP is now URL

inetnum: -
netname:      CNCNET
descr:        China Netcom Corp.
descr:        New Telecommunication Carrier Based on IP Backbone
country:      CN
admin-c:      JM284-AP
tech-c:       JM284-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CN-ZM28
changed:      hostmaster at apnic.net 20001011
changed:      hm-changed at apnic.net 20020703
changed:      hm-changed at apnic.net 20030212
source:       APNIC


-----Original Message-----
From: Erik van Straten [mailto:emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl]
Sent: Sunday, January 18, 2004 6:14 AM
To: list at dshield.org; abuse at ev1.net
Cc: Mike
Subject: compromised (was: [Dshield] Fake Yahoo e-mail)

Hi EV1 Abuse, Mike, list,

WARNING: using MSIE that is not fully patched may compromise your PC
if you click any link in this email!

Host is probably compromised. The webpage Mike mentions
eventually redirects to:

which downloads, unpacks and runs a .HTA trojan on not fully patched
Windows, or may trick people into accepting and running this even if
their PC is fully patched.

Abuse at ev1: please disable ASAP to prevent any more

Details, three steps, using SamSpade:
Fetching http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ ...
Fetching ...
At 20040117 16:49:30 +0000:

Fetching ...
Date: Sat, 17 Jan 2004 16:45:45 GMT
Server: Apache/2.0.46 (Red Hat)
Content-Disposition: inline; filename=page.hta
Connection: close
Transfer-Encoding: chunked
Content-Type: application/hta


<script language="VBScript">

szBinary = "4D5A90000300000004000000FFFF0000B [snip]

Erik van Straten

On Sun, 18 Jan 2004 01:07:49 +1300 Mike wrote:
> Hi All,
> Posted in the SANS diary by Johannes Ullrich:
> A user submitted a fake e-mail, which is using the %01 MSIE bug to trick
> user into downloading a Trojan.
> This appears to be bigger than Yahoo being faked. I've just received the
> below email from my ISP:
> Virus Alert
> To:mjcarter
> From: ihug.co.nz's Internet Virus Department
> We have detected a possible computer virus on your computer, You must open
> the details of the report within 24 hours our we will be forced to shut
> your internet service.
> Please Click Below Then Press "open" To View The Report If you do not open
> this report in 24 hours we will suspend your internet service If nothing
> apears on your virus report please dis-regard this message
> Click Here Now
> <http://ihug.co.nz%01@dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/>
> Clicking on the "button" does take me to
> http://dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/ and attempts to
> download page.hta which McAfee detects as VBS/Inor.
> I've contacted my ISP and forwarded to them, I wonder how many other ISPs
> are about to be flooded with calls.
> Regards
> Mike
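Added example (not part of the thread above, and not code posted by Mike or Erik): a small checker for the "%01@" trick the phishing mail uses. Pre-patch MSIE stopped rendering the address bar at a %01 byte inside the URL's userinfo part, so a link of the form http://ihug.co.nz%01@evil.../ was displayed as http://ihug.co.nz while the browser actually connected to the host after the "@" (the behaviour was removed by a later IE cumulative update, MS04-004). The code splits any http(s) URL found in a message into "what the user saw" and "where it really goes" and flags the two spoofing patterns: a control character in the userinfo, or a userinfo that itself looks like a hostname. The sample mail text and the hosts bank.example, evil.example and ftp.example are constructed for the example; the euphoriaja.com link is the one quoted in the thread.

```python
"""Detect MSIE "%01@" userinfo URL spoofing in links found in a message.

Added example, not code from the original mailing-list thread.
"""
import re
from urllib.parse import urlsplit, unquote

# Something that reads as a plain hostname: letters/digits/dots, with a TLD.
HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def analyze_link(url):
    """Return (displayed_host, actual_host, flagged) for one URL.

    displayed_host is what a pre-patch MSIE address bar showed: for a URL
    with userinfo, the userinfo up to the first control character; for a
    plain URL, the real host. actual_host is where the connection goes.
    """
    parts = urlsplit(url)
    actual_host = parts.hostname or ""
    netloc = parts.netloc
    if "@" not in netloc:
        return actual_host, actual_host, False

    # Everything before the last "@" is userinfo; the browser connects to
    # the host after it, no matter what the userinfo looks like.
    userinfo = unquote(netloc.rsplit("@", 1)[0])

    # %01 decodes to \x01; the old address bar stopped rendering there.
    shown = re.split(r"[\x00-\x1f]", userinfo, maxsplit=1)[0]
    has_control_char = shown != userinfo

    # Even without a control byte, "http://bank.example@evil.example/"
    # is a classic spoof: the userinfo is dressed up as a hostname.
    looks_like_host = bool(HOSTNAME_RE.match(shown))

    return shown, actual_host, has_control_char or looks_like_host


def scan_message(text):
    """Return a list of (url, displayed_host, actual_host, flagged)."""
    results = []
    for url in URL_RE.findall(text):
        shown, actual, flagged = analyze_link(url)
        results.append((url, shown, actual, flagged))
    return results


# Constructed sample mail body: the real link quoted in the thread plus
# two harmless links and one hostname-in-userinfo spoof.
SAMPLE_MAIL = """\
Please Click Below Then Press "open" To View The Report
Click Here Now
<http://ihug.co.nz%01@dzmj6u1ziuzb4r3tzaj0zafl.euphoriaja.com/special2/>
Status page: http://www.example.com/status
Mirror: http://user:pw@ftp.example/pub/
Login: http://bank.example@evil.example/login
"""

if __name__ == "__main__":
    for url, shown, actual, flagged in scan_message(SAMPLE_MAIL):
        tag = "SPOOF" if flagged else "ok   "
        print(f"{tag} shown={shown!r:28} actual={actual!r}  {url}")
```

Run it as a script to see each link in the sample with the host the user would have seen beside the host the browser would really have contacted; the euphoriaja.com link and the bank.example@evil.example link are flagged, the plain URL and the ordinary user:pw@ URL are not. The same two checks can be applied to the Location header of each hop when following a redirect chain like the one Erik traced with SamSpade.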
