(was: [Dshield] Another New Yahoo Attempt)

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Tue Jan 20 15:06:34 GMT 2004

Hi tech-group at china-netcom.com, Mrcorp, list,

WARNING: do not click on URLs below when using MS Windows(TM)

To tech-group at china-netcom.com: is hacked or the owner
is malicious. Please take offline ASAP to prevent any more victims.

Analysis, three steps:
At 20040120 13:06:30 +0000

Fetching http://etsjoy.com/special2/ ...
At 20040120 13:06:43 +0000

Fetching ...
At 20040120 13:06:55 +0000

Fetching ...
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2002 03:55:36 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Content-Disposition: inline; filename=page.hta
Connection: close
Transfer-Encoding: chunked
Content-Type: application/hta


<script language="VBScript">

Ran: wget

Copied page.cgi to page.vbs

Slightly modified page.vbs: removed html codes, changed such that it
unpacks "usb_d2.exe" in the current directory and does not start it.

Ran: cscript page.vbs  (creates and writes usb_d2.exe)

Ran: md5sum -b usb_d2.exe
2ba6cad9fa77ec8aa3819d2f5cd5e1f4 *usb_d2.exe

This is identical to the md5sums from the ones I downloaded last Sunday.
See: http://www.dshield.org/pipermail/list/2004-January/013999.php

Symantec NAV CE defs 1/18/04 rev. 19:
- page.cgi = trojan.dropper
- page.vbs = no alarm
- usb_d2.exe = Backdoor.Trojan

McAfee commandline scanner, defs 4316 (1/18/04), engine 4.2.60
- page.cgi = VBS/Inor trojan
- page.vbs = VBS/Inor trojan
- usb_d2.exe = no alarm

Disclaimer: these virus scanners have been used just because I have
access to them. I'm not saying you should, or should not, use them.
The output is intended as an example.

Erik van Straten

On Tue, 20 Jan 2004 04:19:23 -0800 (PST) Mrcorp <mrcorp at yahoo.com> wrote:
> Another Yahoo goofy email.  Seems I am a target these days....  Anyone who thinks for a second
> knows that Yahoo is not their ISP, but details below... I got a copy of the install program, I
> will dissect later and post results.  Doesn't look like anything new technically, just a new
> delivery.
> Which is duj0u5zb26r00zaj0d.etsjoy.com/special2/
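As an added triage helper (not code from the post or the list), here is a Python script that parses a captured HTTP response like the one quoted above, reassembles the chunked body, flags the HTA-delivery signs the post shows (application/hta Content-Type, .hta filename in Content-Disposition, inline VBScript), and compares a dropped file's MD5 against the hash reported for usb_d2.exe. The sample response is constructed from the posted headers; the known-bad table holds only the hash given in the post.

```python
import hashlib
import re

# MD5 the post reports for the dropped usb_d2.exe; extend with your own IoCs.
KNOWN_BAD_MD5 = {"2ba6cad9fa77ec8aa3819d2f5cd5e1f4": "usb_d2.exe (VBS/Inor dropper payload)"}

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex size, CRLF, data, CRLF ... 0)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        pos = end + 2
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    pairs = (line.partition(":") for line in lines[1:])
    headers = {n.strip().lower(): v.strip() for n, _, v in pairs}
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return lines[0], headers, body

def hta_indicators(headers: dict, body: bytes) -> list:
    """HTA-delivery signs seen in the post's response; an empty list means none found."""
    found = []
    if headers.get("content-type", "").split(";")[0].strip().lower() == "application/hta":
        found.append("Content-Type application/hta")
    m = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""), re.I)
    if m and m.group(1).strip().lower().endswith(".hta"):
        found.append("Content-Disposition filename " + m.group(1).strip())
    if re.search(rb'<script[^>]*language\s*=\s*"?vbscript', body, re.I):
        found.append("inline VBScript block")
    return found

def check_payload_hash(data: bytes):  # returns (md5 hex, known-bad description or None)
    digest = hashlib.md5(data).hexdigest()
    return digest, KNOWN_BAD_MD5.get(digest)

# Constructed sample: the headers quoted in the post plus a one-chunk (0x1c bytes) body.
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.40 (Red Hat Linux)\r\n"
          b"Content-Disposition: inline; filename=page.hta\r\nTransfer-Encoding: chunked\r\n"
          b"Content-Type: application/hta\r\n\r\n1c\r\n<script language=\"VBScript\">\r\n0\r\n\r\n")
```

Feed `parse_response` a response captured with wget -S or a proxy and pass the bytes of the extracted executable to `check_payload_hash`; a match is a reason to quarantine, not a proof of cleanliness when absent.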
