210.51.184.247 (was: [Dshield] Another New Yahoo Attempt)

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Tue Jan 20 15:06:34 GMT 2004


Hi tech-group at china-netcom.com, Mrcorp, list,

WARNING: do not click on URLs below when using MS Windows(TM)

To tech-group at china-netcom.com: 210.51.184.247 is hacked or the owner
is malicious. Please take offline ASAP to prevent any more victims.

Analysis, three steps:
---------------------------------------------------------
At 20040120 13:06:30 +0000

Fetching http://etsjoy.com/special2/ ...
[snip]
<META HTTP-EQUIV=Refresh CONTENT="1; URL=http://210.51.184.247/special2/">
---------------------------------------------------------
At 20040120 13:06:43 +0000

Fetching http://210.51.184.247/special2/ ...
[snip]
<META HTTP-EQUIV=Refresh CONTENT="1; URL=http://210.51.184.247/cgi-bin/page.cgi">
---------------------------------------------------------
At 20040120 13:06:55 +0000

Fetching http://210.51.184.247/cgi-bin/page.cgi ...
[snip]
HTTP/1.1 200 OK
Date: Sun, 13 Jan 2002 03:55:36 GMT
Server: Apache/2.0.40 (Red Hat Linux)
Content-Disposition: inline; filename=page.hta
Connection: close
Transfer-Encoding: chunked
Content-Type: application/hta

1000
<html>

<script language="VBScript">
[snip]
---------------------------------------------------------

Ran: wget http://210.51.184.247/cgi-bin/page.cgi

Copied page.cgi to page.vbs

Slightly modified page.vbs: removed html codes, changed such that it
unpacks "usb_d2.exe" in the current directory and does not start it.

Ran: cscript page.vbs  (creates and writes usb_d2.exe)

Ran: md5sum -b usb_d2.exe
2ba6cad9fa77ec8aa3819d2f5cd5e1f4 *usb_d2.exe

This is identical to the md5sums from the ones I downloaded last Sunday.
See: http://www.dshield.org/pipermail/list/2004-January/013999.php

Symantec NAV CE defs 1/18/04 rev. 19:
- page.cgi = trojan.dropper
- page.vbs = no alarm
- usb_d2.exe = Backdoor.Trojan

McAfee commandline scanner, defs 4316 (1/18/04), engine 4.2.60
- page.cgi = VBS/Inor trojan
- page.vbs = VBS/Inor trojan
- usb_d2.exe = no alarm

Disclaimer: these virus scanners have been used just because I have
access to them. I'm not saying you should, or should not, use them.
The output is intended as an example.

Regards,
Erik van Straten

On Tue, 20 Jan 2004 04:19:23 -0800 (PST) Mrcorp <mrcorp at yahoo.com> wrote:
> Another Yahoo goofy email.  Seems I am a target these days....  Anyone who thinks for a second
> knows that Yahoo is not their ISP, but details below... I got a copy of the install program, I
> will dissect later and post results.  Doesn't look like anything new technically, just a new
> delivery.
[snip]
> Which is duj0u5zb26r00zaj0d.etsjoy.com/special2/
[snip]
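The three-hop chain in Erik's analysis (two META-refresh redirects ending in an inline HTA with a VBScript block) can be checked offline. The script below is an added example, not code from the post or from DShield: it walks a constructed map of responses keyed by the URLs in the post (bodies are trimmed stand-ins, nothing is fetched) and flags the HTA indicators on the final hop; the function names are assumed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses for the three hops in the post (headers, body); the
# bodies are trimmed stand-ins, not the real pages, and nothing here touches the network.
RESPONSES = {
    "http://etsjoy.com/special2/": (
        {"Content-Type": "text/html"},
        '<html><META HTTP-EQUIV=Refresh CONTENT="1; URL=http://210.51.184.247/special2/"></html>',
    ),
    "http://210.51.184.247/special2/": (
        {"Content-Type": "text/html"},
        '<META HTTP-EQUIV=Refresh CONTENT="1; URL=http://210.51.184.247/cgi-bin/page.cgi">',
    ),
    "http://210.51.184.247/cgi-bin/page.cgi": (
        {"Content-Type": "application/hta", "Content-Disposition": "inline; filename=page.hta"},
        '<html>\n<script language="VBScript">\n[snip]',
    ),
}

# Accepts the unquoted-attribute form seen in the post as well as quoted variants.
META_REFRESH = re.compile(
    r'<meta\s+http-equiv\s*=\s*["\']?refresh["\']?\s+content\s*=\s*["\']?'
    r'\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.IGNORECASE)

def meta_refresh_target(body: str) -> Optional[str]:
    m = META_REFRESH.search(body)
    return m.group(1) if m else None

def follow_chain(start: str, responses: dict, max_hops: int = 10) -> List[str]:
    """Walk META-refresh hops through an offline response map; stop on loops or the cap."""
    chain = [start]
    while len(chain) <= max_hops:
        _, body = responses.get(chain[-1], ({}, ""))
        nxt = meta_refresh_target(body)
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain

def hta_indicators(headers: Dict[str, str], body: str) -> List[str]:
    """Flag what the post's final hop shows: an HTA served inline plus a VBScript block."""
    hits = []
    if "application/hta" in headers.get("Content-Type", "").lower():
        hits.append("Content-Type application/hta")
    if re.search(r"filename=.*\.hta\b", headers.get("Content-Disposition", ""), re.I):
        hits.append("Content-Disposition names an .hta file")
    if re.search(r"<script[^>]*language\s*=\s*[\"']?vbscript", body, re.I):
        hits.append("VBScript <script> block")
    return hits
```

Feeding real captures into the same map (saved with wget, as in the post) lets the chain be reviewed without a browser ever rendering the HTA.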