[Dshield] Iran uranium spam

Josh Ballard bal at ksu.edu
Tue Aug 9 18:59:16 GMT 2005


Did some analysis on the one I received.  The website uses an IE
vulnerability to open a .hta file that then puts a whole bunch of things
on your computer, including some code that connects the host to a
botnet.  It looks up several addresses to try and connect to the botnet
from.  I'm still doing more research on this, but that's what I've got
so far.  It's very definitely malicious though.
--
Josh Ballard
Network Security Specialist
Kansas State University
bal at ksu.edu

