Bugtraq mailing list archives

worm "postcard" e-mail issue

From: "M. Perri" <icc-mysql () icorp net>
Date: Thu, 19 May 2005 12:38:21 -0500

Be advised there is a new worm spreading. It says you have received apostcard with a link to click to see the postcard, however, the URL firstgoes to some dsl customer in canada who has been comprised and some sort ofjavascript is run on the local machine... nut sure what it does....


Can anyone confirm what systems may be vulnerable to this attack?

Initial suspicious code which performs a redirect:

#telnet 68.146.201.132 8180

Trying 68.146.201.132...
Connected to S010600c09f51432d.cg.shawcable.net.
Escape character is '^]'.
GET /090/

HTTP/1.0 200

<-------html><head><s----cript language="javascript">

var k,r,c,n,u=9 ;var h=document.links;function L(x){if(h[x].text)returnh[x].text;var z,s=h[x].hash;if(s && s!="#"){if(s.substring(0,1)=="#")returns.substring(1,200);returns;}s=h[x].href;if(s){if(location.href.indexOf(s)==0)return"../";if(!x)return "../";z=s.lastIndexOf("#");if(z>=0)returns.substring(z+1,200);z=s.lastIndexOf("/");if(z>=0){if(z>=(s.length-1))z=s.lastIndexOf("/",z-1);if(z>=0)returns.substring(z+1,200);}return s;}return h[x].pathname;}function M(a,b){varx,y;x=L(a*3+k+6);y=L(b*3+k+6);if(k==1 || k==4){x*=2;y*=2;}if(x>y)returnr;if(x<y)return -r;return 0;};function A(x,y){var z=x+3;return "<b><ahref='javascript:O("+x+");'>"+y+" /\ </a> - <ahref='javascript:O("+z+");'>\/</a></b></td>";};function S(){return"cript>";}function F(x,y){return "<td><a href='" + L(y) + ((y==x)?"":"#" +L(x)) + "'>" + L(x) + "</a></td>";};function O(z){vari,j,w,o;r=1;k=z;if(k>=3){r=-1;k-=3;}c=(document.links.length-u)/3;u=6;n=new Array(c);for(i=0;i<c;++i)n[i]=i;n.sort(M);o="<scr"+"iptlanguage=javascript>var k,r,c,n,u=6; varh=document.links;"+L.toString()+M.toString()+A.toString()+F.toString()+O.toString()+S.toString()+"\n</s";o+=S()+ "<table border=0 width=100% bgcolor=#f0f0ff><tr bgcolor=#aaaaff><tdwidth=50%>"+A(0,"Name")+"<tdwidth=15%>"+A(1,"Size")+"<td>"+A(2,"Date")+"</tr>";for(i=0;i<c;++i){j=n[i]*3+6;o+="<tr>"+ F(j,j) + F(j+1,j) + F(j+2,j) +"</tr>";};w=document;o+="</table><hr>";w.open();w.write(o);w.close();o="";deleten;}</script></head><body><table border=0 width=100% bgcolor=#f0f0ff><trbgcolor=#aaaaff><td width=50%><b><a href="javascript:O(0);">Name /\</a> -<a href="javascript:O(3);">\/</a></b></td><td><b><ahref="javascript:O(1);">Size /\</a> - <ahref="javascript:O(4);">\/</a></b></td><td><b><ahref="javascript:O(2);">Date /\</a> - <ahref="javascript:O(5);">\/</a></b></td></tr></table><hr><br><center><tablewidth=500 height=60 border=1 cellspacing=0 cellpadding=1><tr vallign=topcellpadding=0 cellspacing=0><td height=4 bgcolor=#8030e0> <table width=494height=8 border=0 cellspacing=0 cellpadding=1><tr cellpadding=1cellspacing=0><td bgcolor=#5030a0 width=60 height=4><font size=0color=#ffffff class=f3>Unregistred</font></td><td bgcolor=#6030b0 width=60height=4><font size=0 color=#ffffff class=f3>copy</font></td><tdbgcolor=#7030c0 width=60 height=4 align=right><font size=0 color=#ffffffclass=f3>of <b>Small</b></font></td><td bgcolor=#8030d0 height=4><fontsize=0 color=#ffffff class=f3><b>HTTP server</b></font></td><tdbgcolor=#9030e0 width=60 height=4><font size=0class=f3> </font></td><td bgcolor=#a030f0 width=60 height=4><fontsize=0 class=f3> </font></td><td bgcolor=#b030ff width=60height=4><font size=0 class=f3> </font></td><td bgcolor=#c0c0c0width=12 height=4><a href=http://srv.mf.inc.ru/news.htm><font size=0color=#00c0f0 class=f3><b>/\\</b></font></a></td>àòüðåêëàìó</font></b></a></td></tr></table></center><br>Connection closed byforeign host.

Current thread:

worm "postcard" e-mail issue M. Perri (May 20)