Security Incidents mailing list archives
RE: E-Card Remote Code Execution Scam
From: "Jason Robertson" <jason () ifuture com>
Date: Sat, 28 Sep 2002 21:12:00 -0400
Here is what I have found http://and.doxdesk.com/parasite/Cytron.html and the file inside is potd.dll It downloads the file trop.xml, from one of two sites, with the following in the body, typical adware <?xml version="1.0"?> <trop> <operating-parameters> <repository>http://66.230.217.196/cybersex/trop.xml</repository> <repository>http://216.187.109.101/cybersex/trop.xml</repository> </operating-parameters> <targeting-rule hit-count="5" interleave-factor="8" url="http://66.230.217.196/cybersex/mn/mensnetwork.html";> <disabled-by cookie="MN" value="MN" url="http://www.themensnetwork.com/"/> <key-phrase weight="3" presence="required">gay</key-phrase> <key-phrase weight="1">sex</key-phrase> <key-phrase weight="1">XXX</key-phrase> <key-phrase weight="1">videos</key-phrase> <key-phrase weight="1">men</key-phrase> <key-phrase weight="2">ass</key-phrase> <key-phrase weight="3">anal</key-phrase> <key-phrase weight="3">cocks</key-phrase> <key-phrase weight="3">porn</key-phrase> <key-phrase weight="1">guys</key-phrase> </targeting-rule> <targeting-rule hit-count="5" interleave-factor="8" url="http://66.230.217.196/cybersex/sv/studvision.html";> <disabled-by cookie="SV" value="SV" url="http://www.studvision.com/"/> <key-phrase weight="3" presence="required">gay</key-phrase> <key-phrase weight="1">sex</key-phrase> <key-phrase weight="1">XXX</key-phrase> <key-phrase weight="1">videos</key-phrase> <key-phrase weight="1">men</key-phrase> <key-phrase weight="2">ass</key-phrase> <key-phrase weight="3">anal</key-phrase> <key-phrase weight="3">cocks</key-phrase> <key-phrase weight="3">porn</key-phrase> <key-phrase weight="1">guys</key-phrase> </targeting-rule> <targeting-rule hit-count="4" interleave-factor="8" url="http://www.xtremehardcore.com/ad/index.cfm";> <disabled-by cookie="XHC" value="XHC" url="http://www.xtremehardcore.com/"/> <key-phrase weight="2">hot sex</key-phrase> <key-phrase weight="2">hardcore</key-phrase> <key-phrase weight="2">extreme hardcore</key-phrase> <key-phrase weight="2">fucking</key-phrase> <key-phrase weight="2">XXX</key-phrase> <key-phrase>nudity</key-phrase> <key-phrase presence="required">sex</key-phrase> <key-phrase presence="illegal">gay</key-phrase> </targeting-rule> <targeting-rule hit-count="5" interleave-factor="8" url="http://66.230.217.196/cybersex/twyw/twyw.html";> <disabled-by cookie="TNYW" value="TNYW" url="http://www.tnyw.com/"/> <key-phrase weight="2">hot sex</key-phrase> <key-phrase>sex</key-phrase> <key-phrase weight="2">hardcore</key-phrase> <key-phrase weight="2">extreme hardcore</key-phrase> <key-phrase weight="2">fucking</key-phrase> <key-phrase weight="2">XXX</key-phrase> <key-phrase>nudity</key-phrase> <key-phrase weight="2">Hardcore</key-phrase> <key-phrase>Sex</key-phrase> <key-phrase weight="4">centerfold</key-phrase> <key-phrase presence="illegal">gay</key-phrase> </targeting-rule> <targeting-rule hit-count="3" interleave-factor="8" url="http://66.230.217.196/cybersex/soy/spyonyou.html";> <disabled-by cookie="SOY" value="SOY" url="http://www.spyonyou.com/"/> <disabled-by cookie="SOY" value="SOY" url="http://spyonyou.cybersexent.com/"/> <key-phrase>reality</key-phrase> <key-phrase>TV</key-phrase> <key-phrase>spy</key-phrase> <key-phrase>voyeur</key-phrase> <key-phrase>big brother</key-phrase> <key-phrase>webcam</key-phrase> <key-phrase>videocam</key-phrase> <key-phrase>cam</key-phrase> <key-phrase weight="2">sex</key-phrase> <key-phrase presence="illegal">gay</key-phrase> </targeting-rule> <targeting-rule hit-count="3" interleave-factor="8" url="http://66.230.217.196/cybersex/nc/nitechat.html";> <key-phrase presence="illegal">NC member</key-phrase> <key-phrase>dating</key-phrase> <key-phrase>relationship</key-phrase> <key-phrase>love</key-phrase> <key-phrase>personals</key-phrase> <key-phrase>videoconference</key-phrase> <key-phrase>videoconfrencing</key-phrase> <key-phrase>video conferencing</key-phrase> <key-phrase>romance</key-phrase> <key-phrase>cupid</key-phrase> </targeting-rule> <targeting-rule hit-count="4" interleave-factor="5" url="http://66.230.217.196/cybersex/ce/ce.html";> <key-phrase weight="3">hardcore</key-phrase> <key-phrase weight="2">sex</key-phrase> <key-phrase weight="2">girls</key-phrase> <key-phrase weight="1">pussy</key-phrase> <key-phrase weight="1">sluts</key-phrase> <key-phrase weight="2">videos</key-phrase> <key-phrase weight="3">horny</key-phrase> <key-phrase presence="illegal">gay</key-phrase> </targeting-rule> <targeting-rule hit-count="4" interleave-factor="5" url="http://66.230.217.196/cybersex/ce/clubx.html";> <disabled-by cookie="ClubX" value="ClubX" url="http://www.mainentrypoint.com/"/> <key-phrase weight="3">hardcore</key-phrase> <key-phrase weight="2">sex</key-phrase> <key-phrase weight="2">girls</key-phrase> <key-phrase weight="1">pussy</key-phrase> <key-phrase weight="1">sluts</key-phrase> <key-phrase weight="2">videos</key-phrase> <key-phrase weight="3">horny</key-phrase> <key-phrase weight="3">lesbian</key-phrase> <key-phrase weight="3">lesbians</key-phrase> <key-phrase presence="illegal">gay</key-phrase> </targeting-rule> </trop> On 28 Sep 2002 at 5:28, Jonathan A. Zdziarski wrote: From: "Jonathan A. Zdziarski" <jonathan () networkdweebs com> To: <incidents () securityfocus com> Copies to: <abuse () yahoo com> Subject: RE: E-Card Remote Code Execution Scam Date sent: Sat, 28 Sep 2002 05:28:48 -0400 Mailer: Microsoft Outlook, Build 10.0.2616
FYI I was incorrect about this originating from yahoo's mail servers.
Hey it's 5am here. At closer look, it appears the sender only did a
HELO using a yahoo mail server's hostname. The actual headers are
below. Ironically linkserve.com's website advertises as "Nigeria's top
ISP".
Received: from linkserve.com ([195.166.232.2])
by elijah.cafejesus.com (8.11.6/8.11.4) with ESMTP id
g8S4s1b07090
for <jonathan () jesuscafe com>; Sat, 28 Sep 2002 00:54:02 -0400
(EDT)
Received: from [208.40.204.2] (HELO mx1.mail.yahoo.com)
by linkserve.com (CommuniGate Pro SMTP 3.5.9)
with ESMTP id 1423750; Sat, 28 Sep 2002 05:43:24 -0100
Message-ID: <00006b79470e$0000264c$00006c7e () mx1 mail yahoo com>
To: <Undisclosed.Recipients>
From: egreetings () yahoo com
Subject: DSPAM: You have recieved and E-Card ]31624
Date: Fri, 27 Sep 2002 21:42:54 -1900
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 1
X-MSMail-Priority: High
MIME-Version: 1.0
X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.3.2 SunOS 5.7 sun4u sparc
Sensitivity: Confidential
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-- Jason Robertson Now at the Nation Research Council. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: E-Card Remote Code Execution Scam Jonathan A. Zdziarski (Sep 28)
- RE: E-Card Remote Code Execution Scam Jason Robertson (Sep 29)
- <Possible follow-ups>
- E-Card Remote Code Execution Scam Jonathan A. Zdziarski (Sep 28)
- Re: E-Card Remote Code Execution Scam Jeff Jirsa (Sep 29)
- Re: E-Card Remote Code Execution Scam Axel Pettinger (Sep 29)
- RE: E-Card Remote Code Execution Scam Fulton Preston (Sep 29)
- RE: E-Card Remote Code Execution Scam Jonathan A. Zdziarski (Sep 29)
- RE: E-Card Remote Code Execution Scam Fulton Preston (Sep 29)
- RE: E-Card Remote Code Execution Scam H.Karrenbeld (Sep 29)