Full Disclosure mailing list archives
Re: Virus on web site
From: "Peter B. Harvey (Information Security)" <peterharvey () emergency qld gov au>
Date: Wed, 3 Aug 2005 11:19:59 +1000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all

An update: the virus is a HAXDOOR variant, which is a backdoor. Symantec and Trend also now detect it.

The virus is spread by an iframe or link in an email asking to go to a compromised website. The latest site seen is:

http://crbmarketing.com/images/select.html

This opens up a two-frame page with a Hotmail look-alike login screen, which appears to be used to steal Passport credentials from anyone foolish enough to enter them. The other frame is only a couple of pixels high at the top. This opens an IFRAME to

http://crbmarketing.com/images/newex.html

This page looks like an advert for a Samsung phone but contains two objects:

http://crbmarketing.com/images/msits.exe - The backdoor
http://crbmarketing.com/images/strsp2.js - The Trojan downloader JS_PSYME.AT

These emails will get past most content scanners as they are just an HTML email. SPAM engines might catch them.

A new variant just came in and it appears to be just using the JavaScript component:

http://mistysunshine.com/register/reg.html

IFRAME at the top points to

http://besttraff.us/top/index.html

Again, have JavaScript turned off before looking at the sites.

Peter
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQvAbv/2VmmbibZoUEQLYZQCfTi7QdZC2Uka8xNv/WWxf3yoUUcYAn2zi
1iGaOpzMdxX7oHxthDBpe+7B
=Goti
-----END PGP SIGNATURE-----

This correspondence is for the named persons only. It may contain confidential or privileged information or both. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this correspondence in error please delete it from your system immediately and notify the sender. You must not disclose, copy or rely on any part of this correspondence if you are not the intended recipient. Any opinions expressed in this message are those of the individual sender except where the sender expressly, and with the authority, states them to be the opinions of the Department of Emergency Services, Queensland.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
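The page layout the post describes (a frameset whose top row is a couple of pixels high, loading an IFRAME that in turn references an .exe and a .js) can be flagged mechanically when triaging a reported page offline. The following is an added example and not code from the post or the mailing list. It uses only the Python standard library; the 5-pixel "effectively hidden" threshold and the payload extensions are assumptions, and the pages it walks are constructed inline to mirror the structure described above (the .invalid hostnames are placeholders, not the sites named in the post).

```python
"""Flag near-invisible frames and executable/script references in saved HTML pages.

Added example for triage of a reported page; not from the original post.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

TINY_PX = 5                    # assumed threshold: a frame this small is effectively invisible
PAYLOAD_EXT = (".exe", ".js")  # the two object types named in the post


def _px(value):
    """Parse a frameset row or iframe size ('2', '2px', '100%', '*'); return pixels or None."""
    if value is None:
        return None
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


class FrameScanner(HTMLParser):
    """Collect (kind, absolute_url) findings from one HTML document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.row_sizes = []   # sizes from the enclosing <frameset rows="...">
        self.frame_no = 0     # index of the next <frame> within that frameset
        self.findings = []

    def _note(self, kind, ref):
        url = urljoin(self.page_url, ref)
        # A frame or object pulled from another host is worth calling out separately.
        if urlparse(url).netloc != urlparse(self.page_url).netloc:
            kind += "_offsite"
        self.findings.append((kind, url))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "frameset":
            self.row_sizes = [s.strip() for s in a.get("rows", "*").split(",")]
            self.frame_no = 0
        elif tag == "frame":
            size = self.row_sizes[self.frame_no] if self.frame_no < len(self.row_sizes) else "*"
            self.frame_no += 1
            px = _px(size)
            tiny = px is not None and px <= TINY_PX
            self._note("hidden_frame" if tiny else "frame", a.get("src", ""))
        elif tag == "iframe":
            dims = (_px(a.get("height")), _px(a.get("width")))
            tiny = any(d is not None and d <= TINY_PX for d in dims)
            self._note("hidden_frame" if tiny else "frame", a.get("src", ""))
        elif tag in ("object", "embed", "script", "a"):
            ref = a.get("data") or a.get("src") or a.get("href") or ""
            if ref.lower().endswith(PAYLOAD_EXT):
                self._note("payload_" + ref.rsplit(".", 1)[1].lower(), ref)


def scan_page(html, page_url):
    """Return the findings for a single page fetched from page_url."""
    scanner = FrameScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def follow_frames(pages, start_url):
    """Breadth-first walk over an in-memory page store, following frame targets.

    Returns (page_url, kind, target_url) triples; unknown targets are skipped.
    """
    seen, queue, results = set(), [start_url], []
    while queue:
        url = queue.pop(0)
        if url in seen or url not in pages:
            continue
        seen.add(url)
        for kind, target in scan_page(pages[url], url):
            results.append((url, kind, target))
            if kind.startswith("frame") or kind.startswith("hidden_frame"):
                queue.append(target)
    return results


# Constructed pages mirroring the structure described in the post (placeholders, not real sites).
BASE = "http://compromised-host.invalid/images/"
PAGES = {
    BASE + "select.html": '<html><frameset rows="2,*"><frame src="top.html">'
                          '<frame src="login.html"></frameset></html>',
    BASE + "top.html": '<html><body><iframe src="newex.html" height="1" width="1">'
                       '</iframe></body></html>',
    BASE + "login.html": '<html><body><form action="login.php"><input name="pw"></form>'
                         '</body></html>',
    BASE + "newex.html": '<html><body><img src="phone.jpg"><object data="msits.exe">'
                         '</object><script src="strsp2.js"></script></body></html>',
}
START = BASE + "select.html"

if __name__ == "__main__":
    for page, kind, target in follow_frames(PAGES, START):
        print(f"{kind:22} {target}   (in {page})")
```

Running the block walks from the landing page through the 2-pixel frame and the 1x1 IFRAME to the page that carries the .exe and the .js, reporting each hop; an IFRAME whose target sits on a different host is reported with an `_offsite` suffix, which covers the second variant the post mentions.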
Current thread:
- Virus on web site Peter B. Harvey (Information Security) (Aug 01)
- REGUSTERFLY To The White Courtesy Phone Please? (Was: Re: Virus on web site) J.A. Terranson (Aug 01)
- Re: Virus on web site Johannes Schneider (Aug 02)
- Re: Virus on web site Nick FitzGerald (Aug 02)
- <Possible follow-ups>
- Re: Virus on web site Peter B. Harvey (Information Security) (Aug 02)
- Re: Virus on web site Nick FitzGerald (Aug 02)