Full Disclosure mailing list archives
Re: Virus on web site
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 03 Aug 2005 15:07:53 +1200
Peter B. Harvey wrote:
An update the Virus is a HAXDOOR variant which is a backdoor. Symantec and Trend also now detect it.
And most other "major" AV engines -- about an hour before you posted, I got this result from 22 virus scanners with different engines: Win32:Haxdoor-AE [Trj] BDS/Haxdoor.DW.1 BackDoor.Generic.HKX Backdoor.Win32.Haxdoor.dw BackDoor.Haxdoor BackDoor-BAC.gen.b Backdoor.Win32.Haxdoor.DW Trojan Horse Win32/Haxdoor Bck/Haxdoor.DG BKDR_HAXDOOR.CI Troj/Haxdor-Gen Win32.Haxdoor.AF Win32/Banker.50353!Trojan Backdoor.Haxdoor.DM1
The virus is spread by an iframe or link in an email asking to go to a compromised website. The latest site seen is: http://crbmarketing.[...] This opens up a two frame page with A hotmail look alike login screen which appears to be used to steal passport credentials to anyone foolish enough to enter them. The other frame is only a couple of pizels high at the top. This opens an IFRAME to http://crbmarketing.[...] This page looks like an advert for a samsung phone but contains two objects http://crbmarketing.[...] http://crbmarketing.[...] JS_PSYME.AT These emails will get past most content scanners as they are just an HTML email. SPAM engines might catch them. A new variant just came in and it appears to be just using the javascript component http://mistysunshine.[...] IFRAME at the top points to http://besttraff.[...] Again have Javascript turned off before looking at the sites
All those sites are now returning "closed for maintenance" or "closed for ToS abuse" style pages... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Virus on web site Peter B. Harvey (Information Security) (Aug 01)
- REGUSTERFLY To The White Courtesy Phone Please? (Was: Re: Virus on web site) J.A. Terranson (Aug 01)
- Re: Virus on web site Johannes Schneider (Aug 02)
- Re: Virus on web site Nick FitzGerald (Aug 02)
- <Possible follow-ups>
- Re: Virus on web site Peter B. Harvey (Information Security) (Aug 02)
- Re: Virus on web site Nick FitzGerald (Aug 02)