Full Disclosure mailing list archives
Re: A new phishing fraud
From: Shawn Austin <austinsr () uindy edu>
Date: Wed, 18 May 2005 20:39:50 -0500
Mcafee catches VBS/Soraci when the page is loading. Writeup of virus from http://vil.nai.com/vil/content/v_101049.htm*Virus Characteristics: <javascript:legendwindow('/vil/legend.htm#Charactieristics');>*
This is a file infecting VBScript virus that infects files with extension HTT, HTM, and HTML. When run, the virus will create or modify the following registry keys to change the Internet Explorer start page:
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Default_Page_URL" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local
Page" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start
Page" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
"Default_Page_URL" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
"Local Page" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
"Start Page" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
The virus creates the following files:
* %SysDir%\icarOs.dll (2,824 bytes)
* %SysDir%\icarOs2.dll (3,748 bytes)
* %SysDir%\scanregw.vbe (3,718 bytes)
/(Where %SysDir% is the Windows System directory on the system, for
example c:\WINDOWS\SYSTEM.) /
A registry entry is also created to run the virus on Windows startup:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "ScanRegistry " = %SysDir%\scanregw.vbe
This virus has a malicious payload to restart Windows continuously if
the date is September 26.
m0fo wrote:
probably, there is a new phishing fraud. I received a mail saying:"Please note that this is a system generated email. Please do not reply to this email. If you have questions, please click the following link or paste it in your browser. http://pages.ebay.com/help/basics/select-support.html eBay Confirmation Center Dear customer,During our regular update and verification of the accountswe couldn't verify your current information. Either your information has changed or it is incomplete. If the account information is not updated to current information within 5 days then, your access to bid or buy on eBay will be suspended.To Update Account, please click the link belowclick here Copyright 1995-2005 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. eBay and the eBay logo are trademarks of eBay Inc." while im clicking its taking me to http://www.pearland.co.id/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav <http://www.pearland.co.id/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav>= there its asking for user and pass.Take Care,Ido.------------------------------------------------------------------------ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- A new phishing fraud m0fo (May 18)
- Re: A new phishing fraud Shawn Austin (May 18)