Security Incidents mailing list archives

RE: Please tell me I'm wrong: microsoft.com infected


From: "Ken Pfeil" <Ken () infosec101 org>
Date: Wed, 19 Sep 2001 18:27:51 -0400

Must have been 207.46.230.218 'cause it's offline now.

-----Original Message-----
From: Ken Pfeil [mailto:Ken () infosec101 org]
Sent: Wednesday, September 19, 2001 6:26 PM
To: Michael H. Warfield; Steve Cody
Cc: incidents () securityfocus com
Subject: RE: Please tell me I'm wrong: microsoft.com infected


Which system?

Canonical name: www.microsoft.akadns.net
Aliases:
  www.microsoft.com
Addresses:
  207.46.230.218
  207.46.197.102
  207.46.197.100
  207.46.230.220

-----Original Message-----
From: Michael H. Warfield [mailto:mhw () wittsend com]
Sent: Wednesday, September 19, 2001 5:54 PM
To: Steve Cody
Cc: incidents () securityfocus com
Subject: Re: Please tell me I'm wrong: microsoft.com infected


On Wed, Sep 19, 2001 at 03:37:39PM -0400, Steve Cody wrote:
I just went to http://www.microsoft.com/frontpage, and my Symantec
Norton Antivirus popped up and denied access to readme.eml.

I could not view the source of the loaded page, so I can't verify that
it is definitely infected.

    Yes, indeedie do.  Just did a wget http://www.microsoft.com/frontpage
and here is what's on da bottom:

[html][script language="JavaScript"]window.open("readme.eml",
null, "resizable=no,top=6000,left=6000")[/script][/html]

    Defanged by turning angle brackets into square brackets even though
it's not in an html attachment.  ;-)

Steve



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |
http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

