| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu May 19 02:39:58 2005
From: austinsr at uindy.edu (Shawn Austin)
Subject: A new phishing fraud
Mcafee catches VBS/Soraci when the page is loading.
Writeup of virus from http://vil.nai.com/vil/content/v_101049.htm
*Virus Characteristics:
<javascript:legendwindow('/vil/legend.htm#Charactieristics');>*
This is a file infecting VBScript virus that infects files with
extension HTT, HTM, and HTML. When run, the virus will create or modify
the following registry keys to change the Internet Explorer start page:
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Default_Page_URL" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local
Page" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start
Page" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
"Default_Page_URL" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
"Local Page" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
"Start Page" = http://www./(address neutered)/
.com/hedda_marie_tolentino/index.htm
The virus creates the following files:
* %SysDir%\icarOs.dll (2,824 bytes)
* %SysDir%\icarOs2.dll (3,748 bytes)
* %SysDir%\scanregw.vbe (3,718 bytes)
/(Where %SysDir% is the Windows System directory on the system, for
example c:\WINDOWS\SYSTEM.) /
A registry entry is also created to run the virus on Windows startup:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "ScanRegistry " = %SysDir%\scanregw.vbe
This virus has a malicious payload to restart Windows continuously if
the date is September 26.
m0fo wrote:
> probably, there is a new phishing fraud.
>
> I received a mail saying:
>
> "Please note that this is a system generated email. Please do not
> reply to this email. If you have questions, please click the following
> link or paste it in your browser.
> http://pages.ebay.com/help/basics/select-support.html
>
> eBay Confirmation Center
>
>
> Dear customer,
> During our regular update and verification of the accounts
> we couldn't verify your current information. Either your information
> has changed or it is incomplete. If the account information is not
> updated to current information within 5 days then, your access to bid
> or buy on eBay will be suspended.
> To Update Account, please click the link below
>
>
> click here
>
>
>
> Copyright 1995-2005 eBay Inc. All Rights Reserved.
>
> Designated trademarks and brands are the property of their respective
> owners.
>
> eBay and the eBay logo are trademarks of eBay Inc."
>
>
>
> while im clicking its taking me to
> http://www.pearland.co.id/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav
> <http://www.pearland.co.id/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav>=
>
> there its asking for user and pass.
>
>
> Take Care,
>
> Ido.
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
Powered by blists - more mailing lists