Open Source and information security mailing list archives
 
Message-ID: <267B0BD2FE756647B1A0158794E5A67026CA88@BNEEML01.des>
Date: Wed Aug  3 02:19:51 2005
From: peterharvey at emergency.qld.gov.au (Peter B. Harvey (Information Security))
Subject: Virus on web site



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all

An update: the virus is a HAXDOOR variant, which is a backdoor.
Symantec and Trend also now detect it.

The virus is spread by an iframe or link in an email asking to go to
a compromised website. The latest site seen is:
http://crbmarketing.com/images/select.html

This opens up a two-frame page with a Hotmail look-alike login screen,
which appears to be used to steal the Passport credentials of anyone
foolish enough to enter them.

The other frame is only a couple of pixels high at the top. This
opens an IFRAME to
http://crbmarketing.com/images/newex.html

This page looks like an advert for a Samsung phone but contains two
objects:
http://crbmarketing.com/images/msits.exe - the backdoor
http://crbmarketing.com/images/strsp2.js - the Trojan downloader
JS_PSYME.AT

These emails will get past most content scanners, as they are just an
HTML email. Spam engines might catch them.

A new variant just came in, and it appears to be using just the
JavaScript component:
http://mistysunshine.com/register/reg.html
The IFRAME at the top points to
http://besttraff.us/top/index.html

Again, have JavaScript turned off before looking at the sites.

Peter

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQvAbv/2VmmbibZoUEQLYZQCfTi7QdZC2Uka8xNv/WWxf3yoUUcYAn2zi
1iGaOpzMdxX7oHxthDBpe+7B
=Goti
-----END PGP SIGNATURE-----

This correspondence is for the named persons only.
It may contain confidential or privileged information or both.
No confidentiality or privilege is waived or lost by any mistransmission.
If you receive this correspondence in error, please delete it from your system immediately and notify the sender.
You must not disclose, copy or rely on any part of this correspondence if you are not the intended recipient.
Any opinions expressed in this message are those of the individual sender except where the sender expressly,
and with the authority, states them to be the opinions of the Department of Emergency Services, Queensland.
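The layout the post describes (a top frame only a couple of pixels high that loads a second page, which in turn carries an .exe object and a .js downloader) is a pattern a mail gateway or a triage script can check for mechanically. The Python below is an added example for this archive page, not code from the original post or from any vendor; the two HTML samples are constructed to mirror the described layout, the hostname bad.example.net is a placeholder, and the 10-pixel "hidden" threshold and the extension list are assumptions chosen for illustration.

```python
"""Flag hidden IFRAMEs and executable/script objects in a fetched HTML page.

Added example, not code from the original post. Sample HTML is constructed;
hostnames are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: a frame this short (CSS pixels) or shorter is invisible in practice.
HIDDEN_HEIGHT_PX = 10

# Assumption: object/script/embed references with these extensions deserve a look
# (the post lists an .exe backdoor and a .js downloader).
SUSPICIOUS_EXT = (".exe", ".js", ".vbs", ".hta", ".scr")


def _px(value):
    """Parse a width/height attribute such as '2', '2px' or '100%'; None if not a number."""
    if value is None:
        return None
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v)
    except ValueError:
        return None


def _style_hidden(style):
    """True when an inline style hides the element outright."""
    if not style:
        return False
    s = style.replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


class _Scanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.hidden_iframes = []       # (absolute src, height, cross_host)
        self.suspicious_objects = []   # absolute URLs of object/script/embed payloads

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = urljoin(self.page_url, a.get("src", ""))
            h, w = _px(a.get("height")), _px(a.get("width"))
            tiny = (h is not None and h <= HIDDEN_HEIGHT_PX) or \
                   (w is not None and w <= HIDDEN_HEIGHT_PX)
            if tiny or _style_hidden(a.get("style")):
                cross_host = urlparse(src).hostname != self.page_host
                self.hidden_iframes.append((src, h, cross_host))
        elif tag in ("object", "script", "embed"):
            ref = a.get("data") or a.get("src") or a.get("codebase")
            if ref:
                url = urljoin(self.page_url, ref)
                if urlparse(url).path.lower().endswith(SUSPICIOUS_EXT):
                    self.suspicious_objects.append(url)


def scan_html(html, page_url):
    """Return the hidden frames and suspicious payload references found in one page."""
    s = _Scanner(page_url)
    s.feed(html)
    s.close()
    return {"hidden_iframes": s.hidden_iframes,
            "suspicious_objects": s.suspicious_objects}


# Constructed sample: the outer page, a visible login frame plus a 2-pixel frame.
SAMPLE_OUTER = """
<html><body>
<iframe src="newex.html" width="100%" height="2" frameborder="0"></iframe>
<iframe src="login.html" width="100%" height="600"></iframe>
</body></html>
"""

# Constructed sample: the inner page, an advert image with an .exe object and a .js script.
SAMPLE_INNER = """
<html><body>
<img src="phone.jpg" alt="advert">
<object data="msits.exe" type="application/octet-stream"></object>
<script src="strsp2.js"></script>
</body></html>
"""

if __name__ == "__main__":
    outer = scan_html(SAMPLE_OUTER, "http://bad.example.net/images/select.html")
    for src, height, cross in outer["hidden_iframes"]:
        print("hidden iframe:", src, "height=%s" % height, "cross-host" if cross else "same-host")
    inner = scan_html(SAMPLE_INNER, "http://bad.example.net/images/newex.html")
    for url in inner["suspicious_objects"]:
        print("payload reference:", url)
```

In practice the outer page would be fetched with a non-browser client and JavaScript never executed, as the post advises; the scanner only reads markup. A hidden frame alone is not proof of compromise (advertising and tracking pages use them too), so the useful signal is the combination: a near-invisible frame whose target page references an executable or script payload.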
