Possible Trojan/Virus: while.com.

From: Jay D. Dyson (jdysonat_private)
Date: Sun Nov 25 2001 - 22:21:58 PST


    Hi folks,
    
    	I received an unusual spam complaint from one of my users here. 
    What's unusual is that I'd not heard about this payload before.  While I
    haven't had time yet to give the payload more than a cursory look, my gut
    tells me the following is a trojan or worm either deliberately or
    unintentionally disseminated by an AOL user (using a forged bellsouth.net
    address).  Also of import is that the user who sent this beastie was using
    Microsoft Outlook (as if that isn't a big enough warning sign). 
    
    	The text accompanying this apparently malicious payload is thus:
    
    -----BEGIN EXCERPT-----
    
    It can be disabled at your discretion, although the default 
    configuration is to allow updates. If you want to disable this feature, 
    follow the instructions in the online help documentation under the topic 
    "Turning Attune off and on".\f0\par
    
    \par
    
    You may not modify, reverse-engineer, decompile, create other works 
    from, or disassemble the software. Similarly, you may not copy, modify, 
    adapt or create other works based upon the Documentation.
    
    ----- END EXCERPT -----
    
    	The payload is named "while.com" (did some searching on this term
    and came up with goose-eggs).  Vital statistics on the file are: 
    
    	Filesize	: 73,728 bytes
    	MD5 sum		: 0cd0a719f9f91630de366c54c427a834
    	Interesting bits: mshtml.dll (previously ID'd as security risk)
    			  TLOSS error
    			  SING error
    			  DOMAIN error
    
    	(The above three items strike me as math-intensive, possibly
    	indicating a cracking functionality of some type...or maybe I'm
    	whistling in the dark.  Like I said, this is a suspected trojan,
    	not confirmed.)
    
    	Anyway, with the creepy-crawlies typically associated with
    Microsoft-sired worms (use of MS Outlook, generic text, unsolicited
    payload, et cetera), I'm regarding this as a high-probability trojan/worm.
    
    	Anyone interested in vivisecting this beastie can find a copy of
    it here:
    
    	The file: http://www.treachery.net/~jdyson/trojans/while.com
    	MD5 sum : http://www.treachery.net/~jdyson/trojans/while.com.md5
    
    	Oh...and in case anyone's wondering, I've already sent off a
    letter to AOL to let them know about this.
    
    -Jay
    
       (    (                                                        _______
       ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
     C|~~|C|~~| (>----- Jay D. Dyson -- jdysonat_private -----<) |    = |-'
      `--' `--'  `---------- Si vis pacem, para bellum. ----------'  `------'
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Nov 26 2001 - 08:24:29 PST