> "mindjail.zip" contains an HTML file, "mindjail.html", which drops and
> executes "javax.sun.base.exe" (MD5: 286b884697dffd5a535295dcf5a4c6ea) on
> vulnerable systems - see "Self-Executing HTML: Internet Explorer 5.5 and
> 6.0 Part II", <http://www.securityfocus.com/archive/1/313174>, for more
> information about the vulnerability.
>
> "javax.sun.base.exe" is an upx'ed SdBot variant. It tries to connect to
> "hk.zxy0.com" [64.156.241.176].

Do you know why the messages appeared to stop at 1930 GMT or so yesterday (27 June 2003)? I am told that they just mysteriously stopped around this time on every network they were hitting. (I have been unable to confirm this personally, but I haven't seen mindjail on either of the IRC networks I frequent for over 24 hours now.)

Sincerely,

Chris Ess
Systems Administrator / CDTT (Certified Duct Tape Technician)

This archive was generated by hypermail 2b30 : Sun Jun 29 2003 - 09:54:34 PDT