email worm? Newsletter, aaa.exe, caraoke ksp.exe (fwd)

From: Michael J. Pomraning (mjpat_private)
Date: Sat Jul 26 2003 - 11:04:02 PDT


    Moderator, this is a follow-up to a not-yet-approved post -- the "ksp.exe" URL
    is now giving a 404 (as opposed to the 200 OK it gave as recently as 3 hours
    ago).
    
    Looks like the ISP, or site-operator, did the right thing.  Good thing, as
    google group hits for "adminat_private" slowly climb.
    
    Regards,
    Mike
    -- 
    Michael J. Pomraning, CISSP
    Project Manager, Infrastructure
    SecurePipe, Inc. - Managed Internet Security
    
    ---------- Forwarded message ----------
    Date: Sat, 26 Jul 2003 08:36:51 -0500 (CDT)
    From: Michael J. Pomraning <mjpat_private>
    To: incidentsat_private
    Subject: email worm? Newsletter, aaa.exe, caraoke ksp.exe
    
    Hello,
    
    I last night got a spoofed email inviting me to open its .zip attachment, a
    .htm containing a base64-encoded file aaa.exe followed by an
    "Exploit-Codebase" (NAI's classification) javascript springload:
    
      sender: adminat_private
      subject: Newsletter
      attachment: readme.zip
                  |
                  +--> readme.htm --> { aaa.exe (MIME/b64) + "Exploit-CodeBase" }
    
    Strings from aaa.exe suggest that it wants to fetch a fixed URL --
    http://64.246.56.74/~caraoke/ksp.exe.  This one, in turn, has Windows socket
    strings.  I've not run either, and neither exe was identified by an up-to-date
    Sophos scanner.
    
    Is this a known backdoor, pr0n agent, or similar?  I don't have a Windows MUA
    to test with, but I'm assuming it requires manual intervention (unzip the .zip,
    view the .htm) to trigger, so its spread may be limited.
    
    Google didn't turn up much, and Google Groups (searching for the sender) puts
    this mail in it.news.net-abuse and perl.modules since yesterday.  Looks like
    this one doesn't vary sender/subject/etc.  The complete mail is available at
    
      http://groups.google.com/groups?selm=B5K823L43FF13H63%40security.org&oe=csn_369103&output=gplain
    
    Regards,
    Mike
    -- 
    Michael J. Pomraning, CISSP
    Project Manager, Infrastructure
    SecurePipe, Inc. - Managed Internet Security
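A defender-side check for the carrier described in the post above (a .htm holding a base64-encoded MIME part that decodes to an executable). This is an added example, not code from the post or the list; the sample .htm and the "aaa.exe" bytes are constructed here, not taken from the real attachment, and the run length threshold and header lookup are assumptions.

```python
import base64
import re

# Constructed sample input (not the real attachment): a readme.htm-style carrier
# with an "aaa.exe" MIME part whose base64 body decodes to an MZ (PE) header.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
_b64 = base64.b64encode(FAKE_EXE).decode()
SAMPLE_HTM = (
    "<html><body>Newsletter\n"
    'Content-Type: application/octet-stream; name="aaa.exe"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + "\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))  # MIME line wrap
    + "\n\n<script>/* loader script would sit here */</script></body></html>\n"
)

B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
NAME_HDR = re.compile(r'name="([^"]+)"', re.IGNORECASE)
MIN_RUN = 64  # assumed threshold; skips short base64-looking words like "Newsletter"

def find_embedded_executables(text):
    """Return [(mime_name, size)] for each base64 run that decodes to an MZ image."""
    hits, run, last_name = [], [], "<unnamed>"

    def flush():
        raw = "".join(run)
        run.clear()
        if len(raw) < MIN_RUN:
            return
        raw += "=" * (-len(raw) % 4)            # tolerate missing padding
        try:
            blob = base64.b64decode(raw, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            return
        if blob[:2] == b"MZ":                   # DOS/PE executable signature
            hits.append((last_name, len(blob)))

    for line in text.splitlines():
        s = line.strip()
        if s and B64_LINE.fullmatch(s):         # consecutive base64 lines form one run
            run.append(s)
            continue
        flush()
        m = NAME_HDR.search(line)               # remember the most recent MIME name=
        if m:
            last_name = m.group(1)
    flush()
    return hits

if __name__ == "__main__":
    for name, size in find_embedded_executables(SAMPLE_HTM):
        print(f"embedded executable: {name} ({size} bytes)")
```

The same scan applies to the .zip contents after extraction, and a hit is a reason to quarantine the message rather than rely on an AV signature that, as the post notes, may not exist yet.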
    
    This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:20:44 PDT