Moderator, this is follow-up to a not yet approved post -- the "ksp.exe" URL is now giving a 404 (as opposed to the 200 OK it gave as recently as 3 hours ago). Looks like the ISP, or site-operator, did the right thing. Good thing, as google group hits for "adminat_private" slowly climb.

Regards,
Mike

--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security

---------- Forwarded message ----------
Date: Sat, 26 Jul 2003 08:36:51 -0500 (CDT)
From: Michael J. Pomraning <mjpat_private>
To: incidentsat_private
Subject: email worm? Newsletter, aaa.exe, caraoke ksp.exe

Hello,

I last night got a spoofed email inviting me to open its .zip attachment, a .htm containing a base64-encoded file aaa.exe followed by an "Exploit-Codebase" (NAI's classification) javascript springload:

  sender:     adminat_private
  subject:    Newsletter
  attachment: readme.zip
              |
              +--> readme.htm --> { aaa.exe (MIME/b64) + "Exploit-CodeBase" }

Strings from aaa.exe suggest that it wants to fetch a fixed URL -- http://64.246.56.74/~caraoke/ksp.exe. This one, in turn, has Windows socket strings. I've not run either, and neither exe was identified by an up-to-date Sophos scanner. Is this a known backdoor, pr0n agent, or similar?

I don't have a windows MUA to test with, but I'm assuming it requires manual intervention (unzip the .zip, view the .htm) to trigger, so its spread may be limited.

Google didn't turn up much, and Google Groups (searching for the sender) puts this mail in it.news.net-abuse and perl.modules since yesterday. Looks like this one doesn't vary sender/subject/etc. The complete mail is available at

  http://groups.google.com/groups?selm=B5K823L43FF13H63%40security.org&oe=csn_369103&output=gplain

Regards,
Mike

--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
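The triage the post describes (unpack the .zip, find the base64-encoded executable inside the .htm, pull URLs out of it with `strings`) can be done offline without ever executing the attachment. The script below is an added example, not code from the original post or from SecurePipe; it builds its own constructed readme.zip/readme.htm in memory around a fake "MZ" stub (not the real aaa.exe) and uses a placeholder URL, so the only assumptions are that the attachment follows the zip → .htm → base64 layout the post sketches.

```python
"""Offline triage for a .zip -> .htm -> base64-encoded .exe attachment.

Added example, not part of the original mailing-list post.  The sample
zip below is constructed here; the embedded "executable" is a stub that
only carries the DOS 'MZ' header and a placeholder URL.
"""
import base64
import binascii
import io
import re
import zipfile

# Runs of base64 alphabet, allowing the CRLF wrapping MIME inserts every 76 chars.
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{64,}")
# Printable-ASCII URLs, the same thing `strings aaa.exe | grep http` would show.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def find_embedded_executables(html):
    """Decode every base64-looking run in an HTML body and keep those whose
    first two bytes are the DOS 'MZ' header of a Windows executable."""
    hits = []
    for match in B64_RUN.finditer(html):
        blob = re.sub(rb"\s+", b"", match.group(0))   # drop line wrapping
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue                                   # ordinary text, not base64
        if data.startswith(b"MZ"):
            hits.append(data)
    return hits


def extract_urls(data):
    """Sorted, de-duplicated URLs found in the raw bytes of a binary."""
    return sorted({u.decode("ascii") for u in URL_RE.findall(data)})


def triage_zip(zip_bytes):
    """Walk a .zip attachment in memory and report each .htm/.html member
    that carries an embedded executable: member name, decoded size,
    whether a <script> block is present, and URLs the binary contains."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".htm", ".html")):
                continue
            html = zf.read(name)
            for exe in find_embedded_executables(html):
                report.append({
                    "member": name,
                    "size": len(exe),
                    "has_script": b"<script" in html.lower(),
                    "urls": extract_urls(exe),
                })
    return report


# --- constructed sample: a stub standing in for aaa.exe (not the real file) ---
FAKE_EXE = (b"MZ" + b"\x90" * 62
            + b"This program cannot be run in DOS mode.\x00"
            + b"http://example.invalid/~sample/ksp.exe\x00"   # placeholder URL
            + b"\x00" * 40)
_b64 = base64.b64encode(FAKE_EXE)
_wrapped = b"\r\n".join(_b64[i:i + 76] for i in range(0, len(_b64), 76))
SAMPLE_HTM = (b"<html><body>Newsletter<script>/* loader omitted */</script>\r\n"
              b"<div>\r\n" + _wrapped + b"\r\n</div></body></html>")

_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("readme.htm", SAMPLE_HTM)
SAMPLE_ZIP = _buf.getvalue()

if __name__ == "__main__":
    for entry in triage_zip(SAMPLE_ZIP):
        print(entry)
```

Running it on a real attachment means reading the .zip bytes from disk instead of `SAMPLE_ZIP`; the decoded blob is never written out or executed, only pattern-matched, which is enough to recover the second-stage URL for blocking or for a takedown request like the one the post mentions.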
This archive was generated by hypermail 2b30 : Sun Jul 27 2003 - 11:20:44 PDT