RE: email worm? Newsletter, aaa.exe, caraoke ksp.exe

From: Dowling, Gabrielle (dowlinggat_private)
Date: Sun Jul 27 2003 - 21:27:58 PDT


    Yes, MessageLabs reported on this on Friday; it appears to be the
    reverse proxy trojan that Symantec describes as Migmaf. Other vendors
    describe it differently.
    
    Gaby
    
    -----Original Message-----
    From: Michael J. Pomraning [mailto:mjpat_private] 
    Sent: Saturday, July 26, 2003 9:37 AM
    To: incidentsat_private
    Subject: email worm? Newsletter, aaa.exe, caraoke ksp.exe
    
    
    Hello,
    
    Last night I got a spoofed email inviting me to open its .zip
    attachment, a .htm containing a base64-encoded file aaa.exe followed by
    an "Exploit-Codebase" (NAI's classification) javascript springload:
    
      sender: adminat_private
      subject: Newsletter
      attachment: readme.zip
                  |
                  +--> readme.htm --> { aaa.exe (MIME/b64) + "Exploit-CodeBase" }
    
    Strings from aaa.exe suggest that it wants to fetch a fixed URL --
    http://64.246.56.74/~caraoke/ksp.exe.  This one, in turn, has Windows
    socket strings.  I've not run either, and neither exe was identified by
    an up-to-date Sophos scanner.
    
    Is this a known backdoor, pr0n agent, or similar?  I don't have a
    windows MUA to test with, but I'm assuming it requires manual
    intervention (unzip the .zip, view the .htm) to trigger, so its spread
    may be limited.
    
    Google didn't turn up much, and Google Groups (searching for the sender)
    puts this mail in it.news.net-abuse and perl.modules since yesterday.
    Looks like this one doesn't vary sender/subject/etc.  The complete mail
    is available at
    
    http://groups.google.com/groups?selm=B5K823L43FF13H63%40security.org&oe=csn_369103&output=gplain
    
    Regards,
    Mike
    -- 
    Michael J. Pomraning, CISSP
    Project Manager, Infrastructure
    SecurePipe, Inc. - Managed Internet Security
    
    
    
    
    **********************************************************************
    This e-mail is sent by a law firm and contains information
    that may be privileged and confidential. If you are not the 
    intended recipient, please delete the e-mail and notify us 
    immediately. 
    ***********************************************************************
    
    
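The triage Mike describes above (unzip, inspect the .htm for an embedded base64 executable and a CodeBase object reference, then run strings over the decoded exe looking for a download URL and Winsock imports) is easy to script so it can be run over quarantined attachments without executing anything. The following is an added example written for this archive page, not code from either poster; the sample .htm, the fake MZ stub, the `example.invalid` URL and the `clsid:PLACEHOLDER` value are all constructed stand-ins, and the Winsock name list is a heuristic chosen here.

```python
"""Static triage of an HTML attachment carrying a base64-encoded executable.

Nothing here executes the payload: the script only decodes base64 groups,
checks for a DOS/PE 'MZ' header, looks for <object codebase=...> references
and pulls printable strings (URLs, Winsock API names) out of the decoded blob.
"""
import base64
import binascii
import re

# Constructed sample standing in for the readme.htm from the thread: a fake
# 'executable' (MZ header, DOS stub text, a placeholder URL and one Winsock
# import name) wrapped as a MIME base64 part next to a codebase= object tag.
FAKE_EXE = (
    b"MZ" + b"\x90" * 62
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + b"http://example.invalid/~placeholder/ksp.exe\x00"   # placeholder, not the real URL
    + b"WSAStartup\x00"
)
SAMPLE_HTM = (
    "<html><body>\n"
    '<object classid="clsid:PLACEHOLDER" codebase="aaa.exe"></object>\n'
    'Content-Type: application/octet-stream; name="aaa.exe"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(FAKE_EXE).decode("ascii") + "\n"
    "</body></html>\n"
)

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
CODEBASE_ATTR = re.compile(r'codebase\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Heuristic: names that indicate the binary links against Windows sockets.
WINSOCK_MARKERS = ("WSAStartup", "ws2_32", "wsock32", "WSASocket")


def find_codebase_refs(text):
    """Return every codebase= target in the HTML (the CodeBase exploit pattern)."""
    return CODEBASE_ATTR.findall(text)


def find_embedded_executables(text):
    """Group consecutive base64-only lines, decode each group and keep the
    ones that decode to something starting with an 'MZ' header."""
    executables, group = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last group
        stripped = line.strip()
        if B64_LINE.match(stripped) and len(stripped) >= 16:
            group.append(stripped)
            continue
        if group:
            try:
                blob = base64.b64decode("".join(group), validate=True)
            except (binascii.Error, ValueError):
                blob = b""
            if blob.startswith(b"MZ"):
                executables.append(blob)
            group = []
    return executables


def extract_strings(data, min_len=6):
    """Printable-ASCII runs, the same thing the Unix strings(1) tool reports."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def triage(htm_text):
    """Summarise what an analyst would want to know before deciding on escalation."""
    blobs = find_embedded_executables(htm_text)
    strings = [s for blob in blobs for s in extract_strings(blob)]
    return {
        "codebase_refs": find_codebase_refs(htm_text),
        "embedded_executables": len(blobs),
        "urls": [s for s in strings if re.match(r"https?://", s)],
        "winsock_api": any(marker in s for s in strings for marker in WINSOCK_MARKERS),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTM).items():
        print(f"{key}: {value}")
```

Feed it the text of the .htm pulled out of the .zip (decompressed, not opened in a browser); a non-empty `codebase_refs` together with `embedded_executables > 0` is the signature of this delivery technique, and the recovered URL is what you would block at the proxy or search for in web logs to find hosts that were already hit.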
    



    This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 10:17:44 PDT