Yes, MessageLabs reported on this on Friday; it appears to be the reverse proxy trojan that Symantec describes as Migmaf. Other vendors describe it differently.

Gaby

-----Original Message-----
From: Michael J. Pomraning [mailto:mjpat_private]
Sent: Saturday, July 26, 2003 9:37 AM
To: incidentsat_private
Subject: email worm? Newsletter, aaa.exe, caraoke ksp.exe

Hello,

Last night I got a spoofed email inviting me to open its .zip attachment, a .htm containing a base64-encoded file aaa.exe followed by an "Exploit-Codebase" (NAI's classification) javascript springload:

sender: adminat_private
subject: Newsletter
attachment: readme.zip
               |
               +--> readme.htm --> { aaa.exe (MIME/b64) + "Exploit-CodeBase" }

Strings from aaa.exe suggest that it wants to fetch a fixed URL -- http://64.246.56.74/~caraoke/ksp.exe. This one, in turn, has Windows socket strings. I've not run either, and neither exe was identified by an up-to-date Sophos scanner.

Is this a known backdoor, pr0n agent, or similar? I don't have a Windows MUA to test with, but I'm assuming it requires manual intervention (unzip the .zip, view the .htm) to trigger, so its spread may be limited.

Google didn't turn up much, and Google Groups (searching for the sender) puts this mail in it.news.net-abuse and perl.modules since yesterday. Looks like this one doesn't vary sender/subject/etc. The complete mail is available at

http://groups.google.com/groups?selm=B5K823L43FF13H63%40security.org&oe=csn_369103&output=gplain

Regards,
Mike
--
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
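Added example, not part of the original thread: a defender-side triage check in Python for the readme.htm pattern described in the mail (an executable shipped as a base64 blob inside an HTML attachment). It decodes every MIME-style base64 run, keeps only blobs with a valid MZ/PE header, and lists the URLs visible in them, the way the strings check in the mail surfaced the download location; the sample HTML and the 203.0.113.10 URL inside it are constructed placeholders, not the real attachment.

```python
import base64
import binascii
import re
import struct
import textwrap

# Base64 runs (MIME lines split by single newlines) and printable URL strings inside a decoded blob.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}(?:\r?\n[A-Za-z0-9+/]{16,})*(?:\r?\n[A-Za-z0-9+/]{1,15})?={0,2}")
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")

def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ stub whose e_lfanew points at a PE\\0\\0 signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_embedded_executables(html: str) -> list:
    """Decode each large base64 run in html; report those that are PE files plus any URLs inside."""
    hits = []
    for m in B64_RUN.finditer(html):
        text = re.sub(r"\s+", "", m.group(0))
        if len(text) < 64:          # too short to be a binary; skips ordinary words
            continue
        text += "=" * (-len(text) % 4)  # re-pad in case the run was clipped
        try:
            blob = base64.b64decode(text, validate=True)
        except binascii.Error:
            continue
        if looks_like_pe(blob):
            urls = sorted({u.decode("ascii") for u in URL_RE.findall(blob)})
            hits.append({"offset": m.start(), "size": len(blob), "urls": urls})
    return hits

def constructed_sample() -> str:
    """Constructed stand-in for readme.htm: a harmless fake PE blob and a non-executable blob, both MIME-encoded."""
    e_lfanew = 0x80
    fake_pe = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
               + b"\0" * (e_lfanew - 0x40) + b"PE\0\0" + b"\0" * 20
               + b"http://203.0.113.10/~example/ksp.exe\0"  # placeholder, not the real URL
               + b"WSAStartup\0ws2_32.dll\0" + b"\0" * 40)
    exe_b64 = textwrap.fill(base64.b64encode(fake_pe).decode("ascii"), 76)
    gif_b64 = textwrap.fill(base64.b64encode(b"GIF89a" + b"\0" * 120).decode("ascii"), 76)
    return ("<html><body>Newsletter<br>\n"
            "Content-Type: image/gif\nContent-Transfer-Encoding: base64\n\n" + gif_b64 + "\n\n"
            "Content-Type: application/octet-stream; name=aaa.exe\n"
            "Content-Transfer-Encoding: base64\n\n" + exe_b64 + "\n</body></html>\n")

if __name__ == "__main__":
    print(find_embedded_executables(constructed_sample()))
```

Run against a real saved attachment, the URL list is what to hand to the proxy and firewall teams for blocking and log searches; the GIF blob in the sample shows that non-executable base64 content is ignored.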
This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 10:17:44 PDT