
Got it here this morning (in Australia)
It looked weird because it claimed to be from the admin of my own web site (& I am that admin :-)

So I carted the zip to an isolation PC & took a look at it. Seems it is a *.html page in the zip & when opened all you see is a black dot in the middle

But,

Then you can expect to see the network lights start flashing like crazy.

As far as I can tell it is a variation of the script kiddie mail accounts hack - it possibly sends mail out to everyone on an Exchange mail list.

Am not sure it is damaging, but it sure was packaged up in a way to get past more people's defences.

Cheers

Doug

(PS Isolation machine is a WinXP Home edition box with up-to-date security :-)
Edited by dmarker Aug. 7, 2003, 06:02:28 AM EDT
My team leader saw it yesterday.
The admin at one of our clients had a user who found it and they wanted to know what it was. Since we run a) FreeBSD on our desktops and b) a custom email client (it's our business - the client runs it too) he decided he'd be more than safe to look at it.

The "from your admin" bit is a new piece of social engineering. Fortunately, the user at our client simply called the admin guy up instead of opening it! :-) Wouldn't work for me either: I'm my own admin. And my colleague noted that ISPs personalise email to you, so it wouldn't masquerade as that very well, either.

Wade.

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.

I took a closer look at it - Microsoft will be miffed !!!

It searches through software on the infected PC looking for email strings (it seems it may even scan binaries but I am not completely sure).

Anyway, this isolation PC has no Exchange accounts, but the virus found a string of email addresses mostly to do with the software installed on the PC, & Microsoft was one of them.

It seems it then checks for an email server at that IP address & then constructs its message plus a copy of the virus.

I have no idea if it would have worked had we opened it with Netscape on the isolation machine (we have bothered to put Netscape on it).

Clever variation on the theme.
PS - seems it came from Russia.

Cheers

Doug
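The posts above describe a zip attachment that carried an HTML page and got past defences that only looked at the outer file. As an added example (not code from the thread or from any poster), here is a gateway-side check in Python that opens a zip attachment in memory and flags members that are HTML pages, by extension or by sniffing their content, so a renamed page is still caught; the extension list, content markers and sample archive are constructed for this example.

```python
import io
import zipfile

# Extensions and content markers that mean "this member is a browser page".
# Both lists are assumptions for this example, not taken from the thread.
HTML_EXTENSIONS = (".html", ".htm")
HTML_MARKERS = (b"<html", b"<script", b"<iframe", b"<object")


def inspect_zip_attachment(data: bytes, max_members: int = 200) -> list:
    """Return member names in a zip attachment that look like HTML pages.

    A corrupt archive, an archive with too many members, or an encrypted
    member is reported as a finding instead of raising, so a mail gateway
    can quarantine the message rather than crash on it.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<corrupt zip>"]
    flagged = []
    with zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            return ["<too many members>"]
        for info in infos:
            if info.is_dir():
                continue
            name = info.filename
            try:
                with zf.open(info) as member:
                    head = member.read(4096).lower()  # sniff only the start
            except RuntimeError:  # password-protected member: cannot inspect
                flagged.append(f"<encrypted member: {name}>")
                continue
            if name.lower().endswith(HTML_EXTENSIONS) or any(m in head for m in HTML_MARKERS):
                flagged.append(name)
    return flagged


def build_sample_zip() -> bytes:
    """Constructed sample archive: one HTML page, one text note, one renamed page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("your_details.html", "<html><body>.</body></html>")
        zf.writestr("notes.txt", "just text")
        zf.writestr("renamed.txt", "<HTML><script>/* sample */</script>")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample_zip()))
```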