March 30th, 2004, 03:19 PM
New way to foul users in opening attachement. (Good Read)
One of my users got a weird email today.
When I look the html code, I see stuff that is very scary. First, the email is opening a iframe like this one.
From: [email]email@example.com[/email] [mailto:firstname.lastname@example.org]
Sent: March 29, 2004 9:18 AM
Subject: Mail Delivery (failure [email]SDK@Antionline.com[/email])
If the message will not displayed automatically,
follow the link to read the delivered message.
Received message is available at:
And then, the specific text http://www.antionline.com/inbox/cris...essionid-26405 is a hyperlink to cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re
<iframe src="cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re" width=0 height=0>
After reading that CID was (See here for that info - M$ Knowledbe Base 270922), I open the link and the attachments in the email OPEN without prompt if I want to open the attachment or not. It just. (Lucky for me, it was only a txt warning from my mailserver). The link was created http://www.%DomaineName%/inbox/%User...essionid-26405
Basically, this virus was using an iframe to open himself automatically and if this failed, you still have the hyperlink to fool user in opening attachment without warning.
Is this consider a security flaws? (The fact that I don't get a prompt if I want to open the program)
March 30th, 2004, 03:51 PM
Seems like a Beagle or Netsky varialtion virus/worm.
The latest discovered in japan & china yesterday(monday 29-3-04)
And is just detected here in Europe today.
Its a Netsky.Q
infected systems -
Using the MS vulnerability.
Run code of attacker's choice - http://www.microsoft.com/technet/sec.../MS01-020.mspx
(Originally posted: March 29, 2001
Updated: June 23, 2003 ) - So they have been knowing about this vulnerability for some time
now, but stil fails to update newer OS versions. But a new Update has been made
The new netsky.q seems to also being attacing through Internet explore.
About failure to warn when running, is unknown so far.
or if its just a local security failure.
March 30th, 2004, 03:59 PM
March 30th, 2004, 04:01 PM
Beagle.U is also rerunnning..
Seems more of the symptoms you describe
But users might also resive empty mails, with a randomgenerated greeting,
from your own contacts, or own links from your favorites,
so i might look as it came from a "often visited" forum.
the exe file usually have this icon
if you run the exe/cid then it will execute MS-Hearts.
while running mshearts it sends notice to this webserver
(DO NOT GO THERE WITHOUT PROPER PROTECTION
And open a port for the attacker to enter.
while the common users supects this as an MS-Error.
---hmmm might not just consern this topic, just had to share it.
Those to might be the attackers on your system.
March 30th, 2004, 04:04 PM
euh Nihil? If you have a rant, you should continue Gore Rant Thread! Not Mine! *snif* You'll get neg to suicidal until MsMittens do her dance to save the thread?
March 31st, 2004, 03:27 AM
Sounds like I-Worm.Snapper
Reference thread at DSLReports I-Worm.Snapper
March 31st, 2004, 01:55 PM
Still, it's the first time I see a worm exploit the CID in Outlook. This is very good way to fool user in opening attachement!
April 7th, 2004, 01:01 PM
This seems like a very cunning ploy. As a matter of interest, what was the nature of the attachment that was referenced by the CID?
April 7th, 2004, 02:42 PM
The attachment was a virus. (My mail server catch it and report it to me)
April 7th, 2004, 04:51 PM
Yes I just helped out a friend who had an email almost identical, Turned out to be netsky.P