-
March 30th, 2004, 04:19 PM
#1
New way to fool users into opening attachment. (Good Read)
One of my users got a weird email today.
PHP Code:
-----Original Message-----
From: 001850@smtp.hispeed.ch [mailto:001850@smtp.hispeed.ch]
Sent: March 29, 2004 9:18 AM
To: SDK@Antionline.com
Subject: Mail Delivery (failure SDK@Antionline.com)
If the message will not displayed automatically,
follow the link to read the delivered message.
Received message is available at:
www.antionline.com/inbox/SDK/read.php?sessionid-26405
When I look at the HTML code, I see stuff that is very scary. First, the email is opening an iframe like this one.
PHP Code:
<iframe src="cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re" width=0 height=0>
</iframe>
And then, the specific text http://www.antionline.com/inbox/cris...essionid-26405 is a hyperlink to cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re
After reading what CID was (See here for that info - M$ Knowledge Base 270922), I opened the link and the attachments in the email OPEN without a prompt asking if I want to open the attachment or not. It just. (Lucky for me, it was only a txt warning from my mailserver). The link was created as http://www.%DomaineName%/inbox/%User...essionid-26405
Basically, this virus was using an iframe to open itself automatically, and if this failed, you still have the hyperlink to fool the user into opening the attachment without warning.
Is this considered a security flaw? (The fact that I don't get a prompt asking if I want to open the program)
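A mail-gateway style check for the two tricks described in the post above (an iframe whose src is a cid: reference, and a link that displays a web address but points at a cid: part), as an added example that is not part of the original thread. The class name, function name and sample message are constructed for illustration.

```python
import email.policy, re
from html.parser import HTMLParser

class CidRefFinder(HTMLParser):
    """Collect cid: targets of iframes and of links whose visible text looks like a web URL."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src", "").lower().startswith("cid:"):
            self.findings.append(("cid-iframe", a["src"][4:]))  # loads the part with no click
        elif tag == "a" and a.get("href", "").lower().startswith("cid:"):
            self._href, self._text = a["href"][4:], ""
    def handle_data(self, data):
        self._text += data  # only read while a cid: link is open
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            if re.match(r"\s*(https?://|www\.)", self._text, re.I):
                self.findings.append(("disguised-link", self._href))
            self._href = None

def scan(raw: bytes):
    """Return (kind, content-id, type of referenced part, its filename) per cid: reference."""
    parts = list(email.message_from_bytes(raw, policy=email.policy.default).walk())
    by_cid = {str(p["Content-ID"]).strip(" <>"): (p.get_content_type(), p.get_filename())
              for p in parts if p["Content-ID"]}
    hits = []
    for html in (p.get_content() for p in parts if p.get_content_type() == "text/html"):
        finder = CidRefFinder()
        finder.feed(html)
        for kind, cid in finder.findings:
            # (None, None) means the reference points at no part of this message
            hits.append((kind, cid) + by_cid.get(cid, (None, None)))
    return hits

# Constructed sample message (not the mail quoted in the thread); attachment body left empty.
SAMPLE = b"""Content-Type: multipart/related; boundary="B"

--B
Content-Type: text/html

<iframe src="cid:part1@example.invalid" width=0 height=0></iframe>
<a href="cid:part1@example.invalid">www.example.invalid/inbox/user/read.php?sessionid-1</a>
--B
Content-Type: application/octet-stream; name="message.scr"
Content-ID: <part1@example.invalid>

--B--
"""
```

Calling `scan(SAMPLE)` reports both references together with the type and filename of the part they resolve to, which is what a filter would use to decide whether to quarantine the message.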
-
March 30th, 2004, 04:51 PM
#2
Junior Member
Seems like a Beagle or Netsky variation virus/worm.
The latest was discovered in Japan & China yesterday (Monday 29-3-04)
And was just detected here in Europe today.
It's a Netsky.Q
infected systems -
Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT
Windows XP
Using the MS vulnerability.
Run code of attacker's choice - http://www.microsoft.com/technet/sec.../MS01-020.mspx
(Originally posted: March 29, 2001
Updated: June 23, 2003 ) - So they have known about this vulnerability for some time
now, but still fail to update newer OS versions. But a new update has been made
available http://www.microsoft.com/windows/ie/...08/default.asp
The new Netsky.Q also seems to be attacking through Internet Explorer.
About the failure to warn when running, that is unknown so far,
or if it's just a local security failure.
-
March 30th, 2004, 04:59 PM
#3
-
March 30th, 2004, 05:01 PM
#4
Junior Member
Oh.., BTW...
Beagle.U is also rerunning..
Seems more like the symptoms you describe
But users might also receive empty mails, with a randomly generated greeting,
from your own contacts, or own links from your favorites,
so it might look as if it came from an "often visited" forum.
the exe file usually has this icon
http://i.tdconline.dk/pics/7/2/3/29327/140x105.jpg
if you run the exe/cid then it will execute MS-Hearts.
while running mshearts it sends notice to this webserver
(DO NOT GO THERE WITHOUT PROPER PROTECTION)
http://www.(-->Security-REMOVE-THIS<--)werde.de/5.php
And opens a port for the attacker to enter.
while the common user suspects this is an MS-Error.
---hmmm might not just concern this topic, just had to share it.
Those two might be the attackers on your system.
-
March 30th, 2004, 05:04 PM
#5
euh Nihil? If you have a rant, you should continue Gore Rant Thread! Not Mine! *snif* You'll get neg to suicidal until MsMittens do her dance to save the thread?
-
March 31st, 2004, 04:27 AM
#6
Member
Sounds like I-Worm.Snapper
Reference thread at DSLReports I-Worm.Snapper
-
March 31st, 2004, 02:55 PM
#7
Still, it's the first time I see a worm exploit the CID in Outlook. This is a very good way to fool users into opening an attachment!
-
April 7th, 2004, 01:01 PM
#8
Member
This seems like a very cunning ploy. As a matter of interest, what was the nature of the attachment that was referenced by the CID?
-
April 7th, 2004, 02:42 PM
#9
The attachment was a virus. (My mail server caught it and reported it to me)
-
April 7th, 2004, 04:51 PM
#10
Yes, I just helped out a friend who had an email almost identical. Turned out to be Netsky.P