New way to foul users in opening attachement. (Good Read)
Results 1 to 10 of 10

Thread: New way to foul users in opening attachement. (Good Read)

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    New way to foul users in opening attachement. (Good Read)

    One of my users got a weird email today.

    PHP Code:
    -----Original Message-----
    From: [email]001850@smtp.hispeed.ch[/email] [mailto:001850@smtp.hispeed.ch
    SentMarch 292004 9:18 AM
    To
    : [email]SDK@Antionline.com[/email]
    SubjectMail Delivery (failure [email]SDK@Antionline.com[/email])

    If 
    the message will not displayed automatically,
    follow the link to read the delivered message.

    Received message is available at:
    [
    url]www.antionline.com/inbox/SDK/read.php?sessionid-26405[/url
    When I look the html code, I see stuff that is very scary. First, the email is opening a iframe like this one.
    PHP Code:
    <iframe src="cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re" width=0 height=0>
    &
    lt;/iframe&gt
    And then, the specific text http://www.antionline.com/inbox/cris...essionid-26405 is a hyperlink to cid:031401Mfdab4$3f3dL780$73387018@57W81fa70Re

    After reading that CID was (See here for that info - M$ Knowledbe Base 270922), I open the link and the attachments in the email OPEN without prompt if I want to open the attachment or not. It just. (Lucky for me, it was only a txt warning from my mailserver). The link was created http://www.%DomaineName%/inbox/%User...essionid-26405

    Basically, this virus was using an iframe to open himself automatically and if this failed, you still have the hyperlink to fool user in opening attachment without warning.

    Is this consider a security flaws? (The fact that I don't get a prompt if I want to open the program)
    -Simon \"SDK\"

  2. #2
    Junior Member
    Join Date
    Mar 2004
    Posts
    6
    Seems like a Beagle or Netsky varialtion virus/worm.

    The latest discovered in japan & china yesterday(monday 29-3-04)
    And is just detected here in Europe today.
    Its a Netsky.Q

    infected systems -
    Windows 2000
    Windows 95
    Windows 98
    Windows Me
    Windows NT
    Windows XP

    Using the MS vulnerability.
    Run code of attacker's choice - http://www.microsoft.com/technet/sec.../MS01-020.mspx

    (Originally posted: March 29, 2001
    Updated: June 23, 2003 ) - So they have been knowing about this vulnerability for some time
    now, but stil fails to update newer OS versions. But a new Update has been made
    availible http://www.microsoft.com/windows/ie/...08/default.asp

    The new netsky.q seems to also being attacing through Internet explore.

    About failure to warn when running, is unknown so far.
    or if its just a local security failure.

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178


    No..................your Swiss bank manager wanted to know if you could switch money to my scumaccount

    You cannot.............it is full..........of drug money and Nazi war loot?.................I dislike them intensely, would never buy anything .ch and will continue not to do so.........smarmy $$%^%^&s

    It is the old problem of "internationality" of crime?...........you only need one shower of lying cheating scum?

    Thankfully, Uncle Sam is powerfull enough to scare them into surrendering all data.............they should be made to account for all that they have..............or die!!...anything unaccounted for might be "donated" to UNICEF?

    Go on......neg me......then I will see the hypocrites here?

    "Swiss Banker"

    I have other words?

    No appologies, I stand by that..........errrrr where do you think these 9/11 terrorists handle their money?????????????????

    My personal opinion
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Junior Member
    Join Date
    Mar 2004
    Posts
    6
    Oh.., BTW...

    Beagle.U is also rerunnning..
    Seems more of the symptoms you describe

    But users might also resive empty mails, with a randomgenerated greeting,
    from your own contacts, or own links from your favorites,
    so i might look as it came from a "often visited" forum.

    the exe file usually have this icon
    http://i.tdconline.dk/pics/7/2/3/29327/140x105.jpg

    if you run the exe/cid then it will execute MS-Hearts.
    while running mshearts it sends notice to this webserver
    (DO NOT GO THERE WITHOUT PROPER PROTECTION
    http://www.(-->Security-REMOVE-THIS<--)werde.de/5.php

    And open a port for the attacker to enter.
    while the common users supects this as an MS-Error.

    ---hmmm might not just consern this topic, just had to share it.

    Those to might be the attackers on your system.

  5. #5
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    euh Nihil? If you have a rant, you should continue Gore Rant Thread! Not Mine! *snif* You'll get neg to suicidal until MsMittens do her dance to save the thread?
    -Simon \"SDK\"

  6. #6
    Member
    Join Date
    Feb 2004
    Posts
    30
    Sounds like I-Worm.Snapper

    Reference thread at DSLReports I-Worm.Snapper

  7. #7
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Still, it's the first time I see a worm exploit the CID in Outlook. This is very good way to fool user in opening attachement!
    -Simon \"SDK\"

  8. #8
    Member
    Join Date
    Sep 2001
    Posts
    37
    This seems like a very cunning ploy. As a matter of interest, what was the nature of the attachment that was referenced by the CID?

  9. #9
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    The attachment was a virus. (My mail server catch it and report it to me)
    -Simon \"SDK\"

  10. #10
    Member
    Join Date
    Apr 2003
    Posts
    95
    Yes I just helped out a friend who had an email almost identical, Turned out to be netsky.P

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides