
Thread: Contrary to what your email says, Osama hasn't been captured..

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Contrary to what your email says, Osama hasn't been captured..

    Damn virus writers. This is going to fill my email box for days as schmucks open this in hopes of hearing about it first hand that Osama has been captured.

    Source: Internet.com

    Those "Osama Bin Laden Captured" e-mails hammering your in-box today will attempt to download a Trojan if the embedded URL is clicked, anti-virus experts warned Friday.

    Glendale, Calif.-based Panda Software said the URL embedded in the e-mail directs users to what appears to be an advertising page before exploiting a known security vulnerability in Microsoft's Internet Explorer (IE) browser to download the trojan.

    The fake news item, purporting to come from CNN or the BBC and promising photographs and video of Bin Laden's capture, first appeared on instant messaging networks earlier this month. According to security analysts, it is yet another use of social engineering tactics by spammers to direct traffic to Web sites.

    The "Osama Bin Laden Captured" hoax includes the following message text:

    "Hey, Just got this from CNN, Osama Bin Laden has been captured! Go to the link below to view the pics and to download the video if you so wish: (Internet address) "Murderous coward he is." God bless America!"

    If the link is activated via IE, the browser auto-executes a file called "EXPLOIT.EXE" and downloads an executable trojan, identified as "Trj/Small.B."

    The "Small.B" trojan opens ports on an infected machine and can be used to hijack PCs for use as spam zombies. The trojan has the ability to listen on the open port for instructions and redirects traffic to other IP addresses.

    "Spammers and hackers can take advantage of compromised systems by using the infected computer as a middleman, allowing them to pass information through it and remain anonymous," according to information provided by McAfee Security.

    A spokesperson for anti-virus firm Sophos told internetnews.com the malicious trojan will only affect users using an unpatched IE browser. Microsoft has issued cumulative patches for the IE browser to plug known vulnerabilities. The latest updates for Internet Explorer are available here.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Happy Happy, Joy Joy..

    Now to start searching to see which ports it opens and to cross my fingers that they aren't random. If anyone stumbles across the information, I'd greatly appreciate it if you fired it my way. With all the idiot students in res, I know they're going to be getting it and forwarding it.

    *cries and hides under the desk*

    Peace,
    HT

  3. #3
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    I just checked all my emails....plenty of spam but no Osama. I'll get back to you as soon as I catch one.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ahhhhh...... And I just told my users a month ago that there was no attachment they _can't_ click on safely..... Most of my machines autoupdate from the SUS server.... But some don't yet.... another pain in the place I hate pains..... <sigh>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    HT:

    Once on the user's machine, the Trojan opens a random port and sends the port information to a remote Web server. It then listens on that port for instructions. The Trojan can be used for sending spam, according to McAfee Security, a unit of Network Associates Inc., in Santa Clara, Calif.

    http://www.eweek.com/article2/0,1759,1572632,00.asp

    BTW the trojan isn't placed using an attachment but rather is downloaded and run using a vuln in IE when they click on the link. If your patches are up to date on all the users' machines you should be OK.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Originally posted here by Tedob1
    HT:

    Once on the user's machine, the Trojan opens a random port and sends the port information to a remote Web server. It then listens on that port for instructions. The Trojan can be used for sending spam, according to McAfee Security, a unit of Network Associates Inc., in Santa Clara, Calif.

    http://www.eweek.com/article2/0,1759,1572632,00.asp

    BTW the trojan isn't placed using an attachment but rather is downloaded and run using a vuln in IE. If your patches are up to date on all the users' machines you should be OK.
    Damnit, thanks Tedob1... guess I won't be scanning to identify that one, thankfully the college's firewall and NAT should be enough to keep everyone out, just have to worry about malicious students inside the network.

    Peace,
    HT
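
Because the listening port is random, a scan for one fixed port will not identify an infected machine, but comparing a host's current listeners against a known-good capture will. The following is an added example, not part of the thread: it diffs two `netstat -ano` captures, and every address, port and PID in the sample data is constructed.

```python
"""Added example: find TCP listeners that were not present in a baseline capture."""

# Constructed `netstat -ano` captures (not from the thread); all values are made up.
BASELINE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1042      203.0.113.9:80         ESTABLISHED     1720
"""

CURRENT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31874          0.0.0.0:0              LISTENING       2316
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1043      203.0.113.9:80         ESTABLISHED     1720
"""


def listeners(netstat_text):
    """Return {(local_addr, port): pid} for every TCP socket in LISTENING state."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expect: Proto, Local Address, Foreign Address, State, PID
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")  # rpartition copes with [::]:135
        if not (port.isdigit() and fields[4].isdigit()):
            continue
        found[(addr, int(port))] = int(fields[4])
    return found


def new_listeners(baseline_text, current_text):
    """Return sorted (addr, port, pid) tuples that listen now but not in the baseline."""
    before = listeners(baseline_text)
    after = listeners(current_text)
    return sorted((a, p, pid) for (a, p), pid in after.items() if (a, p) not in before)


if __name__ == "__main__":
    for addr, port, pid in new_listeners(BASELINE, CURRENT):
        print(f"new listener {addr}:{port} owned by PID {pid}")
```

The PID column is what ties an unexpected listener back to a process on the host for follow-up.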

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Got one....

    It contains the following text:-

    Just got this from CNN Osama Bin Laden has just been captured! A video and some pictures have been released. Goto the link below for pictures, I will update the page with the video as soon as I can:
    http://XXX.XX.XXX.54/pics/ God Bless America!
    Interestingly enough something along this "nasty's" travels stripped away the HTML leaving only the text which was handy since the lady receiving it had the preview pane open and since she "belongs" to a sister company I am unsure of their patch level.

    I blanked out the IP address because it is still live so I really don't want the skiddies getting themselves a copy of the trojan itself.... PM me if you want the address and if I think you are a fine upstanding young man, or a really cute gal, I'll forward you the IP.... Don't be offended if I politely refuse your request.... I'm a suspicious old fart...... Be offended if the reply contains only "Bwahahahahahahahaha"......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
