FYI

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:VirusEye@;messagelabs.com]
Sent: Tuesday, November 12, 2002 16:45
To: VirusEye Subscriber
Subject: WARNING: Computer hackers mass-mailing trojans

12 Nov 2002

*Computer hackers mass-mailing trojans*

MessageLabs is currently intercepting hackers who are mass-mailing trojans to unsuspecting users. The spread of this new threat suggests that infected machines could potentially be used in some kind of large-scale coordinated Internet hacking activity.

The details of the trojan are as follows:

Trojan name: Maz
Aliases: W32/Maz.A, Downloader-BO
Number of copies seen so far: 280
Time & Date first captured: 10 Nov 2002, 14:58 GMT
Origin of first intercepted copy: UK
Number of countries seen active: 32

Top five most active countries:
United States   60.7%
Canada           9.3%
Korea (South)    5.0%
Great Britain    3.2%
Mexico           2.1%

*Technical Details*

The Maz trojan connects to a URL, which has since been closed down, to register the location of the machine which has been compromised. It then proceeds to download a further component. Currently, this additional component is a backdoor Trojan (Backdoor-AML), but this may readily change if the website is updated or changed. Amongst other things, Backdoor-AML allows the remote hacker to use the compromised machine as an SMTP relay using TCP port 4668, from which further attacks may be launched.

By analysing the pattern of IP addresses from which MessageLabs have intercepted this Trojan to date, it is likely that the hacker is compromising PCs and then using these machines to send more copies of the Trojan. It is possible that the hacker may also be using open-relay mail servers. It appears that the hacker, or group of hackers, is trying to amass a virtual army of trojans to perform some kind of coordinated hacking activity in the future.

*Behaviour*

In the copies of e-mails that we have stopped, the mail created seems to have been generated from a poorly configured Ratware mailer. It seems as though the replaceable parameters have not been replaced. For example:

Subject: mail (space) (space)
Text: (space) Hello! (space) check (space) out (space) (space), the best (space) FREE (space) site! (space)
Message ID: (variable number) (space)
MessageNumber: (variable number) (space)
Attachment: masteraz.exe

The e-mail utilises the well-documented Microsoft MS01-020 vulnerability to automatically execute the attachment on un-patched systems. In copies that we have intercepted, it appears to have a website download component, and contains several encoded URLs XORed with 0x4D, for example:

(link to website removed)/country/get.pl
(link to website removed)/counter.c

NB: counter.c is actually a backdoor program, which it downloads.

*Comment*

SkepticT detected this trojan heuristically. No MessageLabs customers were affected.

------
Archives: http://www.swynk.com/sitesearch/search.asp
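The advisory notes that the dropper stores its download URLs XORed with the single byte 0x4D. The following triage helper, added here as an example and not code from MessageLabs or the original post, builds a constructed byte blob that mimics that layout (the hostnames are placeholders, since the real sites were removed from the advisory) and then brute-forces every single-byte key to recover URL-like strings, so it generalises from the 0x4D case to any single-byte XOR obfuscation an analyst might meet in a sample.

```python
import re

# Constructed sample only: placeholder URLs standing in for the ones the
# advisory redacted ("(link to website removed)/country/get.pl" etc.).
_PLAINTEXT_URLS = [
    b"http://example.invalid/country/get.pl",
    b"http://example.invalid/counter.c",
]

# Printable-ASCII run starting with a scheme; good enough for triage.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def build_sample_blob(key: int = 0x4D) -> bytes:
    """Emulate a dropper body: filler, then each URL (NUL-terminated) XORed
    with key, separated by unencoded padding. Constructed for this example."""
    blob = b"MZ\x90\x00" + b"\x00" * 16
    for url in _PLAINTEXT_URLS:
        blob += xor_bytes(url + b"\x00", key) + b"\x00" * 8
    return blob + b"\xff" * 16


def find_xor_urls(blob: bytes, keys=range(256)):
    """Try every single-byte key (0 catches plaintext) and return a list of
    (key, url) pairs in the order they appear in the decoded buffer."""
    hits = []
    for key in keys:
        decoded = xor_bytes(blob, key)
        for match in URL_RE.finditer(decoded):
            hits.append((key, match.group().decode("ascii")))
    return hits


if __name__ == "__main__":
    for key, url in find_xor_urls(build_sample_blob()):
        print(f"key=0x{key:02X}  {url}")
```

Running the scan on a real sample is the same call with the file's bytes in place of `build_sample_blob()`; a key that yields several well-formed URLs is the one worth reporting.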
