Mailing List Archive: Full Disclosure: Full-Disclosure

(no subject)

 

 



kalleth at nildram

Aug 20, 2003, 8:55 PM

Post #26 of 180 (3645 views)
Re: (no subject)

What an illuminating message.

----- Original Message -----
From: "http-equiv [at] excite" <1 [at] malware>
To: <full-disclosure [at] lists>
Sent: Thursday, August 21, 2003 4:32 AM
Subject: [Full-Disclosure] (no subject)


>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>



nick at virus-l

Dec 5, 2003, 3:00 PM

Post #27 of 180 (3656 views)
Re: (no subject)

"http-equiv [at] excite" <1 [at] malware> wrote:

> Quite a nifty email scam:
>
> <a
> href="http://www.visa.com
> :Use
> rSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&Sta
> teLevel=GetFrom [at] 61/verified_by_visa.html">http://www.visa
> .com</a>
>
> Note the gap, shows only as visa.com in Outlook Express which takes
> you to visa's site and a rather awkward popup window where the data
> is supposed to be filled in.

Indeed -- this is a classic exploit of a classic case of several
_really, really BAD_ design decisions.

First, some genius (or committee thereof) decided that putting
"userinfo" data into URLs would be a good idea. This was decided
despite it generally being agreed -- as the URL RFC authors note _in
the RFC_ -- to be a bad thing from a security perspective...

Second, and perhaps the largest part of the problem was that the
specification for doing this was designed by people with _ABSOLUTELY
ZERO_ clue about user interfaces, as is shown by their decision to put
userinfo data in front of the target domain. Normally users will only
see URLs without userinfo data, so from a UI perspective it was really
bad design to have a "special case" (that would be rarely used and thus
rarely seen by users) "disturb" the expectation of the user (in
general, that is a recipe for problems). Worse is that the userinfo
data field has, by its nature, to allow for completely arbitrary data
(in terms of length and character set).

Third, and increasingly inexcusable, is that no client s/w (that I am
aware of) that deals with such URLs has _ANY_ kind of sanity checking
or user warning that "something unexpected" may be about to happen. I
would hazard that, because of the general agreement that specifying
userinfo data in URLs is a really bad thing, historically "most" URLs
that have had a userinfo part have had such for nefarious uses.
Thus, I'd suggest that it is time URL-handling routines stopped
handling userinfo data, at least without prompting the user, or better
still, by default be configured to not handle userinfo (which would
make userinfo handling a candidate for zone-by-zone enabling in IE
where, _at most_, it would only make sense to be enabled by default in
the Trusted Sites zone).


Regards,

Nick FitzGerald

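The userinfo trick Nick describes can be checked mechanically on the receiving side (a mail gateway or link checker). The following is an added example, not code from the thread: it uses Python's standard urllib, strips the whitespace "gap" before parsing, and works on a constructed href in which the documentation address 203.0.113.5 stands in for the scam's real drop host.

```python
"""Flag links whose userinfo part disguises the real host, as in the visa.com scam above.

Added example, not code from the list post. The hrefs below are constructed;
203.0.113.5 is a documentation address standing in for the scam's drop host.
"""
import re
from urllib.parse import urlsplit

# A mail client may render embedded line breaks/whitespace as the "gap" that
# hides everything after the brand name, so strip them before parsing.
_WS = re.compile(r"\s+")
# Userinfo that looks like a host name is the tell: the reader sees "www.visa.com",
# but the browser connects to whatever follows the '@'.
_HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def analyze_link(href, link_text=None):
    """Return the real host, the userinfo part and a verdict: 'ok', 'warn' or 'block'."""
    cleaned = _WS.sub("", href)
    parts = urlsplit(cleaned)
    real_host = (parts.hostname or "").lower()
    reasons = []
    spoof = False
    if parts.username is not None:
        # Nick's point: userinfo in an http URL is almost never legitimate, so at
        # least warn; a host-shaped user name is an outright impersonation attempt.
        reasons.append("userinfo present")
        if _HOSTLIKE.match(parts.username):
            reasons.append("userinfo looks like a host name: " + parts.username)
            spoof = True
    if cleaned != href:
        reasons.append("whitespace or line breaks embedded in URL")
    if link_text:
        # Compare what the reader sees (anchor text) with where the link really goes.
        shown = urlsplit(_WS.sub("", link_text))
        shown_host = (shown.hostname or shown.path).lower()
        if _HOSTLIKE.match(shown_host) and shown_host != real_host:
            reasons.append("link text host %s differs from real host %s" % (shown_host, real_host))
            spoof = True
    verdict = "block" if spoof else ("warn" if reasons else "ok")
    return {"real_host": real_host, "userinfo": parts.username,
            "reasons": reasons, "verdict": verdict}


# Constructed sample modelled on the scam link quoted in the thread, gap included.
SCAM_HREF = ("http://www.visa.com\n:UserSession=2f6q9uuu88312264&usersoption=SecurityUpdate"
             "@203.0.113.5/verified_by_visa.html")

if __name__ == "__main__":
    for href, text in [(SCAM_HREF, "http://www.visa.com"),
                       ("http://www.visa.com/", "http://www.visa.com"),
                       ("http://user:pw@example.com/", None)]:
        print(analyze_link(href, text))
```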


Valdis.Kletnieks at vt

Dec 5, 2003, 7:18 PM

Post #28 of 180 (3651 views)
Re: (no subject)

On Sat, 06 Dec 2003 11:00:35 +1300, Nick FitzGerald <nick [at] virus-l> said:

> First, some genius (or committee thereof) decided that putting
> "userinfo" data into URLs would be a good idea. This was decided
> despite it generally being agreed -- as the URL RFC authors note _in
> the RFC_ -- to be a bad thing from a security perspective...

I'm sure the guys at 61.252.126.191 don't give a flying fornicate in a rolling
donut about how it's a bad thing from a security perspective, seeing how the
PTR for that IP is somewhere in KRNIC.NET controlled space.

Or are we now holding scammers to a higher standard of security than the
actual site admins? :)


Valdis.Kletnieks at vt

Dec 5, 2003, 7:42 PM

Post #29 of 180 (3649 views)
Re: (no subject)

On Sat, 06 Dec 2003 11:00:35 +1300, Nick FitzGerald <nick [at] virus-l> said:

> Indeed -- this is a classic exploit of a classic case of several
> _really, really BAD_ design decisions.

Mea culpa. Ignore my previous posting.

I thought you were flaming the guys at visa.com, when most of the blame goes to
the crackheads who designed the HTTP URI format and the crackheads at MS who
implemented it. ;)


nick at virus-l

Dec 5, 2003, 9:47 PM

Post #30 of 180 (3651 views)
Re: (no subject)

Valdis.Kletnieks [at] vt wrote:

> Mea culpa. ...

You're welcome...

> ... Ignore my previous posting.

Thanks -- I wasn't quite sure where you were coming from with that!

> I thought you were flaming the guys at visa.com, when most of the blame goes to

Hmmmmm -- I have often been accused of being abstruse, but I didn't
think I was being so this time. It must be late Friday evening where
you are -- perhaps you should take a break from work (and reading all
these security lists) and do something to relax... 8-)

> the crackheads who designed the HTTP URI format ...

Yes, and ...

> ... and the crackheads at MS who
> implemented it. ;)

... more "...the crackheads at all web browser implementors..." (though
I did single MS/IE out for specific product design advice).


Regards,

Nick FitzGerald



Valdis.Kletnieks at vt

Dec 5, 2003, 11:15 PM

Post #31 of 180 (3667 views)
Re: (no subject)

On Sat, 06 Dec 2003 17:47:45 +1300, Nick FitzGerald <nick [at] virus-l> said:

> ... more "...the crackheads at all web browser implementors..." (though
> I did single MS/IE out for specific product design advice).

Well.. it's quite possible that the occasional Mozilla or Opera developer did a
rock or two - I've certainly seen my share of Mozilla wonkiness (its idea of
completion in the location bar certainly had a few rocks behind it :)

But the concept that you could implement multi-level security zones *and*
Javascript with its current security model - now THAT must have taken a rock
the size of the Houston Astrodome.... ;)


aditya.deshmukh at online

Feb 7, 2004, 1:22 AM

Post #32 of 180 (3676 views)
RE: (no subject)

May I know what exactly this is about? Has anyone ever crossed paths with this guy?
Looks like we did, but as he was invisible we never knew it. But now it seems that he wanted you to know that he crossed our paths: guy, become visible and everyone will know when you cross our paths.

Remain invisible and no one will know that you crossed our paths. And about the morality bit: that's the real world, get used to it.

> -----Original Message-----
> From: full-disclosure-admin [at] lists
> [mailto:full-disclosure-admin [at] lists]On Behalf Of
> auto33661 [at] hush
> Sent: Saturday, February 07, 2004 7:31 AM
> To: full-disclosure [at] lists
> Subject: [Full-Disclosure] (no subject)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> To those who are in love, that know the same desire. We are more than
> they
> can imagine. Relentless focus. Absence of morality. Transcendence from
> opression. Obsession. Freedom through hacking, freedom through thought.
> Elite.
>
> No interest in your network, no care for you or your business. To travel
> through time and space untouched, invisible; this is my desire and my
> destiny.
>
> I know you are out there, and I know the path you walk. I write this
> with
> great emotion. One day our paths may cross, and they may have crossed
> before.
> I know you understand.
>
> There are many doors into this world. You must find them yourself.
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.3
>
> wkYEARECAAYFAkAkRuAACgkQBIJ5HpfLdlY2EgCfe4tWQ+M6TjeJHyfs1tV0mg8Mj/IA
> oLbP3tI/CeQmJBSQH8uW2C4inI9r
> =3NjD
> -----END PGP SIGNATURE-----




dotslash at snosoft

Feb 7, 2004, 12:07 PM

Post #33 of 180 (3660 views)
Re: (no subject)

Valdis.Kletnieks [at] vt wrote:
> On Sat, 07 Feb 2004 11:05:38 EST, KF <dotslash [at] snosoft> said:
>
>>Use a friggin subject line fools!
>
>
> OK.. I'll bite. What subject line do you recommend for pointless
mail? ;)

I could care less... so long as it is something relating to the email
that is being sent. When you have 3 people posting (no subject)
conversations talking about different things, it's obviously hard to follow.

Searching my inbox as an example, I have one that was from
1[at]malware.com that perhaps should have been titled "Quite a nifty email
scam", some weird poem from auto33661[at]hush.ai that could have been
titled "To those who are in love", and one from jkuperus[at]planet.nl that
could be "Minor IE System Info Disclosure".

It's really NOT that big of a deal... certainly didn't think it required
much discussion. Just a pet peeve in regards to following threads.

/end of conversation - no need for more unnecessary traffic.
-KF





madsaxon at direcway

Feb 11, 2004, 3:54 PM

Post #34 of 180 (3650 views)
Re: (no subject)

At 04:18 PM 2/11/2004 -0600, roberta bragg wrote:

>300-1,000 words. Essays longer than 1,000 words will not be read.
>
>Oh yeah -- we'll also pay you $50 for your efforts.

$50 for 1,000 words. You must be kidding.

m5x



cheekypeople at sec33

Feb 11, 2004, 4:11 PM

Post #35 of 180 (3665 views)
Re: (no subject)

childish if you ask me...
----- Original Message -----
From: "roberta bragg" <freouwebbe [at] msn>
To: <full-disclosure [at] lists>
Sent: Wednesday, February 11, 2004 10:18 PM
Subject: [Full-Disclosure] (no subject)


>
> Here's an opportunity to be heard by a number of security interested
> people, many of whom don't subscribe to this list:
>
> Posted on behalf of Keith Ward:
>
> "Attention all Redmond haters! I'd like to issue a challenge to
> readers of this mailing list. I'm the editor of Security Watch, a
> newsletter produced by 101communications,
> http://www.mcpmag.com/newsletter/. Security Watch contains, among
> other items, a weekly commentary by Roberta Bragg. For the upcoming
> edition on Monday, I'd like you folks to tell me why you believe
> Microsoft just doesn't "get it" when it comes to security. Make
> your best pitch, giving specifics on a product or technology that
> you think is deserving of scorn; "Microsoft sucks, Bill Gates
> sucks, Steve Ballmer sucks" won't make the cut. Make your arguments
> sound, your reasoning solid. Please keep your submission between
> 300-1,000 words. Essays longer than 1,000 words will not be read.
>
> The following Wednesday, Roberta will give her own answer to the
> issue or issues you raise in a special edition of Security Watch.
>
> Oh yeah -- we'll also pay you $50 for your efforts.
>
> This isn't a Microsoft marketing ploy; neither my company nor I has any
> financial relationship with Microsoft. We're an independent media company,
> and my sole purpose in this is to generate healthy debate that will
> hopefully enlighten our readers.
>
> This is your chance to have more than 54,000 subscribers read your
> opinions. Tell them what you really think!
>
> Please submit your piece to me at keith.ward [at] mcpmag, and
> Roberta at roberta.bragg [at] mcpmag. Make sure both of us are
> recipients. And please do NOT send the essay as an attachment --
> put it in the body of the e-mail. Also remember to let us know who
> you are, where you are and how to get hold of you, including a
> daytime phone number. If we can't contact you, we can't run your
> letter. Put "Security Watch Essay" in the Subject line, to make
> sure I don't delete it as spam.
>
> By submitting your comments, you give 101communications permission to
> publish them in Security Watch, along with your name.
>
> Thanks!
>
> Keith
>
> Keith Ward
> Editor, Security Watch"




SkyLined at edup

Feb 11, 2004, 4:24 PM

Post #36 of 180 (3659 views)
Re: (no subject)

Yeah, and no subject, again...

PS. Sorry for the noize ppl.



vogt at hansenet

Feb 13, 2004, 9:27 AM

Post #37 of 180 (3653 views)
Re: (no subject)

> It's surprising how much flack my post is generating. If you have good
> change control management in place, you lessen the likelihood of some
> pissed off admin planting time bombs in your system. There is no 100%
> solution to clearing off an admin from an enterprise, but having scripts
> change passwords across the enterprise is a whole lot easier than
> having all of the admins running around changing passwords when the CTO
> calls someone in the office for "The Talk."

Good procedure, good solution. Except that you didn't mention it in your
original mail, which only explained "The Button". Not hard to see how us
readers without the telepathy upgrade couldn't know about the procedure
behind it. :)


Tom



measl at mfn

Jul 25, 2004, 11:41 AM

Post #38 of 180 (3649 views)
Re: (no subject)

On Sun, 25 Jul 2004 adam [at] huntrecruiting wrote:

> Hello all,
>
> I just had a site cracked by some script-kiddy going by RedX.
>
> the little squirt was just being pesky by cracking the passwd for a simple
> store admin and plastering "Hacked by redX" in the php forms, not a real hack,
> and he uploaded a file with some stupid logo he made with MS Paint. What a
> waste of time; there was no real hack involved and no access to any important
> info.
>
> just wondering if anybody else has encountered this nobody?
>
> Adam

You'll likely have better luck on the incidents mailing list at
securityfocus.

--
Yours,

J.A. Terranson
sysadmin [at] mfn
0xBD4A95BF

"...justice is a duty towards those whom you love and those whom you do
not. And people's rights will not be harmed if the opponent speaks out
about them." Osama Bin Laden
- - -

"There aught to be limits to freedom!" George Bush
- - -

Which one scares you more?



vxdude2003 at yahoo

Jul 25, 2004, 3:37 PM

Post #39 of 180 (3661 views)
Re: (no subject)

If I may inquire, why would you care about such a
nobody? Are you insulted that a "real" hacker didn't
find your site worthy? It's just a website, why are
you whining? The more you guys whine, the more they
think what they do matters.

-redX



syke at mantissecurity

Jul 25, 2004, 9:09 PM

Post #40 of 180 (3657 views)
Re: (no subject)

Who gives a shit? Go search for him on Zone-H.org.



xillwillx at yahoo

Jul 26, 2004, 3:22 PM

Post #41 of 180 (3659 views)
Re: (no subject)

stop crying and learn how to patch your shit.
why email a whole list over some bullshit, you're just
making yourself look incompetent.




ghamblin at gmail

Jul 27, 2004, 8:56 AM

Post #42 of 180 (3655 views)
Re: (no subject)

It doesn't seem to me that Adam said or did anything in asking his
question that should provoke such rude and condescending
responses. It was after all a pretty simple question. I think unless
you have something constructive to say you ought just ignore a
post instead of acting like you've somehow been offended.

Just my .02

Glenn




jgrotegut at directpointe

Aug 9, 2004, 12:03 PM

Post #43 of 180 (3654 views)
RE: (no subject)

(In regards to new_price.zip file attachment)

Anyone have any idea what this is? We had some clients just get hit pretty
hard with this email. I am unable to find anything on it; from my VERY
limited knowledge it appears to be a virus exploiting one of the many
holes in IE. Anyone else see anything on this yet?

Jonathan Grotegut



shartmann at fujifilmesys

Aug 9, 2004, 12:31 PM

Post #44 of 180 (3651 views)
RE: (no subject)

http://isc.sans.org/

http://www.virustotal.com/xhtml/index_en.html





toddtowles at brookshires

Aug 9, 2004, 12:32 PM

Post #45 of 180 (3651 views)
RE: (no subject)

I am seeing a lot of them too. Just had a call from my e-mail people. I have
one that is new_price.zip (5KB)

There appears to be some people on FD that are infected and we are getting a
lot on my end.



jgrotegut at directpointe

Aug 9, 2004, 12:32 PM

Post #46 of 180 (3656 views)
RE: (no subject)

Todd,

Thanks for the reply; it appears to be a new Bagle variant.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AC

Jonathan Grotegut





Corey.Hart at synopsys

Aug 9, 2004, 12:38 PM

Post #47 of 180 (3743 views)
RE: (no subject)

From incidents.org. It appears to be a new W32/Bagel variant.

Updated August 9th 2004 18:59 UTC (Handler: Jason Lam)
* New Bagle (?) Variant Spreading

(PRELIMINARY)

We received a number of reports about a new virus. Based on a quick string
analysis, we assume that this will be classified as a new member of the
'Bagle' family. Like prior versions, it includes a lengthy list of URLs.
Infected systems will likely attempt to contact these URLs.

All samples received so far arrive without subject. Attachment names are
price2.zip, new__price.zip, 08_price.zip, and likely others. The text reads
'price' or 'new price'.

According to handler Tom Liston, the virus installs itself as
C:\WINDOWS\System32\WINdirect.exe and runs from
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win_upd2.exe

Mitigation

Temporarily quarantine or reject all ZIP attachments until AV vendors
release signatures. You may also want to monitor or block access to the URLs
listed below. Some AV programs do already identify this new version as
malware using generic signatures.

AV Summary (from http://www.virustotal.com)


BitDefender 7.0/20040809 found [JS.Dword.dropper]
ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
F-Prot 3.15/20040809 found nothing
Kaspersky 4.0.2.23/20040809 found nothing
McAfee 4383/20040804 found [JS/IllWill]
NOD32v2 1.835/20040806 found [Win32/IE.Dword unknown infection type (Exploit)]
Norman 5.70.10/20040806 found [W32/Malware]
Panda 7.02.00/20040809 found [Fichero Sospechoso]
Sybari 7.5.1314/20040809 found [JScript/IE.VM.Exploit]
Symantec 8.0/20040808 found nothing
TrendMicro 7.000/20040804 found nothing


List of URLs (and respective IPs)

Note: From past experience, only a small number of these sites are
compromised (if any at all) to update the virus. Most of the sites serve as
decoys. However, virus-infected systems will access these sites, and if you,
for example, use a web proxy, you may be able to find infected systems.

We do not know if any of these sites are used to update the code, or if they
are just used to collect information about infected systems.



http://terramail.pl/2.jpg
http://silesianet.pl/2.jpg
http://www.iluminati.kicks-ass.net/2.jpg
http://www.dilver.ru/2.jpg
http://www.yarcity.ru/2.jpg
http://www.scli.ru/2.jpg
http://www.elemental.ru/2.jpg
http://diablo.homelinux.com/2.jpg
http://www.interrybflot.ru/2.jpg
http://www.webpark.pl/2.jpg
http://www.rafani.cz/2.jpg
http://gutemine.wu-wien.ac.at/2.jpg
http://przeglad-tygodnik.pl/2.jpg
http://przeglad-tygodnik.pl/2.jpg
http://pb195.slupsk.sdi.tpnet.pl/2.jpg
http://www.ciachoo.pl/2.jpg
http://cavalierland.5u.com/2.jpg
http://www.nefkom.net/2.jpg
http://rausis.latnet.lv/2.jpg
http://www.hgr.de/2.jpg
http://www.airnav.com/2.jpg
http://www.astoria-stuttgart.de/2.jpg
http://ultimate-best-hgh.0my.net/2.jpg
http://wynnsjammer.proboards18.com/2.jpg
http://www.jewishgen.org/2.jpg
http://www.hack-gegen-rechts.com/2.jpg
http://host.wallstreetcity.com/2.jpg
http://quotes.barchart.com/2.jpg
http://www.aannemers-nederland.nl/2.jpg
http://www.sjgreatdeals.com/2.jpg
http://financial.washingtonpost.com/2.jpg
http://www.biratnagarmun.org.np/2.jpg
http://hsr.zhp.org.pl/2.jpg
http://traveldeals.sidestep.com/2.jpg
http://www.hbz-nrw.de/2.jpg
http://www.ifa-guide.co.uk/2.jpg
http://www.inversorlatino.com/2.jpg
http://www.zhp.gdynia.pl/2.jpg
http://host.businessweek.com/2.jpg
http://packages.debian.or.jp/2.jpg
http://www.math.kobe-u.ac.jp/2.jpg
http://www.k2kapital.com/2.jpg
http://www.tanzen-in-sh.de/2.jpg
http://www.wapf.com/2.jpg
http://www.hgrstrailer.com/2.jpg
http://www.forbes.com/2.jpg
http://www.oshweb.com/2.jpg
http://www.rumbgeo.ru/2.jpg
http://www.dicto.ru/2.jpg
http://www.busheron.ru/2.jpg
http://www.omnicom.ru/2.jpg
http://www.teleline.ru/2.jpg
http://www.dynex.ru/2.jpg
http://www.gamma.vyborg.ru/2.jpg
http://nominal.kaliningrad.ru/2.jpg
http://www.baltmatours.com/2.jpg
http://www.interfoodtd.ru/2.jpg
http://www.baltnet.ru/2.jpg
http://www.neprifan.ru/2.jpg
http://photo.gornet.ru/2.jpg
http://www.aktor.ru/2.jpg
http://catalog.zelnet.ru/2.jpg
http://www.sdsauto.ru/2.jpg
http://www.gradinter.ru/2.jpg
http://www.avant.ru/2.jpg
http://www.porsa.ru/2.jpg
http://www.taom-clan.de/2.jpg
http://www.perfectjewel.com/2.jpg
http://www.vrack.net/2.jpg
http://www.netradar.com/2.jpg
http://www.pgipearls.com/2.jpg
http://www.vconsole.net/2.jpg
http://www.ccbootcamp.com/2.jpg
http://host23.ipowerweb.com/2.jpg
http://www.timelessimages.com/2.jpg
http://www.peterstar.ru/2.jpg
http://www.5100.ru/2.jpg
http://www.gin.ru/2.jpg
http://www.rweb.ru/2.jpg
http://www.metacenter.ru/2.jpg
http://www.biysk.ru/2.jpg
http://www.free-time.ru/2.jpg
http://www.rastt.ru/2.jpg
http://www.chelny.ru/2.jpg
http://www.chat4adult.com/2.jpg
http://www.landofcash.net/2.jpg
http://relay.great.ru/2.jpg
http://www.kefaloniaresorts.com/2.jpg
http://www.epski.gr/2.jpg
http://www.myrtoscorp.com/2.jpg
http://www.aphel.de/2.jpg
http://www.intellect.lvc/2.jpg
http://www.abcdesign.ru/2.jpg

ASNs

680 | 139.6.57.1 | DFN-IP service G-WiN
680 | 141.44.21.8 | DFN-IP service G-WiN
680 | 141.45.186.7 | DFN-IP service G-WiN
680 | 193.30.112.108 | DFN-IP service G-WiN
702 | 194.172.67.203 | AS702 MCI EMEA - Commercial IP
702 | 194.175.222.203 | AS702 MCI EMEA - Commercial IP
1241 | 62.1.1.88 | FORTHNET-GR FORTHnet
1776 | 137.208.3.39 | Wirtschaftsuniversitaet Wien
2118 | 193.124.133.146 | RELCOM-AS RELCOM Autonomous Sy
2118 | 194.135.19.36 | RELCOM-AS RELCOM Autonomous Sy
2588 | 159.148.108.6 | LATNET
2828 | 207.155.252.18 | XOXO XO Communications
2854 | 193.232.88.155 | ROSPRINT-AS RoSprint AS (Globa
2907 | 133.30.64.174 | ERX-SINET-AS National Center f
3209 | 82.82.222.142 | Arcor IP-Network
3216 | 194.154.72.16 | SOVAM-AS Golden Telecom, Mosco
3216 | 194.186.45.233 | SOVAM-AS Golden Telecom, Mosco
3320 | 80.140.195.108 | Deutsche Telekom AG
3320 | 80.142.224.214 | Deutsche Telekom AG
3320 | 80.150.6.138 | Deutsche Telekom AG
3356 | 62.67.235.172 | LEVEL3 Level 3 Communications
3491 | 205.177.28.149 | CAIS CAIS Internet
3561 | 64.14.68.249 | CWU Cable & Wireless USA
4264 | 63.240.4.179 | CERFN California Education and
4436 | 69.22.176.213 | NLAYE nLayer Communications, I
4613 | 202.52.244.4 | MOS-NP Mercantile Office Syste
5616 | 193.192.163.30 | SATNET ASN
5617 | 195.116.39.25 | TPNET Polish Telecom's commerc
5617 | 195.117.150.132 | TPNET Polish Telecom's commerc
5617 | 213.25.234.195 | TPNET Polish Telecom's commerc
5617 | 217.97.186.5 | TPNET Polish Telecom's commerc
5617 | 80.53.119.186 | TPNET Polish Telecom's commerc
6405 | 64.156.241.160 | AI American Information Networ
6690 | 195.131.87.88 | WEBplus Ltd.
6714 | 217.197.68.34 | ATOMNET ATOM SA
6724 | 192.67.198.52 | STRATO Strato AG
6724 | 81.169.145.90 | STRATO Strato AG
6731 | 82.204.131.6 | COMSTAR-AS COMSTAR Telecommuni
6850 | 212.119.181.130 | METROCOM-AS JSC "METROCOM"
6855 | 212.5.219.3 | SK SLOVAK TELECOM, AS6855
6939 | 64.62.155.238 | HURC Hurricane Electric
7018 | 12.129.211.123 | ATTW AT&T WorldNet Services
7201 | 66.54.130.236 | TELESC-7 Telescan, Inc.
7332 | 204.180.42.17 | IQUEST IQuest Internet
7880 | 198.137.221.35 | NEURAL-5 Neural Applications
8001 | 207.99.96.49 | NAC-53 Net Access Corporation
8001 | 216.118.85.172 | NAC-53 Net Access Corporation
8246 | 217.153.166.2 | INTERNET-TECHNOLOGIES-POLSKA-A
8263 | 195.16.118.130 | PORTAL Portal Autonomous Syste
8342 | 195.161.113.7 | RTCOMM-AS RTComm.RU Autonomous
8342 | 217.107.222.118 | RTCOMM-AS RTComm.RU Autonomous
8342 | 81.176.64.92 | RTCOMM-AS RTComm.RU Autonomous
8359 | 62.118.251.84 | MTUONLINE MTU-Intel Moscow reg
8395 | 195.170.45.1 | EAST-AS East Telecom ISP Auton
8402 | 195.14.47.9 | CORBINA-AS Corbina telecom
8402 | 62.205.161.217 | CORBINA-AS Corbina telecom
8515 | 195.42.160.19 | DATAFORCE-AS DataForce
8560 | 195.20.225.29 | SCHLUND-AS Schlund + Partner A
8560 | 212.227.127.212 | SCHLUND-AS Schlund + Partner A
8560 | 82.165.32.146 | SCHLUND-AS Schlund + Partner A
8888 | 212.22.88.39 | COMTAT-AS Comtat Inc. Autonomo
8905 | 212.34.32.4 | SITEK-AS Sitek Global Network
9072 | 212.204.66.1 | AS9072 NEFkom Telekommunikatio
10316 | 216.55.177.49 | ABAC Abacus America Inc.
10843 | 216.117.185.182 | AIT-9 Advanced Internet Techno
11766 | 216.23.217.130 | AISV Alpha Internet Services,
12312 | 217.195.36.50 | TISCALI-DE Tiscali Business Gm
12314 | 212.42.38.194 | ROPNET-AS RopNet Autonomous Sy
12741 | 81.210.1.135 | INTERNETIA-AS Netia Commercial
12827 | 212.77.101.149 | WIRTUALNAPOLSKA Wirtualna Pols
12846 | 212.94.102.68 | AltaiTelecom Autonomous System
12990 | 213.180.128.160 | ONET-PL-AS1 Onet.pl portal net
13095 | 213.150.64.6 | CTK-NET-AS SeverTransCom Netwo
13237 | 217.71.171.55 | LAMBDANET-AS European Backbone
13237 | 81.209.148.231 | LAMBDANET-AS European Backbone
13749 | 207.44.240.78 | EVRY Everyones Internet, Inc.
13749 | 216.127.68.127 | EVRY Everyones Internet, Inc.
13749 | 216.40.226.29 | EVRY Everyones Internet, Inc.
13749 | 66.98.164.63 | EVRY Everyones Internet, Inc.
14744 | 63.251.163.112 | PNAP Internap Network Services
15031 | 216.138.240.196 | WIZN Wiznet Inc.
15276 | 64.89.234.34 | INTUIT-21 Intuitive Logic
15685 | 217.11.237.193 | AS15685 Casablanca INT Autonom
15726 | 217.14.162.3 | MARCANT-AS Marcant Internet Se
15756 | 217.23.157.183 | CARAVAN ISP "CARAVAN"
15756 | 62.213.67.190 | CARAVAN ISP "CARAVAN"
15833 | 62.233.237.195 | FUTURO-AS Futuro Poland Autono
15967 | 194.42.46.253 | NETART NetArt Autonomous Syste
16020 | 217.26.6.4 | TASCOM Tascom Autonomous Syste
16138 | 217.74.64.34 | INTERIAPL INTERIA.PL Autonomou
16676 | 208.169.221.37 | BARCHA Barchart.com, Inc.
16734 | 64.211.248.16 | SMARTB-8 Smartbasket.com
17054 | 216.146.237.140 | EXPEDI-6 e-xpedient
19024 | 64.74.96.249 | PNAP Internap Network Services
19422 | 200.58.141.81 | Movicom BellSouth
20519 | 217.168.64.50 | BALTNET BALTNET Autonomous Sys
20597 | 81.222.134.15 | ELTEL-AS ELTEL.net Autonomous
20712 | 81.187.187.15 | AS20712 Andrews + Arnold Ltd
20797 | 217.199.97.78 | IPASAULE-AS Interneta Pasaule
21123 | 193.109.91.133 | INCENTIAS INCENTI Autonomus Sy
21395 | 193.110.120.26 | TPI tp internet Sp. z o.o.
21480 | 80.250.64.62 | WBT-AS WestBalt Telecom networ
21844 | 69.93.35.242 | THEPL-1 THE PLANET
22653 | 66.154.18.166 | GLOBAL-369 Global Compass, Inc
22725 | 64.94.29.14 | NEWNET-1 New.net, Inc.
23343 | 66.234.224.13 | TRANSB-8 Transbeam Inc.
24587 | 194.246.114.46 | NL-IO Autonomous System for In
24626 | 81.18.138.2 | TTKNN-AS CJSC "TransTelecom-NN
24638 | 81.19.74.88 | RAMBLER-TELECOM-AS Rambler Tel
24930 | 81.31.7.83 | CECOM-AS CECOM Czech
25074 | 213.203.228.23 | INETBONE-AS INET-People Provid
25272 | 80.92.97.12 | SINSTELECOM-AS Autonomous Syst
25308 | 212.118.44.66 | CITYLAN-AS CityLanCom, ISP, Mo
26085 | 66.163.161.45 | YAOO Yahoo!
26201 | 208.185.127.160 | ABOUTC-1 About.com
26914 | 216.195.34.121 | GLOBA-10 Global Netoptex, Inc
29076 | 195.128.50.163 | HOSTER-RU-AS Hoster.RU autonom
29182 | 82.146.33.247 | ISPSYSTEM-AS ISPsystem Autonom
29314 | 82.139.8.2 | DAMINET-AS Telewizja Kablowa D
29339 | 195.137.212.24 | MBBG-AS Markus Bach Betriebs G
30968 | 195.208.235.68 | INFOBOX-AS Net of Alkor Ltd, h


------------
johannes ullrich, jullrich ..at.. sans.org


-----Original Message-----
From: full-disclosure-admin [at] lists
[mailto:full-disclosure-admin [at] lists] On Behalf Of Jonathan
Grotegut
Sent: Monday, August 09, 2004 2:04 PM
To: Full-disclosure
Subject: RE: [Full-Disclosure] (no subject)


(In regards to new_price.zip file attachment)

Anyone have any idea what this is? We had some clients just get hit pretty hard
with this email. I am unable to find anything on it; from my VERY limited
knowledge it appears to be a virus exploiting one of the many holes in IE.
Anyone else see anything on this yet?

Jonathan Grotegut

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


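The note above about finding infected systems through a web proxy can be turned into a log check. What follows is an added example, not code from the original post or from SANS/ISC. It parses Squid-native access log lines and reports every client that requested /2.jpg from one of the hosts in the list. The sample log lines, the client addresses (10.0.0.x) and the timestamps are constructed for illustration; the hostnames in KNOWN_HOSTS are taken from the list above. Since most of the listed sites are decoys, a 404 is still a beacon, so the status is reported rather than used as a filter. The names load_hosts, is_bagle_beacon and find_infected_clients are my own.

```python
"""
Added example (not part of the original post): flag proxy clients that
fetch "/2.jpg" from the download sites listed in the post.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A handful of the hostnames from the URL list in the post. A real run
# would feed the whole list through load_hosts() instead.
KNOWN_HOSTS = {
    "polobeer.de",
    "kooltokyo.ru",
    "www.forbes.com",
    "packages.debian.or.jp",
}

# Constructed sample in Squid native access.log format:
# time elapsed client action/code size method URL ident hierarchy/from type
# Client IPs and timestamps are made up; hostnames come from the post.
SAMPLE_LOG = """\
1092079312.123    245 10.0.0.17 TCP_MISS/404 412 GET http://polobeer.de/2.jpg - DIRECT/80.140.195.108 text/html
1092079313.456    180 10.0.0.17 TCP_MISS/404 412 GET http://kooltokyo.ru/2.jpg - DIRECT/194.186.45.233 text/html
1092079320.001    300 10.0.0.42 TCP_MISS/200 65321 GET http://www.forbes.com/ - DIRECT/64.14.68.249 text/html
1092079321.777    210 10.0.0.42 TCP_MISS/200 9812 GET http://www.forbes.com/2.jpg - DIRECT/64.14.68.249 image/jpeg
1092079330.900     95 10.0.0.99 TCP_HIT/200 5120 GET http://example.org/images/2.jpg - NONE/- image/jpeg
"""

# Only the fields we need: timestamp, client, action/status, method, URL.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def load_hosts(urls):
    """Reduce a list of URLs (one per line in the post) to a set of hostnames."""
    hosts = set()
    for u in urls:
        host = urlsplit(u.strip()).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_bagle_beacon(url, hosts=None):
    """True if URL requests /2.jpg at the root of a known host.

    With hosts=None any root-level /2.jpg fetch is flagged, which catches
    update hosts that were not in the published list at the cost of more
    false positives.
    """
    parts = urlsplit(url)
    if parts.path != "/2.jpg":
        return False
    host = (parts.hostname or "").lower()
    return hosts is None or host in hosts


def find_infected_clients(log_text, hosts=None):
    """Map each client IP to the (url, status) beacon requests it made."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue  # not a Squid-native line; skip rather than guess
        if is_bagle_beacon(m.group("url"), hosts):
            hits[m.group("client")].append((m.group("url"), m.group("status")))
    return dict(hits)


if __name__ == "__main__":
    for client, reqs in sorted(find_infected_clients(SAMPLE_LOG, KNOWN_HOSTS).items()):
        print(client)
        for url, status in reqs:
            print("   ", status, url)
```

Run against a real access.log by reading the file into log_text and passing load_hosts() the URL list from the post; the 10.0.0.99 line is deliberately not flagged because /images/2.jpg on an unrelated host is not the worm's root-level fetch.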

bernardo at hispasec

Aug 9, 2004, 12:43 PM

Post #48 of 180 (3661 views)
Re: (no subject) [In reply to]

> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is? We had some clients just get hit pretty
> hard with this email. I am unable to find anything on it; from my VERY
> limited knowledge it appears to be a virus exploiting one of the many
> holes in IE. Anyone else see anything on this yet?

http://www.incidents.org/diary.php?date=2004-08-09

Scan results (http://www.virustotal.com)
File: price.zip
Date: 08/09/2004 21:41:30
----
BitDefender 7.0/20040809 found [JS.Dword.dropper]
ClamWin devel-20040727/20040809 found [Trojan.JS.RunMe]
eTrustAV-Inoc 4641/20040728 found [JScript/IE.VM.Exploit]
F-Prot 3.15/20040809 found [HTML/ObjData [at] ex]
Kaspersky 4.0.2.23/20040809 found nothing
McAfee 4383/20040804 found [JS/IllWill]
NOD32v2 1.836/20040809 found [Win32/Bagle.AI]
Norman 5.70.10/20040806 found [W32/Malware]
Panda 7.02.00/20040809 found [Fichero Sospechoso]
Sybari 7.5.1314/20040809 found [JS/IllWill]
Symantec 8.0/20040809 found nothing
TrendMicro 7.000/20040809 found [HTML_BAGLE.AC]



michealespinola at gmail

Aug 9, 2004, 12:43 PM

Post #49 of 180 (3659 views)
Re: (no subject) [In reply to]

It's a new variant of the BAGLE worm. Most vendors don't have
definition files still.

On Mon, 9 Aug 2004 13:03:54 -0600, Jonathan Grotegut
<jgrotegut [at] directpointe> wrote:
> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is? We had some clients just get hit pretty
> hard with this email. I am unable to find anything on it; from my VERY
> limited knowledge it appears to be a virus exploiting one of the many
> holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
>


--
-Micheal



Bart.Lansing at kohls

Aug 9, 2004, 12:47 PM

Post #50 of 180 (3657 views)
RE: (no subject) [In reply to]

Discovery Date : 8/10/2004 (PHL)
Origin : USA
Description ( updated : 8/9/2004 11:03:26 AM )
There are reports now in the USA of a malware spreading via email. The
file, price.exe, is spread as a ZIP file, and is included in a supposedly
manually-spammed email.

This price.exe file is a downloader and attempts to download a file named
2.jpg from different sites. The sites are currently inaccessible at the
time of this writing.

Infected customers also report a file named as windll.exe running in the
system.

TrendLabs is still currently analyzing the files and will soon post a more
detailed analysis.

--------------------------------------------------------------------------------

EPS Deliverables

Pattern

OPR 953 for WORM_BAGLE.AC
- Pattern under QA Testing 8/9/2004 11:23:44 AM

Thank you,
Bart Lansing
Manager, Desktop Services
Kohl's IT
262-703-2911

full-disclosure-admin [at] lists wrote on 08/09/2004 02:03:54 PM:

> (In regards to new_price.zip file attachment)
>
> Anyone have any idea what this is? We had some clients just get hit pretty
> hard with this email. I am unable to find anything on it; from my VERY
> limited knowledge it appears to be a virus exploiting one of the many
> holes in IE. Anyone else see anything on this yet?
>
> Jonathan Grotegut
>

