[9795] in bugtraq
Spam with trojan horse installed
daemon@ATHENA.MIT.EDU (Ansar Mohammed)
Fri Feb 26 11:41:43 1999
Date: Fri, 26 Feb 1999 09:30:04 -0500
Reply-To: Ansar Mohammed <amohammed@CARIB-LINK.NET>
From: Ansar Mohammed <amohammed@CARIB-LINK.NET>
To: BUGTRAQ@NETSPACE.ORG
Some idiot sent out the following e-mail a couple days ago:
Goodmorning.
02/23/99
We at mail.yahoo.com are pleased to release this cute little game which promises to captive and mesmerize you for hours on end.
Lots of dedication went into the production of this compact little PC entertainer. Simply download the file "Yahoo.exe", double-click and let the fun begin.
Brandon.
Assistant Director Yahoo Inc.
_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com
// Yahoo.exe is actually the NetBus 2.0 server designed to install without the user knowing anything.
// The following registry entries were embedded within the exe.
REGEDIT4
[HKEY_CLASSES_ROOT\.dl_]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Rundll32"="rundll2.dl_"
[HKEY_LOCAL_MACHINE\Software\Net Solutions]
[HKEY_LOCAL_MACHINE\Software\Net Solutions\NetBus Server]
[HKEY_LOCAL_MACHINE\Software\Net Solutions\NetBus Server\General]
"Accept"="1"
"TCPPort"="20043"
"Visibility"="3"
"AccessMode"="2"
[HKEY_LOCAL_MACHINE\Software\Net Solutions\NetBus Server\Protection]
"Password"="$\".-("
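An added example, not part of the original post: a Python check that reads a REGEDIT4 export and flags the pattern in the entries above, a Run value whose file extension has been mapped to "exefile" under HKEY_CLASSES_ROOT, plus any NetBus Server settings key. The function names, the list of standard executable extensions and the "SystemTray" line in the sample are assumptions made for the example.

```python
import re

# Constructed sample: entries quoted in the post plus one benign Run value (SystemTray).
SAMPLE = r'''REGEDIT4
[HKEY_CLASSES_ROOT\.dl_]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Rundll32"="rundll2.dl_"
"SystemTray"="SysTray.Exe"
[HKEY_LOCAL_MACHINE\Software\Net Solutions\NetBus Server\General]
"Accept"="1"
"TCPPort"="20043"
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NETBUS_KEY = r"hkey_local_machine\software\net solutions\netbus server"
STANDARD_EXEC = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}  # assumed baseline
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # string values only; backslash escapes in the data are undone
                current[m.group(1).strip('"')] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_indicators(keys):
    """Flag Run values started through a remapped extension, and NetBus Server keys."""
    hijacked = {k.rsplit("\\", 1)[1] for k, v in keys.items()
                if k.startswith("hkey_classes_root\\.") and k.count("\\") == 1
                and v.get("@", "").lower() == "exefile"} - STANDARD_EXEC
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        # Simplification: the Run data is treated as a bare file name without arguments.
        ext = "." + data.lower().rsplit(".", 1)[-1] if "." in data else ""
        if ext in hijacked:
            findings.append(("run-via-remapped-extension", name, data))
    for k, v in keys.items():
        if k.startswith(NETBUS_KEY):
            findings.append(("netbus-server-key", k, v.get("TCPPort", "")))
    return findings
```

Calling `find_indicators(parse_reg(SAMPLE))` returns the "Rundll32" Run value and the NetBus Server key with its configured port, and leaves the ordinary `.Exe` entry alone.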