[38930] in bugtraq


worm "postcard" e-mail issue

daemon@ATHENA.MIT.EDU (M. Perri)
Fri May 20 14:23:58 2005

Message-Id: <5.2.0.9.2.20050519123651.03060780@mail.icorp.net>
Date: Thu, 19 May 2005 12:38:21 -0500
To: bugtraq@securityfocus.com
From: "M. Perri" <icc-mysql@icorp.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: 8bit


Be advised there is a new worm spreading.  It says you have received a 
postcard with a link to click to see the postcard; however, the URL first 
goes to some DSL customer in Canada who has been compromised, and some sort of 
JavaScript is run on the local machine... not sure what it does....

Can anyone confirm what systems may be vulnerable to this attack?

Initial suspicious code which performs a redirect:

#telnet 68.146.201.132 8180

Trying 68.146.201.132...
Connected to S010600c09f51432d.cg.shawcable.net.
Escape character is '^]'.
GET /090/

HTTP/1.0 200

<-------html><head><s----cript language="javascript">
/*
 * Client-side sortable directory listing emitted by the "Small HTTP server"
 * named in the page footer below. As captured here it is soft-wrapped by the
 * mail client (Content-Type: format=flowed): every wrapped line ends in a space
 * and must be read as one continuous line. Read literally, a newline after
 * "return" would end the statement (ASI), so the breaks are not part of the code.
 *
 * Globals shared by the functions:
 *   k  column being sorted (0 Name, 1 Size, 2 Date) once O() has normalised it
 *   r  sort direction, 1 ascending / -1 descending
 *   c  number of listing rows
 *   n  array of row indices, sorted in place by O()
 *   u  number of links on the page that are not listing rows (9 on the page as
 *      served, 6 once O() has rewritten it with only the six header links)
 *   h  document.links
 * Each listing row is three consecutive links (name, size, date); row i's links
 * are h[3*i+6], h[3*i+7], h[3*i+8], which is why M() and O() use "*3+6".
 *
 * Nothing in this script navigates away from the page: the only navigation it
 * performs is rewriting the current document through document.open/write/close
 * in O(). NOTE(review): the labels L() derives from link text, fragments and
 * hrefs are concatenated into markup by F() and A() and handed to
 * document.write without any escaping.
 */
var k,r,c,n,u=9 ;var h=document.links;/* L(x): display label for link h[x] -- its text if any; else its "#" fragment without the leading "#"; else the tail of its href: "../" when the href is a prefix of the current URL or x is 0, otherwise the text after the last "#", or the last path segment (skipping a trailing "/"); else its pathname. The substring calls are bounded at index 200. */function L(x){if(h[x].text)return 
h[x].text;var z,s=h[x].hash;if(s && s!="#"){if(s.substring(0,1)=="#")return 
s.substring(1,200);return 
s;}s=h[x].href;if(s){if(location.href.indexOf(s)==0)return 
"../";if(!x)return "../";z=s.lastIndexOf("#");if(z>=0)return 
s.substring(z+1,200);z=s.lastIndexOf("/");if(z>=0){if(z>=(s.length-1))z=s.lastIndexOf("/",z-1);if(z>=0)return 
s.substring(z+1,200);}return s;}return h[x].pathname;}/* M(a,b): Array.sort comparator for two row indices. Compares the labels of the two rows' links in column k; for the Size column (k==1) "*=2" coerces both labels to numbers so sizes sort numerically (a non-numeric label becomes NaN and compares as equal), the other columns compare as strings. r flips the result for descending order. The k==4 branch appears unreachable from O(), which reduces k to 0..2 before sorting. */function M(a,b){var 
x,y;x=L(a*3+k+6);y=L(b*3+k+6);if(k==1 || k==4){x*=2;y*=2;}if(x>y)return 
r;if(x<y)return -r;return 0;};/* A(x,y): header cell for column x captioned y, with two javascript: links -- O(x) sorts ascending, O(x+3) descending. */function A(x,y){var z=x+3;return "<b><a 
href='javascript:O("+x+");'>"+y+" /&#92; </a> - <a 
href='javascript:O("+z+");'>&#92;/</a></b></td>";};/* S(): the tail "cript>" of a script tag, kept out of the string literals (see O's "<scr"+"ipt" and "</s") so the emitted text never contains a literal closing script tag that would end the enclosing <script> element while the page is being written. */function S(){return 
"cript>";}/* F(x,y): table cell whose link points at L(y), with L(x) appended as a fragment when x differs from y, and L(x) as the visible text. O() passes the row's name link as y, so the size and date cells link to the same entry. */function F(x,y){return "<td><a href='" + L(y) + ((y==x)?"":"#" + 
L(x)) + "'>" + L(x) + "</a></td>";};/* O(z): sort handler behind the header links, z in 0..5 -- column z mod 3, descending when z>=3. Derives the row count from document.links, sorts the row indices with M, then rebuilds the entire page as one string: a new <script> carrying this same code via Function.prototype.toString (with u=6, because the rewritten page has only the six header links), the header row and the sorted rows -- and replaces the document with document.open/write/close. "delete n" has no effect on the var-declared n in sloppy mode. */function O(z){var 
i,j,w,o;r=1;k=z;if(k>=3){r=-1;k-=3;}c=(document.links.length-u)/3; 
u=6;n=new Array(c);for(i=0;i<c;++i)n[i]=i;n.sort(M);o="<scr"+"ipt 
language=javascript>var k,r,c,n,u=6; var 
h=document.links;"+L.toString()+M.toString()+A.toString()+F.toString()+O.toString()+S.toString()+"\n</s";o+=S() 
+ "<table border=0 width=100% bgcolor=#f0f0ff><tr bgcolor=#aaaaff><td 
width=50%>"+A(0,"Name")+"<td 
width=15%>"+A(1,"Size")+"<td>"+A(2,"Date")+"</tr>";for(i=0;i<c;++i){j=n[i]*3+6;o+="<tr>" 
+ F(j,j) + F(j+1,j) + F(j+2,j) + 
"</tr>";};w=document;o+="</table><hr>";w.open();w.write(o);w.close();o="";delete 
n;}
</script></head><body><table border=0 width=100% bgcolor=#f0f0ff><tr 
bgcolor=#aaaaff><td width=50%><b><a href="javascript:O(0);">Name /\</a> - 
<a href="javascript:O(3);">\/</a></b></td><td><b><a 
href="javascript:O(1);">Size /\</a> - <a 
href="javascript:O(4);">\/</a></b></td><td><b><a 
href="javascript:O(2);">Date /\</a> - <a 
href="javascript:O(5);">\/</a></b></td></tr></table><hr><br><center><table 
width=500 height=60 border=1 cellspacing=0 cellpadding=1><tr vallign=top 
cellpadding=0 cellspacing=0><td height=4 bgcolor=#8030e0> <table width=494 
height=8 border=0 cellspacing=0 cellpadding=1><tr cellpadding=1 
cellspacing=0><td bgcolor=#5030a0 width=60 height=4><font size=0 
color=#ffffff class=f3>Unregistred</font></td><td bgcolor=#6030b0 width=60 
height=4><font size=0 color=#ffffff class=f3>copy</font></td><td 
bgcolor=#7030c0 width=60 height=4 align=right><font size=0 color=#ffffff 
class=f3>of <b>Small</b></font></td><td bgcolor=#8030d0 height=4><font 
size=0 color=#ffffff class=f3><b>HTTP server</b></font></td><td 
bgcolor=#9030e0 width=60 height=4><font size=0 
class=f3>&nbsp;</font></td><td bgcolor=#a030f0 width=60 height=4><font 
size=0 class=f3>&nbsp;</font></td><td bgcolor=#b030ff width=60 
height=4><font size=0 class=f3>&nbsp;</font></td><td bgcolor=#c0c0c0 
width=12 height=4><a href=http://srv.mf.inc.ru/news.htm><font size=0 
color=#00c0f0 class=f3><b>/\\</b></font></a></td>ать 
рекламу</font></b></a></td></tr></table></center><br>Connection closed by 
foreign host.

