New virus?
Spicer, Kevin
Kevin.Spicer at BMRB.CO.UK
Tue May 11 15:38:42 IST 2004
Rabellino Sergio wrote:
> Remco Barendse wrote:
>> This is the complete contents of the df file of the virus (I would
>> NOT open the url on a Winblows box!):
>>
>> <HTML><HEAD></HEAD><BODY bgColor=#ffffff><DIV><FONT face=Arial size=2><BR>
>> <A href="http://drs.yahoo.com/ecem.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/ecem.com/NEWS">http://drs.yahoo.com/ecem.com/NEWS</A></FONT></DIV></BODY></HTML>
Hmm, someone really doesn't want us to find out what they are up to!
Here's what I've found so far...
Any url at http://drs.yahoo.com/ followed by a * redirects to the site following the *
the bit after the # seems to be pointless
www.security-warning.com takes you to terra's website (Spanish ISP I think?)
The specific URL takes you to a page (presumably customer space) that redirects to a page called terra.com in the same directory. That in turn contains the following content, which is mostly javascript obfuscation... [by the way both pages contain hundreds of lines of whitespace]
<html><head><title>| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | </title>
<script language=javascript>
function stoperror() {
return true
}
window.onerror=stoperror;
self.moveTo(5000,5000);
self.blur();
var args='left=0,top=0,width='+screen.availWidth-60+',height='+screen.availHeight-60+',fullscreen=0,toolbar=1,location=1,directories=0,status=1,menubar=1,scrollbars=1,resizable=1';
window.open('http://www.danni.com/directors/dannicash?dcwid=100863&redirpg=www.danni.com/free/modelsdir.html','',args);
</script>
</head>
<body onFocus="window.blur();" onMouseOver="window.blur();">
<SCRIPT language=JavaScript>
function bcd(str) {
var result = "";
var i = 0;
var x;
var shiftreg = 0;
var count = -1;
for (i=0; i < str.length; i++) {
c = str.charAt(i);
if ('A' <= c && c <= 'Z')
x = str.charCodeAt(i) - 65;
else if ('a' <= c && c <= 'z')
x = str.charCodeAt(i) - 97 + 26;
else if ('0' <= c && c <= '9')
x = str.charCodeAt(i) - 48 + 52;
else if (c == '+')
x = 62;
else if (c == '/')
x = 63;
else
continue;
count++;
switch (count % 4)
{
case 0:
shiftreg = x;
continue;
case 1:
v = (shiftreg<<2) | (x >> 4);
shiftreg = x & 0x0F;
break;
case 2:
v = (shiftreg<<4) | (x >> 2);
shiftreg = x & 0x03;
break;
case 3:
v = (shiftreg<<6) | (x >> 0);
shiftreg = x & 0x00;
break;
}
result = result + String.fromCharCode(v);
}
s=result.toString();
};
</script>
<a target="_top" href="http://t.extreme-dm.com/?login=vrn123">
<img src="http://t1.extreme-dm.com/i.gif" height=1
border=0 width=1 alt=""></a><script language="javascript1.2"><!--
EXs=screen;EXw=EXs.width;navigator.appName!="Netscape"?
EXb=EXs.colorDepth:EXb=EXs.pixelDepth;bcd("PGlmcmFtZSB3aWR0aD0wIGhlaWdodD0wIHNyYz0iaHR0cDovL2NvdW50ZXIuc3Byb3MuY29tLzEvY291bnQuaHRtbCI+PC9pZnJhbWU+");document.writeln(s);//--></script><script language="javascript"><!--
EXd=document;EXw?"":EXw="na";EXb?"":EXb="na";
EXd.write("<img src=\"http://t0.extreme-dm.com",
"/c.g?tag=vrn123&j=y&srw="+EXw+"&srb="+EXb+"&",
"l="+escape(EXd.referrer)+"\" height=1 width=1>");//-->
</script><noscript><img height=1 width=1 alt=""
src="http://t0.extreme-dm.com/c.g?tag=vrn123&j=n"></noscript>
</body></html>
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
-------------------------- MailScanner list ----------------------
To leave, send leave mailscanner to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/ and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
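For anyone picking this apart offline, here is an added example (my own code, not from the post above or from the quoted page) that ports the page's bcd() routine to Node and pulls the real destination out of the drs.yahoo.com link; the names decodeBcd and realRedirectTarget are mine.

```javascript
// Added example (not from the post or from the page it quotes): an offline
// port of the page's bcd() decoder plus a helper for the drs.yahoo.com link.
// decodeBcd and realRedirectTarget are names chosen for this example.

// Port of bcd(): base64 decoding with no padding handling that silently skips
// any character outside A-Z a-z 0-9 + / (so whitespace and '=' are ignored).
function decodeBcd(str) {
  const alphabet =
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
  let result = '';
  let shiftreg = 0;   // leftover bits carried between 6-bit groups
  let count = -1;     // index of the current valid character
  for (const c of str) {
    const x = alphabet.indexOf(c);
    if (x < 0) continue;
    count++;
    switch (count % 4) {
      case 0: shiftreg = x; continue;                       // no byte yet
      case 1: result += String.fromCharCode((shiftreg << 2) | (x >> 4)); shiftreg = x & 0x0f; break;
      case 2: result += String.fromCharCode((shiftreg << 4) | (x >> 2)); shiftreg = x & 0x03; break;
      case 3: result += String.fromCharCode((shiftreg << 6) | x); shiftreg = 0; break;
    }
  }
  return result;
}

// drs.yahoo.com forwarded to whatever followed the '*'. The '#...' fragment is
// never sent to the server, so the trailing '#http://drs.yahoo.com/...' only
// makes the link appear to end at Yahoo when read by eye.
function realRedirectTarget(url) {
  const star = url.indexOf('*');
  if (star < 0) return null;
  const hash = url.indexOf('#', star);
  return hash < 0 ? url.slice(star + 1) : url.slice(star + 1, hash);
}

// Inputs copied from the quoted message; nothing here touches the network.
const LINK = 'http://drs.yahoo.com/ecem.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/ecem.com/NEWS';
const BLOB = 'PGlmcmFtZSB3aWR0aD0wIGhlaWdodD0wIHNyYz0iaHR0cDovL2NvdW50ZXIuc3Byb3MuY29tLzEvY291bnQuaHRtbCI+PC9pZnJhbWU+';

console.log('real target :', realRedirectTarget(LINK));
console.log('bcd() writes:', decodeBcd(BLOB));
```

The decoded string is exactly what document.writeln(s) injects into the page: a zero-size iframe pointing at a third-party counter, which is why the visible source never shows it.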