New virus?

Tal Kelrich tal at MUSICGENOME.COM
Tue May 11 15:50:20 IST 2004


On Tue, 11 May 2004 15:23:01 +0100
Julian Field <mailscanner at ECS.SOTON.AC.UK> wrote:

> The link points to here:
> http://drs.yahoo.com/ecem.com/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/ecem.com/NEWS
> which is all 1 URL. Not sure what the * does, but everything after the
> # is an anchor I guess.
>
> www.security-warning.biz/personal6/maljo24/www.YAHOO.com/
>
> points to a file containing this in the middle of it. I have removed
> the obvious junk, and am left with a bit of javascript code that says
> this:
>
> self.moveTo(5000,5000);
> parent.navigate('terra.html');
>
> which produces
> http://www.danni.com/directors/dannicash?dcwid=100863&redirpg=www.danni.com/free/modelsdir.html
>
> which reaches www.danni.com/free/modelsdir.html which is a pron site.
>

It also downloads and installs some friendly trojan (or downloader, I can't really check) via an IE exploit, which it gets via http://counter.spros.com/1/count.html (do not open with IE, fake useragent if needed)

--
Tal Kelrich
PGP fingerprint: 3EDF FCC5 60BB 4729 AB2F  CAE6 FEC1 9AAC 12B9 AA69
Key Available at: http://www.hasturkun.com/pub.txt
----
The 80's -- when you can't tell hairstyles from chemotherapy.
----

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
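
A check a mail filter could run on links shaped like the one quoted above, as an added example that is not part of the original message or of MailScanner. It does not assume anything about what `*` means to drs.yahoo.com: it looks for any further http(s) URL inside the path or query and treats the part after `#` separately. The names `analyse_link` and `SAMPLE` are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: the link quoted in the message, rejoined onto one line.
SAMPLE = ("http://drs.yahoo.com/ecem.com/NEWS/*http://www.security-warning.biz/"
          "personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/ecem.com/NEWS")

_SCHEME = re.compile(r"https?://", re.IGNORECASE)


def _hosts_in(text):
    """Return the hosts of every http(s) URL found inside text, in order."""
    hosts = []
    for match in _SCHEME.finditer(text):
        host = urlsplit(text[match.start():]).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def analyse_link(url):
    """Separate the host a link shows from the hosts hidden in its path/query."""
    # Split on the raw '#' first: the fragment is never sent to the server,
    # so any URL inside it is decoration for the reader, not a destination.
    body, _, fragment = url.partition("#")
    outer = urlsplit(body)
    # Decode after splitting so an encoded %23 cannot move the fragment boundary.
    rest = unquote(outer.path + "?" + outer.query)
    embedded = _hosts_in(rest)
    return {
        "outer_host": outer.hostname,
        "embedded_hosts": embedded,
        "fragment_hosts": _hosts_in(unquote(fragment)),
        # Flag links whose path or query names a different host than the one shown.
        "redirect_suspect": any(h != outer.hostname for h in embedded),
    }


if __name__ == "__main__":
    for key, value in analyse_link(SAMPLE).items():
        print(f"{key}: {value}")
```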


