#1

I've seen a number of messages looking like this, they just get
deleted, but what exactly are they? Is this another attempt
to execute code on MS Outluck?

--------------------

- Home directory: The location of the home directory varies by platform.
Windows 98 (single-user): C:\Windows
Windows 98 (multi-user): C:\Windows\Profiles
Windows 2000/XP: C:\Documents and Settings

-----BEGIN BLOCK-----
F%D5%CDU%C2%058%E5%9A%D5%7D%85
JJ%E3%DF%D7o%C1%1F%60%EA%F0%B2

etc ...

--
Jim Watt
http://www.gibnet.com

Jim Watt

#2

"Jim Watt" wrote...
> I've seen a number of messages looking like this,

So have I - since about the end of August.

> they just get deleted, but what exactly are they ?

Just spammer nonsense, I think.

> Is this another attempt to execute code on MS Outluck?

The block displays as plain text. I can't make sense of it as executable code after escaping. I've seen examples of spam containing these blocks, which also contain an encoded javascript. This is the real exploit. It contains an iframe with a URL to a site hosting a trojan. The idea is that this gets silently downloaded and installed if you're unlucky enough to preview or open it with OE.

Easy enough to avoid with the proper security settings. OE should be in the restricted zone, which should of course have scripting disabled.

> - Home directory: The location of the home directory varies by
> platform.
> Windows 98 (single-user): C:\Windows
> Windows 98 (multi-user): C:\Windows\Profiles
> Windows 2000/XP: C:\Documents and Settings
>
> -----BEGIN BLOCK-----
> F%D5%CDU%C2%058%E5%9A%D5%7D%85
> JJ%E3%DF%D7o%C1%1F%60%EA%F0%B2
>
> etc ...

Ant

#3

Googling the first line or first two lines gets quite a few hits. For
example: http://www.dslreports.com/forum/rema...t=-1~mode=flat

On Sun, 3 Oct 2004 12:48:48 -0400, Jim Watt wrote (in article <>):
> I've seen a number of messages looking like this, they just get
> deleted, but what exactly are they ? Is this another attempt
> to execute code on MS Outluck?
>[snipped]

Mark3324

#4

"Mark3324" wrote...
> Googling the first line or first two lines gets quite a few hits. For
> example: http://www.dslreports.com/forum/rema...t=-1~mode=flat

There's an example on that page of the "JScript.Encode" obfuscated scripting I mentioned.

Ant

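Added example, not part of any post in this thread: a Python triage sketch that checks a message body for the three markers the posters mention (the percent-escaped `-----BEGIN BLOCK-----` text, a `JScript.Encode` script tag and an iframe). The regexes, the 0.7 threshold, the function names and the HTML sample body are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Markers named in the thread; the regexes themselves are this example's assumptions.
BLOCK_RE = re.compile(r"-----BEGIN BLOCK-----\r?\n((?:[^\r\n]+\r?\n?)+)")
ENCODED_SCRIPT_RE = re.compile(r"<script\b[^>]*JScript\.Encode", re.I)
IFRAME_RE = re.compile(r"<iframe\b", re.I)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 1.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def triage(body: str) -> dict:
    """Report which of the thread's markers appear in a message body."""
    result = {"opaque_block": False, "encoded_script": False, "iframe": False}
    match = BLOCK_RE.search(body)
    if match:
        decoded = unquote_to_bytes(match.group(1))
        # 0.7 is an arbitrary cut-off chosen for this example.
        result["opaque_block"] = printable_ratio(decoded) < 0.7
    result["encoded_script"] = bool(ENCODED_SCRIPT_RE.search(body))
    result["iframe"] = bool(IFRAME_RE.search(body))
    # Per the thread, the block itself displays as plain text; the script
    # and iframe content is what the scripting restrictions are meant to stop.
    result["needs_review"] = result["encoded_script"] or result["iframe"]
    return result


# The block lines quoted in the thread, wrapped in a constructed body.
BLOCK_ONLY = (
    "- Home directory: The location of the home directory varies by platform.\n"
    "-----BEGIN BLOCK-----\n"
    "F%D5%CDU%C2%058%E5%9A%D5%7D%85\n"
    "JJ%E3%DF%D7o%C1%1F%60%EA%F0%B2\n"
)
# Constructed HTML part; the script content is a placeholder, not a real payload.
WITH_SCRIPT = BLOCK_ONLY + '\n<script language="JScript.Encode">PLACEHOLDER</script>\n'

if __name__ == "__main__":
    for name, body in (("block only", BLOCK_ONLY), ("with script", WITH_SCRIPT)):
        print(name, triage(body))
```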