worm "postcard" e-mail issue
Date: Thu, 19 May 2005 12:38:21 -0500
To: [email protected]
From: "M. Perri" <icc-mysql@icorp.net.>
Subject: worm "postcard" e-mail issue
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: antivirus-gw at tyumen.ru
Be advised there is a new worm spreading. It says you have received a postcard with a link to click to see the postcard; however, the URL first goes to some DSL customer in Canada who has been compromised, and some sort of JavaScript is run on the local machine... not sure what it does....
Can anyone confirm what systems may be vulnerable to this attack?
Initial suspicious code which performs a redirect:
#telnet 68.146.201.132 8180
Trying 68.146.201.132...
Connected to S010600c09f51432d.cg.shawcable.net.
Escape character is '^]'.
GET /090/
HTTP/1.0 200
<-------html><head><s----cript language="javascript">
var k,r,c,n,u=9 ;var h=document.links;
function L(x){if(h[x].text)return h[x].text;var z,s=h[x].hash;if(s && s!="#"){if(s.substring(0,1)=="#")return s.substring(1,200);return s;}s=h[x].href;if(s){if(location.href.indexOf(s)==0)return "../";if(!x)return "../";z=s.lastIndexOf("#");if(z>=0)return s.substring(z+1,200);z=s.lastIndexOf("/");if(z>=0){if(z>=(s.length-1))z=s.lastIndexOf("/",z-1);if(z>=0)return s.substring(z+1,200);}return s;}return h[x].pathname;}
function M(a,b){var x,y;x=L(a*3+k+6);y=L(b*3+k+6);if(k==1 || k==4){x*=2;y*=2;}if(x>y)return r;if(x<y)return -r;return 0;};
function A(x,y){var z=x+3;return "<b><a href='javascript:O("+x+");'>"+y+" /\ </a> - <a href='javascript:O("+z+");'>\/</a></b></td>";};
function S(){return "cript>";}
function F(x,y){return "<td><a href='" + L(y) + ((y==x)?"":"#" + L(x)) + "'>" + L(x) + "</a></td>";};
function O(z){var i,j,w,o;r=1;k=z;if(k>=3){r=-1;k-=3;}c=(document.links.length-u)/3; u=6;n=new Array(c);for(i=0;i<c;++i)n[i]=i;n.sort(M);
o="<scr"+"ipt language=javascript>var k,r,c,n,u=6; var h=document.links;"+L.toString()+M.toString()+A.toString()+F.toString()+O.toString()+S.toString()+"\n</s";
o+=S() + "<table border=0 width=100% bgcolor=#f0f0ff><tr bgcolor=#aaaaff><td width=50%>"+A(0,"Name")+"<td width=15%>"+A(1,"Size")+"<td>"+A(2,"Date")+"</tr>";
for(i=0;i<c;++i){j=n[i]*3+6;o+="<tr>" + F(j,j) + F(j+1,j) + F(j+2,j) + "</tr>";};
w=document;o+="</table><hr>";w.open();w.write(o);w.close();o="";delete n;}
</script></head><body><table border=0 width=100% bgcolor=#f0f0ff><tr bgcolor=#aaaaff><td width=50%><b><a href="javascript:O(0);">Name /\</a> - <a href="javascript:O(3);">\/</a></b></td><td><b><a href="javascript:O(1);">Size /\</a> - <a href="javascript:O(4);">\/</a></b></td><td><b><a href="javascript:O(2);">Date /\</a> - <a href="javascript:O(5);">\/</a></b></td></tr></table><hr><br>
<center><table width=500 height=60 border=1 cellspacing=0 cellpadding=1><tr vallign=top cellpadding=0 cellspacing=0><td height=4 bgcolor=#8030e0> <table width=494 height=8 border=0 cellspacing=0 cellpadding=1><tr cellpadding=1 cellspacing=0><td bgcolor=#5030a0 width=60 height=4><font size=0 color=#ffffff class=f3>Unregistred</font></td><td bgcolor=#6030b0 width=60 height=4><font size=0 color=#ffffff class=f3>copy</font></td><td bgcolor=#7030c0 width=60 height=4 align=right><font size=0 color=#ffffff class=f3>of <b>Small</b></font></td><td bgcolor=#8030d0 height=4><font size=0 color=#ffffff class=f3><b>HTTP server</b></font></td><td bgcolor=#9030e0 width=60 height=4><font size=0 class=f3> </font></td><td bgcolor=#a030f0 width=60 height=4><font size=0 class=f3> </font></td><td bgcolor=#b030ff width=60 height=4><font size=0 class=f3> </font></td><td bgcolor=#c0c0c0 width=12 height=4><a href=http://srv.mf.inc.ru/news.htm><font size=0 color=#00c0f0 class=f3><b>/\\</b></font></a></td>ать рекламу</font></b></a></td></tr></table></center><br>
Connection closed by foreign host.