Re: [Full-disclosure] A new phishing fraud
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] A new phishing fraud
- From: Shawn Austin <austinsr@xxxxxxxxx>
- Date: Wed, 18 May 2005 20:39:50 -0500
McAfee catches VBS/Soraci when the page is loading.
Writeup of virus from http://vil.nai.com/vil/content/v_101049.htm
Virus Characteristics:
This is a file infecting VBScript virus that infects files with
extension HTT, HTM, and HTML. When run, the virus will create or modify
the following registry keys to change the Internet Explorer start page:
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Local Page" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
* HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www./(address neutered)/.com/hedda_marie_tolentino/index.htm
The virus creates the following files:
* %SysDir%\icarOs.dll (2,824 bytes)
* %SysDir%\icarOs2.dll (3,748 bytes)
* %SysDir%\scanregw.vbe (3,718 bytes)
(Where %SysDir% is the Windows System directory on the system, for
example c:\WINDOWS\SYSTEM.)
A registry entry is also created to run the virus on Windows startup:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run "ScanRegistry " = %SysDir%\scanregw.vbe
This virus has a malicious payload to restart Windows continuously if
the date is September 26.
m0fo wrote:
Probably, there is a new phishing fraud.
I received a mail saying:
"Please note that this is a system generated email. Please do not
reply to this email. If you have questions, please click the following
link or paste it in your browser.
http://pages.ebay.com/help/basics/select-support.html
eBay Confirmation Center
Dear customer,
During our regular update and verification of the accounts
we couldn't verify your current information. Either your information
has changed or it is incomplete. If the account information is not
updated to current information within 5 days then, your access to bid
or buy on eBay will be suspended.
To Update Account, please click the link below
click here
Copyright 1995-2005 eBay Inc. All Rights Reserved.
Designated trademarks and brands are the property of their respective
owners.
eBay and the eBay logo are trademarks of eBay Inc."
While I'm clicking, it's taking me to
http://www.pearland.co.id/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav
There it's asking for user and pass.
Take Care,
Ido.
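The mail quoted above is the classic pattern: a legitimate-looking link (pages.ebay.com) in the body, and a "click here" that lands on eBayISAPI.dll?SignIn on an unrelated host (www.pearland.co.id). The check below is an added example, not code from the original posts or from McAfee: it decides whether a link's host actually lies under the brand's registrable domain, and flags links that borrow the real sign-in path or brand name on a foreign host. The two eBay URLs are taken from the message; the remaining sample links, the LEGIT_DOMAINS list and the marker strings are constructed assumptions for the example.

```python
from urllib.parse import urlsplit, unquote

# Registrable domain(s) the brand really uses (assumption for this example).
LEGIT_DOMAINS = ("ebay.com",)

# Fragments the phishing page copied from the genuine sign-in flow. The
# quoted link points at /ws/eBayISAPI.dll?SignIn on a foreign host.
SIGNIN_MARKERS = ("ebayisapi.dll", "signin")
BRAND_TOKENS = ("ebay",)

# Constructed sample set: the first two links are from the message above,
# the rest are lookalikes made up here to exercise the edge cases.
SAMPLE_LINKS = [
    "http://pages.ebay.com/help/basics/select-support.html",
    "http://www.pearland.co.id/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav",
    "http://ebay.com.example.net/ws/eBayISAPI.dll?SignIn",   # brand as a subdomain of an attacker host
    "http://www.ebay.com@example.net/signin",                # brand hidden in the userinfo part
    "http://signin.ebay.com/ws/eBayISAPI.dll?SignIn",        # real subdomain, should pass
]


def host_in_domain(host, domain):
    """True only for the domain itself or a genuine subdomain of it.

    'pages.ebay.com' matches 'ebay.com'; 'ebay.com.example.net' does not,
    because a plain substring test would be fooled by that layout.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url):
    """Return a dict describing why a link is or is not trustworthy."""
    parts = urlsplit(url.strip())
    # .hostname strips userinfo and port and lowercases, so
    # 'www.ebay.com@example.net' yields 'example.net'.
    host = (parts.hostname or "").lower()
    target = unquote(parts.path + "?" + parts.query).lower()

    legit = any(host_in_domain(host, d) for d in LEGIT_DOMAINS)
    mimics_signin = any(m in target for m in SIGNIN_MARKERS)
    brand_in_host = (not legit) and any(b in host for b in BRAND_TOKENS)
    # A username before '@' is almost never legitimate in a mailed link.
    userinfo_trick = parts.username is not None

    if legit:
        verdict = "legitimate-domain"
    elif mimics_signin or brand_in_host or userinfo_trick:
        verdict = "phishing-suspect"
    else:
        verdict = "foreign-host"

    return {
        "host": host,
        "legit_domain": legit,
        "mimics_signin": mimics_signin,
        "brand_in_host": brand_in_host,
        "userinfo_trick": userinfo_trick,
        "verdict": verdict,
    }


def scan_links(links):
    """Classify every link and return the list of result dicts."""
    return [classify_link(u) for u in links]


if __name__ == "__main__":
    for result in scan_links(SAMPLE_LINKS):
        print(f"{result['verdict']:18} {result['host']}")
```

The host test is the part that matters: substring matches on "ebay" or on the path would pass the second and fourth constructed lookalikes, whereas comparing the parsed hostname against the registrable domain rejects both and still accepts signin.ebay.com. Note that the phishing link also leaves UsingSSL empty and uses plain http, another tell a user can spot without tooling.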
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/