<<< Date Index >>>     <<< Thread Index >>>

worm "postcard" e-mail issue




Be advised there is a new worm spreading. It says you have received a postcard with a link to click to see the postcard, however, the URL first goes to some dsl customer in canada who has been comprised and some sort of javascript is run on the local machine... nut sure what it does....

Can anyone confirm what systems may be vulnerable to this attack?

Initial suspicious code which performs a redirect:

#telnet 68.146.201.132 8180

Trying 68.146.201.132...
Connected to S010600c09f51432d.cg.shawcable.net.
Escape character is '^]'.
GET /090/

HTTP/1.0 200

<-------html><head><s----cript language="javascript">
var k,r,c,n,u=9 ;var h=document.links;function L(x){if(h[x].text)return h[x].text;var z,s=h[x].hash;if(s && s!="#"){if(s.substring(0,1)=="#")return s.substring(1,200);return s;}s=h[x].href;if(s){if(location.href.indexOf(s)==0)return "../";if(!x)return "../";z=s.lastIndexOf("#");if(z>=0)return s.substring(z+1,200);z=s.lastIndexOf("/");if(z>=0){if(z>=(s.length-1))z=s.lastIndexOf("/",z-1);if(z>=0)return s.substring(z+1,200);}return s;}return h[x].pathname;}function M(a,b){var x,y;x=L(a*3+k+6);y=L(b*3+k+6);if(k==1 || k==4){x*=2;y*=2;}if(x>y)return r;if(x<y)return -r;return 0;};function A(x,y){var z=x+3;return "<b><a href='javascript:O("+x+");'>"+y+" /&#92; </a> - <a href='javascript:O("+z+");'>&#92;/</a></b></td>";};function S(){return "cript>";}function F(x,y){return "<td><a href='" + L(y) + ((y==x)?"":"#" + L(x)) + "'>" + L(x) + "</a></td>";};function O(z){var i,j,w,o;r=1;k=z;if(k>=3){r=-1;k-=3;}c=(document.links.length-u)/3; u=6;n=new Array(c);for(i=0;i<c;++i)n[i]=i;n.sort(M);o="<scr"+"ipt language=javascript>var k,r,c,n,u=6; var h=document.links;"+L.toString()+M.toString()+A.toString()+F.toString()+O.toString()+S.toString()+"\n</s";o+=S() + "<table border=0 width=100% bgcolor=#f0f0ff><tr bgcolor=#aaaaff><td width=50%>"+A(0,"Name")+"<td width=15%>"+A(1,"Size")+"<td>"+A(2,"Date")+"</tr>";for(i=0;i<c;++i){j=n[i]*3+6;o+="<tr>" + F(j,j) + F(j+1,j) + F(j+2,j) + "</tr>";};w=document;o+="</table><hr>";w.open();w.write(o);w.close();o="";delete n;} </script></head><body><table border=0 width=100% bgcolor=#f0f0ff><tr bgcolor=#aaaaff><td width=50%><b><a href="javascript:O(0);">Name /\</a> - <a href="javascript:O(3);">\/</a></b></td><td><b><a href="javascript:O(1);">Size /\</a> - <a href="javascript:O(4);">\/</a></b></td><td><b><a href="javascript:O(2);">Date /\</a> - <a href="javascript:O(5);">\/</a></b></td></tr></table><hr><br><center><table width=500 height=60 border=1 cellspacing=0 cellpadding=1><tr vallign=top cellpadding=0 cellspacing=0><td height=4 bgcolor=#8030e0> <table width=494 height=8 border=0 cellspacing=0 cellpadding=1><tr cellpadding=1 cellspacing=0><td bgcolor=#5030a0 width=60 height=4><font size=0 color=#ffffff class=f3>Unregistred</font></td><td bgcolor=#6030b0 width=60 height=4><font size=0 color=#ffffff class=f3>copy</font></td><td bgcolor=#7030c0 width=60 height=4 align=right><font size=0 color=#ffffff class=f3>of <b>Small</b></font></td><td bgcolor=#8030d0 height=4><font size=0 color=#ffffff class=f3><b>HTTP server</b></font></td><td bgcolor=#9030e0 width=60 height=4><font size=0 class=f3>&nbsp;</font></td><td bgcolor=#a030f0 width=60 height=4><font size=0 class=f3>&nbsp;</font></td><td bgcolor=#b030ff width=60 height=4><font size=0 class=f3>&nbsp;</font></td><td bgcolor=#c0c0c0 width=12 height=4><a href=http://srv.mf.inc.ru/news.htm><font size=0 color=#00c0f0 class=f3><b>/\\</b></font></a></td>àòü ðåêëàìó</font></b></a></td></tr></table></center><br>Connection closed by foreign host.