Jason

new email worm - please read


Please be on the safe side and read the below information about the latest email worm. This worm must really be making its rounds quickly, because I've already received 2 of these emails. Please realize you DON'T even have to download anything from the email to get the worm... that's what makes it so sneaky. When you open the email, it looks like an innocent letter with a link. The link is what triggers the worm. DO NOT CLICK IT!!!

The virus spreads by sending email messages to addresses found on the local system, as well as addresses constructed by the virus. The message appears as follows:

From: Spoofed address (may be exchange-robot@paypal.com when sending PayPal message body below)

Subject:

  • hi!
  • hey!
  • Confirmation
  • blank

Body:

or

Hi! I am looking for new friends.

My name is Jane, I am from Miami, FL.

See my homepage with my weblog and last webcam photos!

See you! 

or

Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos! 

The mail header may contain one of the following fields:

X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)

X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)

X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software

There is no attachment to the message. The homepage or link hyperlink points to the infected system which sent the email message. Clicking on the link accesses a web server running on the compromised system. The web server serves HTML that contains IFRAME buffer overflow code to automatically execute the virus.

Infected systems will show Windows Explorer listening on TCP Port 1639, the port the web server runs on.

When a user follows a hyperlink sent by the virus, they are connected with the infected computer (http:// IP address of infected host that sent the email message :1639/index.htm). The webcam.htm page that is served results in a buffer overflow occurring in Internet Explorer. Shell code then executes, which instructs the local machine to download a remote file (http:// IP address :1639/reactor) and save it to a local file %desktop%\vv.dat and then execute the downloaded file.
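A mail-filter check built from the indicators listed in the post above, as an added example that is not part of the original post. The function names, the sample messages and the rule in `is_suspect` are assumptions made for illustration; only the subjects, X-AntiVirus strings, the missing attachment and the port 1639 link come from the post.

```python
import re
from email import message_from_string

# Indicators from the post; "blank" is read as an empty subject (assumption).
SUBJECTS = {"hi!", "hey!", "confirmation", "blank", ""}
AV_HEADERS = ("scanned for viruses by amavis 0.2.1", "checked by dr.web",
              "checked for viruses by gordano's antivirus software")
# Link to a bare IPv4 host on TCP port 1639, the worm's web server port.
LINK_RE = re.compile(r"http://\d{1,3}(?:\.\d{1,3}){3}:1639\b", re.I)

# Constructed sample messages (192.0.2.10 is a documentation address).
SAMPLE_WORM = ("From: someone@example.com\nSubject: hi!\n"
               "X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)\n"
               "Content-Type: text/plain\n\n"
               "See my homepage: http://192.0.2.10:1639/index.htm\n")
SAMPLE_BENIGN = ("From: shop@example.com\nSubject: Confirmation\n"
                 "Content-Type: text/plain\n\n"
                 "Track your order: http://example.com:16390/order\n")

def worm_indicators(raw):
    """Return which indicators from the post a raw RFC 822 message matches."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    av = " ".join(msg.get_all("X-AntiVirus") or []).lower()
    if any(h in av for h in AV_HEADERS):
        hits.append("x-antivirus")
    bodies, has_attachment = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            has_attachment = True
        elif part.get_content_maintype() == "text":
            # latin-1 never fails to decode; the URL itself is plain ASCII.
            bodies.append((part.get_payload(decode=True) or b"").decode("latin-1"))
    if not has_attachment:
        hits.append("no-attachment")
    if LINK_RE.search("\n".join(bodies)):
        hits.append("link-port-1639")
    return hits

def is_suspect(raw):
    """Assumed rule, not from the post: link and no attachment, plus subject or header."""
    hits = set(worm_indicators(raw))
    return {"link-port-1639", "no-attachment"} <= hits and bool(hits & {"subject", "x-antivirus"})
```

The subject and missing-attachment indicators match plenty of ordinary mail on their own, which is why the rule requires the port 1639 link before flagging a message.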
