"Aleksandar Milivojevic" <alex@xxxxxxxxxxxxxxx> wrote:

> I don't know if this is something new, or something old.

Well, part of it is old and part of it quite new...

> Yesterday I received a couple of emails (apparently from people I know).
> Emails were text/html, and contained only this text:
>
> http://drs.yahoo.com/milivojevic.org/NEWS
>
> Text was actually linked to:
>
> http://drs.yahoo.com/milivojevic.org/NEWS/*http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/milivojevic.org/NEWS

This is the self-mailing part of Wallon.A -- a new mass-mailer that distributes itself simply by sending Emails with links to itself to everyone in the victim's (Outlook) address book (not fully analysed yet...).

BTW -- the "milivojevic.org" part of that bogo-URL is customized to each recipient, based on their Email address.

> Downloading the above link using wget, drs.yahoo.com redirects to:
>
> http://www.security-warning.biz/personal6/maljo24/www.YAHOO.com/

Yes -- URLs like that (and some other, related forms) have been not uncommonly used by spammers for quite some time now (in general it seems these Yahoo redirector pages parse off everything to the left of and including the asterisk and redirect to the remainder).

> This page contains some JavaScript (after a couple of empty screens) that
> seems to open an off-screen window (or at least it looks like that to me) ...

It's a porn page and the link includes an affiliate reference so the perp may get paid for each recipient of the "viral" Email that clicks on the link in the Email...

> ... and
> loads terra.html from the same site. Downloading terra.html using wget,
> there's some more JavaScript (again after several empty screens) and some
> obfuscating code inside that I haven't analyzed in depth.

There is a simple decode routine that de-obfuscates an iframe tag directed to a Compiled Help file (.CHM) which, by exploiting the MHTML URL Processing vulnerability in (unpatched copies of) IE, silently d/ls the .CHM, opening it in the local computer zone where some scripting inside the .CHM then exploits the ADODB.Stream vulnerability in (unpatched copies of) IE to overwrite and execute Media Player with a .EXE file retrieved from the same site as the .CHM.

I've not analysed that .EXE yet and information from various AV developers about it is somewhat contradictory -- it is probably the component that mass-mails the target URL from the new victim's machine and may download and install a porn-dialer (there are also conflicting claims as to whether the .EXE sets itself up to run on startup and some claim it also Emails the list of its mail addresses its mailing routine compiles to 1@xxxxxxxxxxxxxxx). Different descriptions have somewhat different filenames, suggesting that the pages served from the target URLs may have changed "overnight" and slightly different variants (or even radically components) may have been available at different times.

> Anybody seen this before? Is this some kind of virus, worm, spyware, or
> simply a spam? Looking at received headers of emails, it doesn't look
> like spam. When I contacted the people who were listed as senders, they
> said they never sent it (but that they suspect they might be infected by
> some virus).

Seen before -- yes and no. "Self-spamming mass-mailers", where all that is mailed is a link to a location for the mass-mailer (or at least to another component in a chain that ultimately closes a replication loop) are not new. Use of the MHTML and .CHM tricks is not, neither is use of ADODB.Stream exploits new, nor is the joint use of those two exploits. Address harvesting by a mass-mailer is not new either.

All that leaves is the specifics of this implementation and the actual .EXE file(s) that are d/l'ed from the target site and even some of these appear to be already-known dialers (though many "virus scanners" will not detect them).

> I'll be contacting Yahoo about this (obviously, whatever they have at
> drs.yahoo.com isn't designed with security in mind), however I'm
> interested if anybody else saw/got this, and if he/she knows what it is.

I doubt you'll get much assistance from Yahoo -- as far as it is concerned, those pages are working as designed. You'd probably do more help by complaining to http://www.security-warning.biz/ about their "personal6" and/or "maljo24" user _AND_ CC'ing that to their upstream provider's abuse address (and the DHS and/or your pet FBI "cyber-crime" contact if you have one).

> Thanks for any info/pointers

You're welcome.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
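As an added illustration (not part of the original thread) of the redirector trick Nick describes, the following mail-filter check assumes only the behaviour he states (everything up to and including the asterisk is dropped and the remainder is the redirect target) and uses the link Aleksandar quoted; the HTML snippet is constructed to resemble such a message.

```python
"""Flag drs.yahoo.com '*'-style redirector links whose visible text names a
different host than the real destination (the Wallon.A mailing pattern)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Redirector hosts of the ".../*http://target" form (assumption: only the
# host named in the thread is listed).
REDIRECTOR_HOSTS = {"drs.yahoo.com"}


def redirect_target(url):
    """Return the destination hidden behind a '*' redirector link, else None.
    urlsplit() already strips the '#http://drs.yahoo.com/...' fragment that
    is appended so the link looks like a Yahoo URL in the status bar."""
    parts = urlsplit(url)
    if parts.hostname not in REDIRECTOR_HOSTS or "*" not in parts.path:
        return None
    target = parts.path.split("*", 1)[1]
    if parts.query:
        target += "?" + parts.query
    return target if target.lower().startswith(("http://", "https://")) else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def flag_disguised_redirects(html):
    """Return (shown_text, real_host) for each redirector link whose visible
    text claims a different host than the actual destination."""
    collector = _LinkCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.links:
        target = redirect_target(href)
        if target is None:
            continue
        shown_host = urlsplit(text).hostname if "://" in text else None
        real_host = urlsplit(target).hostname
        if shown_host != real_host:
            hits.append((text, real_host))
    return hits


# Constructed sample body built around the URL quoted in the thread.
WALLON_URL = ("http://drs.yahoo.com/milivojevic.org/NEWS/*http://www.security-warning.biz"
              "/personal6/maljo24/www.YAHOO.com/#http://drs.yahoo.com/milivojevic.org/NEWS")
SAMPLE_HTML = '<html><body><a href="%s">http://drs.yahoo.com/milivojevic.org/NEWS</a></body></html>' % WALLON_URL
```

A mail gateway can apply `flag_disguised_redirects` to text/html bodies and quarantine or annotate messages where the claimed and real hosts differ.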