gandalf@xxxxxxxxxxx wrote: > Greetings and Salutations: > I just receieved this exploit, It is none, as others already have mentioned. I suppose you got it from one of the various "you received a postcard" mailings going round. It is basically a trampoline that will lead to a series of webservers that have been compromised which will redirect to each other (typically 2 or 3 steps) using frames, iframes or similar javascripts (they use the same basic en-/decoder, as far as I have seen). The last step, however (which is probably what triggered a trap on your system) is a piece of HTML that is using 3 or 4 different exploits to try to download and execute a variant of Haxdoor. The first two are trying to use ActiveX together with .chm bugs (not sure, if I should count them as two), the next utilizes some JavaApplet called " SandBoxEscape.class", while the fourth tries to exploit http://www.securiteam.com/windowsntfocus/6B00L2KEKW.html The binary that should have been downloaded was identified by virusscan.jotti.org as being - Bitdefender BehavesLike:Trojan.WinlogonHook (probable variant), - NOD32 a variant of Win32/Haxdoor - VBA32 Trojan-Downloader.Agent.84 (probable variant). Note, that only three of about a dozen Scanners installed on jotti identify the malware, as it seems to be modified. I have given a short description of what I've seen there in the german newsgroup de.comp.security.virus with MID slrndv299i.sp1.becka-news-nospam-2006-02@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx > Subject: You have received a postcard! Id: 7963 Ah. Good guess. Kind regards, Andreas Beck -- Andreas Beck http://www.bedatec.de/
