Suspicious Emails inderectly leading to virus infection



According to The August 4th entry of the isc.sans.org handlers diary, there are some peculiar emails going around. They claim to be for an article claiming an explosion kills 140 in Iraq. It contains a link to a news article that has been altered from it’s original (140 instead of 14 for instance.) It also contains some nasty surprises for the visitor. There is an exploit that requires no user intervention, A cross-site scripting vulnerability (MS05-001) is exploited which runs ppp.hta from your hard drive, which creates a file called netlog.exe, which is launched by Media Player (??), which then retrieves a copy of win32sba.exe, which is the robobot backdoor.

Once the backdoor is on the system, of course, the system is “owned”. The email contains many mispellings apparently. It’s good to be suspicious of any unexpected emails you receive and be hesitant about clicking on links in emails from unusual sources.

   Send article as PDF   

Similar Posts