
List:       inet-access
Subject:    RE: Trojan
From:       Ron Snyder <snyder () roguewave ! com>
Date:       2003-10-03 19:43:18


> Does anyone know of what this might be? Both machines hijacked in a big
> way, and both used our SMTP server to spew tons of mail at aol.com, which
> kind of freaks me out since it could get us listed somewhere for spam.

http://vil.nai.com/vil/content/v_100719.htm
This seems like a possible explanation. The advisory doesn't mention sending
emails, but it does mention that there are several different variants (that
perform different tasks).

From the advisory:
This trojan is responsible for recent reports of strange DNS changes on
systems as recently reported on NTBUGTRAQ.  The operations of the trojan are
as follows:

   1. A user is directed to a web site that contains Exploit-ObjectData
      code.  NOTE: The MS03-032 patch does not protect against this attack
      vector.  This allows for the automatic execution of VBScript contained
      in an HTML file (x.hta)
   2. This VBScript drops the file AOLFIX.EXE in the %TEMP% directory
   3. This dropped AOLFIX.EXE is run, which may perform different tasks
      (several variants are known to exist)
   4. The VBScript creates the file O.BAT, which cleans up after the trojan
      by deleting the dropped AOLFIX.EXE file and the O.BAT file

-ron
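Added example, not part of Ron's message or the McAfee advisory: a small Python triage script built only from the indicators quoted above. On the host side it checks a directory listing (meant for %TEMP%) for the dropped files the advisory names, AOLFIX.EXE and O.BAT, plus any .hta carrier, comparing case-insensitively as Windows does. On the mail side it counts, per client IP, messages relayed to aol.com so the machines behind the spew in the original question stand out. The one-line-per-message log format, the sample log, the IP addresses and the threshold of 50 are all constructed for this example and are assumptions; adapt the regex to the real log lines of your MTA.

```python
import os
import re
from collections import Counter
from pathlib import Path
from typing import Dict, Iterable, List

# File names taken from the quoted advisory.  Compared in lower case because
# Windows file systems are case-insensitive.
DROPPER_ARTIFACTS = {"aolfix.exe", "o.bat"}


def find_dropper_artifacts(filenames: Iterable[str]) -> List[str]:
    """Return the names from an iterable that match the dropped files the
    advisory describes, or any .hta file (the VBScript carrier)."""
    hits = []
    for name in filenames:
        lower = name.lower()
        if lower in DROPPER_ARTIFACTS or lower.endswith(".hta"):
            hits.append(name)
    return sorted(hits)


def scan_temp_dir(temp_dir: str) -> List[str]:
    """Live-host wrapper: list the top level of temp_dir and check it.
    Note that O.BAT deletes AOLFIX.EXE and itself, so an empty result does
    not prove a clean machine; the .hta may still be in the browser cache."""
    p = Path(temp_dir)
    return find_dropper_artifacts(e.name for e in p.iterdir() if e.is_file())


# Constructed, simplified log format (an assumption, not any real MTA's):
# one line per accepted message, e.g.
#   2003-10-03T12:01:02 client=10.0.0.17 from=<bob@example.net> to=<x@aol.com>
LOG_RE = re.compile(
    r"client=(?P<client>[\d.]+) from=<[^>]*> to=<[^@>]+@(?P<domain>[^>]+)>"
)


def count_by_client(log_lines: Iterable[str],
                    target_domain: str = "aol.com") -> Dict[str, int]:
    """Count messages per client IP whose recipient domain is target_domain."""
    counts: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("domain").lower() == target_domain.lower():
            counts[m.group("client")] += 1
    return dict(counts)


def flag_relay_abuse(log_lines: Iterable[str], threshold: int = 50,
                     target_domain: str = "aol.com") -> List[str]:
    """Return the client IPs that sent at least `threshold` messages to
    target_domain; the threshold is an assumption to tune per site."""
    counts = count_by_client(log_lines, target_domain)
    return sorted(c for c, n in counts.items() if n >= threshold)


def _constructed_log() -> List[str]:
    """Build a sample log: two hijacked hosts spewing at aol.com and one
    normal host with a handful of legitimate aol.com recipients."""
    lines: List[str] = []
    seq = 0

    def add(client: str, sender: str, rcpt: str) -> None:
        nonlocal seq
        seq += 1
        lines.append(f"2003-10-03T12:{seq // 60:02d}:{seq % 60:02d} "
                     f"client={client} from=<{sender}> to=<{rcpt}>")

    for i in range(120):
        add("10.0.0.17", "bob@example.net", f"user{i}@aol.com")
    for i in range(80):
        add("10.0.0.22", "carol@example.net", f"member{i}@AOL.COM")
    for i in range(3):
        add("10.0.0.5", "alice@example.net", f"friend{i}@aol.com")
    for i in range(10):
        add("10.0.0.5", "alice@example.net", f"colleague{i}@example.org")
    return lines


SAMPLE_LOG = _constructed_log()


if __name__ == "__main__":
    print("suspect relay clients:", flag_relay_abuse(SAMPLE_LOG))
    temp = os.environ.get("TEMP") or os.environ.get("TMP")
    if temp and os.path.isdir(temp):
        print("dropper artifacts in", temp, ":", scan_temp_dir(temp))
```

The log half is the part worth keeping after the incident: the same per-client count, run against the real relay log with a site-specific threshold, catches the next hijacked desktop before aol.com's complaint desk does.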

_______________________________________________
"Eat sushi frequently". - Avi
inet@inet-access.net is the human contact address.
list@inet-access.net is the list posting address.
See below URL for subscribe/unsubscribe and list options:
http://inet-access.net/mailman/listinfo/list