H.Karrenbeld_at_a1.nl
Date: Sun Sep 29 2002 - 08:31:52 CDT

    The *.cab file contains a file 'potd.dll', googling for it gives this
    link http://and.doxdesk.com/parasite/Cytron.html.

    Over there it's considered a 'parasite'.

    According to the link, it appears to be some module that will install
    into your IE and pop-up ads based on web pages being visited by the
    'infected party'.

    The E-Card people are, of course, lying that it will -need- this module
    installed for the E-card to work.

    $) Henri

    > -----Original Message-----
    > From: Jonathan A. Zdziarski [mailto:jonathannetworkdweebs.com]
    > Sent: Saturday, September 28, 2002 11:25 AM
    > To: incidentssecurityfocus.com
    > Cc: abusethawte.com; server-certsthawte.com; abuseyahoo.com
    > Subject: E-Card Remote Code Execution Scam
    >
    >
    > This seems an awful lot to me like a Remote Code Execution Scam...
    >
    > I received an email addressed to "Undisclosed Recipients" notifying me
    > that I received an E-Card today, so I went to the site
    > http://www.surprisecards.net/viewcard.htm?id_num=[Undisclosed]&card=Pick+up
    > to view the card. Oddly, I received a security warning asking me if
    > I wanted to allow some code to run on my machine. Noticing the odd
    > choice of form variables as opposed to other e-card sites (not to
    > mention the fact that I could type in any number and get the same
    > screen), and with an eyebrow now raised I went to the main website
    > http://www.surprisecards.net to find "Welcome to the future home of
    > richardoliver.web.aplus.net". So I figure, if there's no way to send a
    > card from this website then chances are nobody sent me a valid card.
    >
    > I took a look at the Thawte certificate for the card viewer "code" and
    > got www.cytron.com, some no-name development website with nothing more
    > than a phone number.
    >
    > At the moment I'm not in front of any sacrificial machine to test the
    > card out on, but I suspect this email is being mailed out as a scam in
    > an attempt to run arbitrary code on the user's machine using a valid
    > Thawte certificate. What the code does when it loads I've no idea as
    > I'm not dumb enough to try it on my home machine.
    >
    > In summary, my suspicion that this is the case is based on the
    > following:
    >
    > 1. The email was from egreetingsyahoo.com, yet was not redirecting me
    > to a yahoo site. (It was in fact coming from a yahoo mail server
    > though).
    >
    > 2. The email was NOT from surprisecard.net
    >
    > 3. The email was addressed to undisclosed recipients
    >
    > 4. There is no medium for sending cards from this site
    >
    > 5. www.cytron.com has no credible information about any card reader
    > product or even the company.
    >
    > Perhaps someone in front of some extra hardware can take this and roll
    > with it.

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
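The checklist in the quoted report (sender domain not matching the card link, "undisclosed recipients", a viewer URL that accepts any numeric id) can be turned into a simple mail-triage heuristic. This is an added example written for this archive page, not code from either poster; the message it parses is constructed, and the domains in it are placeholders rather than the ones discussed above.

```python
"""Triage an e-card notification against the indicators listed in the thread."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample message: placeholder domains, no real card id.
SAMPLE = """From: E-Greetings <egreetings@mail-provider.test>
To: Undisclosed Recipients:;
Subject: You have received an E-Card!

Someone sent you a card. Pick it up here:
http://cards.viewer-host.test/viewcard.htm?id_num=000&card=Pick+up
"""


def same_domain(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it (no suffix tricks)."""
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> dict:
    """Return the checklist indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    # Plain-text body is assumed; multipart mail would need msg.walk().
    body = msg.get_payload() if not msg.is_multipart() else ""
    urls = URL_RE.findall(body)
    hosts = [(urlparse(u).hostname or "").lower() for u in urls]
    to_header = msg.get("To", "").lower()
    return {
        "sender_domain": sender_domain,
        "link_hosts": hosts,
        # 1./2. the mail claims one sender but links to a different site
        "link_domain_mismatch": any(not same_domain(h, sender_domain) for h in hosts),
        # 3. not addressed to the recipient personally
        "undisclosed_recipients": "undisclosed" in to_header,
        # the viewer takes an id in the query string (any number worked)
        "id_in_query": any("id_num=" in u for u in urls),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Any message that sets all three boolean indicators is worth holding for a look before anyone follows the link, which is exactly what the quoted poster did by hand.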