HP3000-L Archives

May 2000, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Dennis Heidner <[log in to unmask]>
Reply To: Dennis Heidner <[log in to unmask]>
Date: Mon, 22 May 2000 21:47:17 GMT
Content-Type: text/plain

I also saw the message this morning.  The author appears to have mined
e-mail addresses from the HP3000-L newsgroup.

If you have Outlook installed, the preview mode is designed to "OPEN" up
the mail, link to the program and run it as part of the preview.
This is why so many of the virus authors have been targeting Outlook:
a nice and convenient feature, but a big security hole.

Microsoft has released a patch for Outlook that provides protection
against viruses by requiring the user to "OK" the connection to the
programs and "OK" accesses to the address book.  The downside to this
is that users with Palm Pilots and Windows CE devices will now have more
manual steps to take when synchronizing e-mail and schedules.

http://www.wired.com/news/technology/0,1282,36353,00.html
http://www.zdnet.com/eweek/stories/general/0,11011,2569930,00.html
http://www.zdnet.com/eweek/stories/general/0,11011,2572700,00.html
http://www.infoworld.com/articles/hn/xml/00/05/22/000522hnoutlook.xml
http://www.infoworld.com/articles/hn/xml/00/05/19/000519hnoutlookissues.xml



Jim McCoy wrote:
>
> Thanks Mark,
>
> I hope I didn't unnecessarily waste your time today.
> I was curious about the message and did some poking around to see what it
> did to my system.  When I looked into what types of files were accessed and
> saw they were all related to mail and internet access I thought it best to
> alert people quickly.
> Especially when I saw that it went through my HP-3000L folder.
>
> I'm not as rattled as I was when the first alert went out.
>
> I don't want to get emails from hundreds of people asking if their IP
> Address was involved.  But if anyone knows how to look up the owner of an IP
> Address (like a whois on a URL) I will do that and contact those individuals
> just in case.
>
> I am reasonably sure that there was no actual transfer of data though.
>
> Jim Mc Coy
>
> ----- Original Message -----
> From: Mark Bixby <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Monday, May 22, 2000 3:11 PM
> Subject: Re: OT: Suspected hacker attack - Can anyone advise?
>
> > You can safely view the message as I received it at:
> >
> > http://www.bixby.org/mark/howareyou.txt
> >
> > The first thing to notice is the javascript code beginning with
> > "<script>".  This creates a new window of 1 pixel in size that executes
> > the specified CGI.  There should be no reason to do a 1 pixel window
> > unless you have something to hide.  Because I unfortunately had
> > Javascript enabled for my Netscape Communicator 4.73 e-mail, this did
> > open a new window for me, but it was bigger than one pixel.  I didn't see
> > any content in that window, so I immediately closed it.  I have just
> > disabled Javascript for e-mail.
> >
> > When I view that javascript CGI URL directly from a browser, it does a
> > redirect to some music-oriented web page.  If I view source on it, I
> > don't see anything blatantly evil.
> >
> > If I manually view the other URLs in the bottom of the message, they all
> > do similar redirects to pages in Chinese.  Again, by doing View Source on
> > them, I don't see anything blatantly evil.
> >
> > Now it's quite possible that these redirecting CGIs can detect if you're
> > running Outlook and then do something evil.  So I'm not willing to
> > forward this message over to my Outlook mailbox.  ;-)
> >
> > If I try to view any of these URLs with MSIE5, it goes into an
> > auto-update mode trying to download additional browser components.  At
> > this point, I do Ctrl-Alt-Del and then "End task" to prevent any further
> > action.  It's possible this is to deal with Chinese character sets, but
> > I'm not willing to find out.
> >
> > - Mark B.
> >
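
The pattern Mark describes above, a `<script>` block in an HTML mail that calls `window.open()` on a CGI URL with a 1-pixel window, is easy to flag mechanically before a mail client ever renders the message. The scanner below is an added example written for this archive page; it is not code from the original thread, from Mark Bixby, or from the message he received. It pulls every `<script>` block out of an HTML body, extracts the `window.open()` calls, parses the feature string, and reports which pop-ups are too small to be seen (the 10-pixel threshold and the sample message, including the `example.invalid` host, are constructed assumptions for the example).

```javascript
// Added example (not from the original thread): flag HTML e-mail bodies that
// open tiny pop-up windows from <script> blocks. The message below is
// constructed for this example; the host example.invalid is a placeholder.
const sampleHtmlMail = `
<html><body>
<p>How are you? Check out these sites!</p>
<script>
window.open("http://example.invalid/cgi-bin/track.cgi?id=42", "w", "width=1,height=1");
</script>
<a href="http://example.invalid/music">music</a>
</body></html>`;

// Assumption: a window this small (or smaller) is not meant to be seen.
const TINY_PX = 10;

// Return the body of every <script>...</script> block in the HTML.
function extractScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Parse a window.open feature string such as "width=1,height=1,toolbar=no"
// into an object keyed by lowercase feature name.
function parseFeatures(featureStr) {
  const f = {};
  for (const part of featureStr.split(",")) {
    const [k, v] = part.split("=").map((s) => s.trim());
    if (k) f[k.toLowerCase()] = v === undefined ? true : v;
  }
  return f;
}

// Find every window.open(...) call in a script and pull out its string
// literal arguments: URL, window name, feature string.
function findWindowOpens(script) {
  const callRe = /window\.open\s*\(([^)]*)\)/gi;
  const strRe = /(['"])((?:\\.|(?!\1).)*)\1/g;
  const calls = [];
  let m;
  while ((m = callRe.exec(script)) !== null) {
    const args = [];
    let s;
    while ((s = strRe.exec(m[1])) !== null) args.push(s[2]);
    calls.push({
      url: args[0] || "",
      name: args[1] || "",
      features: parseFeatures(args[2] || ""),
    });
  }
  return calls;
}

// A pop-up is "hidden" when both width and height are given and tiny.
function isTinyWindow(features) {
  const w = parseInt(features.width, 10);
  const h = parseInt(features.height, 10);
  return Number.isFinite(w) && Number.isFinite(h) && w <= TINY_PX && h <= TINY_PX;
}

// Scan an HTML mail body: count script blocks (Mark's fix was to disable
// JavaScript for mail entirely) and list every pop-up with its target URL.
function scanHtmlMail(html) {
  const scripts = extractScripts(html);
  const popups = [];
  for (const script of scripts) {
    for (const call of findWindowOpens(script)) {
      popups.push({
        url: call.url,
        width: call.features.width,
        height: call.features.height,
        hidden: isTinyWindow(call.features),
      });
    }
  }
  return { scriptBlocks: scripts.length, popups };
}

// Usage: print the findings for the constructed sample.
console.log(JSON.stringify(scanHtmlMail(sampleHtmlMail), null, 2));
```

Anything `scanHtmlMail` reports with `hidden: true` deserves the treatment Mark gave it: do not let the mail client execute it, and examine the target URL from a throwaway browser or with a plain `curl`-style fetch rather than a client that can be fingerprinted and redirected.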
