Help Needed - New Exploit? Trojan auto-downloaded with latest IE, Norton doesn't recog.

  • Thread starter Thread starter Getter
  • Start date Start date
G

Getter

Earlier tonight, I received the following e-mail (edited IP)

---
Hello,

I have received several SPAM emails promoting your services.
Customer service does not seem to care about my complaints,
I hope you take immediate action against this abusive user.

I've put up a copy of the email with complete headers here:
http://64.252.XXX.XXX/abuse.html

Regards,
Alex
---

The web page in question shows a spam e-mail, but then Norton popped
up two windows; one with an embedded script warning, two with
notification that Trojan.Progent had been found on my machine (in the
Temporary Internet Files folders).

After shutting down, I moved the hard drive over to another machine
and did some checking. There's a .hta file in the Temp. Int. Files
directories that Norton does not recognize, but is clearly a trojan.
It's a VBS that downloads a file "systemf.exe" from an FTP site (the
same one the trojan was hosted on). I found systemf.exe on my
machine, confirming that the script did run.

My MSIE is 6.0.2800.1106 _with_ 822925, the most recent security
patch. Norton does not recognize the .hta file or the downloaded
executable.

As you might imagine, I have no idea how much damage has been done (if
any), or, more importantly, how my machine was hit with this. I could
really use some quick advice. Please follow-up to the group, as I
have no mail right now.
 
Getter said:
Earlier tonight, I received the following e-mail (edited IP)

---
Hello,

I have received several SPAM emails promoting your services.
Customer service does not seem to care about my complaints,
I hope you take immediate action against this abusive user.

I've put up a copy of the email with complete headers here:
http://64.252.XXX.XXX/abuse.html

Regards,
Alex
---
Click to expand...

I've seen an increase in the use of this type of thing recently.

Basically you access a webpage and IE will try to download a .hta file
(or if you aren't patched it will download and run the .hta file). This
will then either create a new file on the fly and/or download more files
from the net.

MS03-032 (822925) should patch this vulnerability and not allow the
files to run automatically. It will however cause a "File open/save"
window to appear. There has been an advisory from Microsoft about more
similar issues to the ones patched in MS03-032 that they're
investigating, but apparently (perhaps) they aren't being actively used.

Try sending a copy of the files with a brief description to
(e-mail address removed).
 
My system did have that latest IE patch, yet still auto-ran the script which
downloaded the virus/trojan/worm/whatever.

Sent the virus to Symantec/McAfee/Trend Micro, hopefully it'll get a good
once-over and I can find out what damage it caused.

Even following best available security practices, my machine was hit hard
with this thing. Nothing to do now but wait until morning and see if it's
big or not.
 
Earlier tonight, I received the following e-mail (edited IP)

---
Hello,

I have received several SPAM emails promoting your services.
Customer service does not seem to care about my complaints,
I hope you take immediate action against this abusive user.

I've put up a copy of the email with complete headers here:
http://64.252.XXX.XXX/abuse.html

Regards,
Alex
---

The web page in question shows a spam e-mail, but then Norton popped
up two windows; one with an embedded script warning, two with
notification that Trojan.Progent had been found on my machine (in the
Temporary Internet Files folders).

After shutting down, I moved the hard drive over to another machine
and did some checking. There's a .hta file in the Temp. Int. Files
directories that Norton does not recognize, but is clearly a trojan.
It's a VBS that downloads a file "systemf.exe" from an FTP site (the
same one the trojan was hosted on). I found systemf.exe on my
machine, confirming that the script did run.

My MSIE is 6.0.2800.1106 _with_ 822925, the most recent security
patch. Norton does not recognize the .hta file or the downloaded
executable.

As you might imagine, I have no idea how much damage has been done (if
any), or, more importantly, how my machine was hit with this. I could
really use some quick advice. Please follow-up to the group, as I
have no mail right now.
Click to expand...


http://securityresponse.symantec.com/avcenter/venc/data/trojan.progent.html
should get you started at least

Could we have the entire correct URL please? This is Usenet not AOL.


Carol
 
Roy said:
That link is perfectly correct, complete, and should work with any
browser.

Did you try it before posting?
Click to expand...

With all of those X's, why would anyone expect it to work?

....and no, it doesn't.
 
Michael Cecil said:
http://securityresponse.symantec.com/avcenter/venc/data/trojan.progent.html
works fine for me. You talking about another URL?
Click to expand...

Yes, the one mzlindyone was requesting that the OP could post since
this is usenet not AOL

http://64.252.xxx.xxx/abuse.html

The one that you just posted is the one that mzlindyone provided.

Roy didn't see the irony in his asking if mzlindyone tried the url
he or she provided in the self same post. I wanted to point out
what I thought mzlindyone must have been referring to.
 
Roy said:
Thank you, that's the one *I* was talking about too.

At least two of us round here are still sane.....
Click to expand...

Err...but *that* was the one that mzlinyone posted, why would
mzlindyone complain about that one being unuseable?

....well...I guess sanity is a relative term...
 
Err...but *that* was the one that mzlinyone posted, why would
mzlindyone complain about that one being unuseable?
Click to expand...

Quite so.

I hereby promise to take the time in the future to be sure my posts
require no deductive reasoning at all. Ghod forbid anyone should have
to *think*.

Carol
 
Back
Top