funsec mailing list archives

Re: Britney Spears helps spread malware


From: Axel Pettinger <api () worldonline de>
Date: Thu, 12 Apr 2007 01:15:33 +0200

It seems that a new variant of that malware is out there. The detection
rate is as usual quite low at the moment. The "exact" identifications
are probably misdetections ...

Subject (of the mail I've received): Hot pictures of paris hilton nude 
From: Nude jennajameson.com

The mail loads a picture of Jenna Jameson, not Paris Hilton - and not
really nude.

In connection with the code which is loaded (from one of at least five
web sites) after clicking on the image, McAfee reports an
"Exploit-MS06-006.gen trojan"[1].

VirusTotal results:

Antivirus          Version         Update       Result
AhnLab-V3          2007.4.12.0     04.11.2007   no virus found
AntiVir            7.3.1.50        04.11.2007   TR/Agent.36864
Authentium         4.93.8          04.11.2007   no virus found
Avast              4.7.936.0       04.11.2007   Win32:Small-ESE
AVG                7.5.0.447       04.11.2007   no virus found
BitDefender        7.2             04.12.2007   no virus found
CAT-QuickHeal      9.00            04.11.2007   (Suspicious) - DNAScan
ClamAV             devel-20070312  04.11.2007   no virus found
DrWeb              4.33            04.11.2007   no virus found
eSafe              7.0.15.0        04.11.2007   no virus found
eTrust-Vet         30.7.3560       04.11.2007   no virus found
Ewido              4.0             04.10.2007   no virus found
FileAdvisor        1               04.12.2007   no virus found
Fortinet           2.85.0.0        04.11.2007   suspicious
F-Prot             4.3.1.45        04.11.2007   no virus found
F-Secure           6.70.13030.0    04.11.2007   no virus found
Ikarus             T3.1.1.5        04.11.2007   no virus found
Kaspersky          4.0.2.24        04.11.2007   no virus found
McAfee             5006            04.11.2007   no virus found
Microsoft          1.2405          04.11.2007   no virus found
NOD32v2            2182            04.11.2007   no virus found
Norman             5.80.02         04.11.2007   no virus found
Panda              9.0.0.4         04.11.2007   no virus found
Prevx1             V2              04.12.2007   no virus found
Sophos             4.16.0          04.11.2007   no virus found
Sunbelt            2.2.907.0       04.07.2007   no virus found
Symantec           10              04.11.2007   no virus found
TheHacker          6.1.6.088       04.09.2007   no virus found
VBA32              3.11.3          04.10.2007   no virus found
VirusBuster        4.3.7:9         04.11.2007   no virus found
Webwasher-Gateway  6.0.1           04.11.2007   Trojan.Agent.36864

Additional Information
File size: 36864 bytes
MD5: 83e05625144d3912892e9b2a462b9c7d
SHA1: 1defc467ffbd61ec4b586e358c3db189c0a856f3

Regards,
Axel Pettinger

[1] http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx


-------- Original Message --------
Subject: RE: [funsec] Britney Spears helps spread malware
Date: Tue, 3 Apr 2007 10:54:02 -0700
From: "Hubbard, Dan" <dhubbard () websense com>
To: "Larry Seltzer" <Larry () larryseltzer com>,
<rms () computerbytesman com>,"FunSec [List]" <funsec () linuxbox org>
References:
<005301c7760f$c7107500$55315f00$@com><0273B67044957C41BD71D12EBA2E00AE0FD36A@becca.LarrySeltzer.local>

Yup, all URLs end in indeXXX.htm(l)

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Larry Seltzer
Sent: Tuesday, April 03, 2007 10:11 AM
To: rms () computerbytesman com; FunSec [List]
Subject: RE: [funsec] Britney Spears helps spread malware

It's the ANI: 

Tuesday, April 03, 2007 11:48 AM/EST
ANI Exploit Tries the 'Hot Pictures of Britiney Speers' Shtick

Spam promising "Hot Pictures of Britiney Speers [sic]" is linking to sites
hosting the Windows ANI exploit, Websense discovered today. The e-mail,
coming from "Nude BritineySpeers.com," is written in HTML...
http://securitywatch.eweek.com/browsers/ani_exploit_tries_the_hot_pictures_of_britiney_speers_shtick.html

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

