On 2005-01-06, andrewsmith@[EMAIL PROTECTED] <andrewsmith@[EMAIL PROTECTED]> wrote:
> Assasination of President Bush
>
> Today two CNN re****ters ...
TROJAN LOADER in http://mendel. home. comcast .net (HTML help exploit)
TROJAN in http://mitchell. home. comcast .net (backdoor trojan, W32/Backdoor.LU)
=============================
Well, remember paddy.home.comcast.net and the spam for:
"Santa Claus as you have never seen him!"
This is precisely the same (except for the obfuscation
of the location of the trojan which is actually installed).
What we have here is:
15 lines of nothing much.
213 blank lines
an HTML help exploit.
(short version)
---------------
This exploit uses hhctrl.ocx to write out a file
"MicrosoftOffice.hta" to your startup group.
That runs when next you reboot the computer and
contains VBScript to get the file
http://mitchell.home.comcast.net/xp.exe
and save as "OfficeOSA.exe" in your startup group.
(18976 bytes in size)
On the next boot this runs.
F-prot flags it as the backdoor trojan W32/Backdoor.LU.
So if you have an 18976 byte file named OfficeOSA.exe
in your startup group, do NOT reboot until you move
it elsewhere so you can check it - or delete it.
The same goes for a file named MicrosoftOffice.hta
in your startup group.
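
A check for the two file indicators named above, as an added example that is not part of the original post: it looks in startup folders for "MicrosoftOffice.hta" and "OfficeOSA.exe" and reports whether the executable has the 18976-byte size. The function names and the default folder paths (the per-user and all-users Startup folders on current Windows) are assumptions, not taken from the post.

```python
import os
from pathlib import Path

# Indicators taken from the post: the two file names written to the startup
# group and the reported size of the downloaded executable.
HTA_NAME = "microsoftoffice.hta"
EXE_NAME = "officeosa.exe"
EXE_SIZE = 18976


def default_startup_dirs(env=os.environ):
    """Assumed startup-group locations on current Windows (not from the post)."""
    dirs = []
    for var in ("APPDATA", "ProgramData"):
        base = env.get(var)
        if base:
            dirs.append(Path(base) / "Microsoft" / "Windows"
                        / "Start Menu" / "Programs" / "Startup")
    return dirs


def scan_startup(dirs):
    """Return (path, reason) for each startup entry matching the indicators."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue  # folder absent on this system
        for entry in sorted(d.iterdir()):
            if not entry.is_file():
                continue
            name = entry.name.lower()  # Windows file names are case-insensitive
            if name == HTA_NAME:
                findings.append((entry, "HTA loader name from the post"))
            elif name == EXE_NAME:
                size = entry.stat().st_size
                reason = ("name and 18976-byte size match" if size == EXE_SIZE
                          else f"name matches, size {size} differs")
                findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    for path, reason in scan_startup(default_startup_dirs()):
        print(f"SUSPECT {path}: {reason} -- move or delete before rebooting")
```

A size mismatch is still reported, since the name alone is enough reason to inspect the file before the next boot.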
(long version)
-------------
Posted to nanas (news.admin.net-abuse.sightings)
6 January 2005
Subject: [usenet] TROJAN (W32/Backdoor.LU): President Bush Assasinated
>From: spamless@[EMAIL PROTECTED]