[Brought to you by Lorna Hutcheson and Tom Liston]
We received several reports of an email circulating with links to a news article that came with a surprise if you followed them. DO NOT GO TO THE FOLLOWING LINKS, or any others from this site that may be sent to you!!!
http://www.jsnvowe.vbnnews.comd
http://www.iepwls.vbnnews.comd
http://www.jxdg.vbnnews.comd
http://www.nevkbq.vbnnews.comd
** NOTE: I have added the “d” at the end of each URL, because the dang GS editor will not let me remove the link…I did not want folks to click on it and get infected with a worm. In other words, the URLs without the “d” are legit hacker sites.**
** (Kaleem)**
Each of the emails seems to have different links in it, but they are all associated with the same site.
The subject of the email is “Iraq Bombinng - 140 marines killed” or something similar to it. Yes, the misspellings are from the actual email, and there are many other discrepancies and misspellings in the version that we have seen. We received several reports, but only one person sent the actual email for us to look at. The misspellings alone are a big indicator that something is not right. If you follow the links, you get taken to a news article that has obviously been modified and pieced together. For example, it says 140 Marines were killed; the actual news article, found by googling for it, gives 14 as the number killed. (Not in any way making light of the numbers or the loss, just pointing out the discrepancy.)
Once you click on the link, you get their news article, but you also set off a series of events that require no further interaction from the user.
First off, there is an exploit on the page that takes advantage of MS05-001 (Vulnerability in HTML Help Could Allow Code Execution), which is just another cross-domain scripting vulnerability. This lets the page fetch a file called ppp.hta from their website and launch it on your local hard drive. The HTA then creates a file called netlog.exe, which appears to be launched from your local hard drive using a combination of the ActiveX FileSystemObject and Shell objects. Netlog.exe then goes and gets another file called win32sba.exe, which is a Robobot variant. At that point your system can be used for whatever malicious intent the folks who set up this scheme had in mind.
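As an added example (not part of this diary and not the handlers' code), here is a small Python triage script covering the two things described above: it pulls the URLs out of an email body and groups the hostnames by parent domain, so that several random-looking hosts under one domain (the pattern in the reported mails) stand out, and it scans fetched page content for the dropper artefacts named in the chain above (an HTML Help trigger, a .hta reference, Scripting.FileSystemObject and WScript.Shell). The sample email body and page content are constructed for the example, the parent-domain rule is a deliberate “last two labels” simplification, and the indicator patterns are only the strings the diary mentions, not a signature for the real page.

```python
"""Triage helpers for a mass-mailed link-to-drive-by campaign.

Added example for this diary, not the handlers' code. Two checks:
  1. Extract URLs from an email body and group the hosts by parent
     domain, so many hostnames under one domain stand out.
  2. Scan page content for the HTA-dropper indicators named in the
     diary: an HTML Help (MS05-001 style) trigger, a .hta reference,
     Scripting.FileSystemObject and WScript.Shell.
All sample data below is constructed; nothing is fetched from the network.
"""
import re
from collections import defaultdict

URL_RE = re.compile(r'https?://[^\s<>"\']+')


def extract_urls(text):
    """Return the URLs found in free text, with trailing punctuation stripped."""
    return [u.rstrip('.,;)') for u in URL_RE.findall(text)]


def host_of(url):
    """Lower-cased hostname of a URL (scheme, path and port removed)."""
    return re.sub(r'^https?://', '', url).split('/')[0].split(':')[0].lower()


def parent_domain(host):
    """Last two labels of a hostname.  Simplification (assumption): it does
    not know public suffixes such as co.uk, which is fine for .com hosts."""
    labels = host.split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host


def hosts_by_parent(urls):
    """Map parent domain -> sorted list of the distinct hostnames under it."""
    groups = defaultdict(set)
    for u in urls:
        h = host_of(u)
        groups[parent_domain(h)].add(h)
    return {p: sorted(hs) for p, hs in groups.items()}


def suspicious_parents(urls, min_hosts=2):
    """Parent domains that appear under at least min_hosts different hostnames."""
    return {p: hs for p, hs in hosts_by_parent(urls).items() if len(hs) >= min_hosts}


# Indicator patterns: only the artefacts the diary names, case-insensitive.
INDICATORS = {
    'html_help': re.compile(r'showHelp\s*\(|hhctrl\.ocx|ms-its:', re.I),
    'hta': re.compile(r'\.hta\b', re.I),
    'fso': re.compile(r'Scripting\.FileSystemObject', re.I),
    'shell': re.compile(r'WScript\.Shell|Shell\.Application', re.I),
}


def scan_page(html):
    """Sorted names of the indicators present in the page content."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(html))


def verdict(found):
    """Coarse verdict: a .hta reference together with file-system or shell
    automation is the dropper pattern; any other hit is only worth a look."""
    s = set(found)
    if 'hta' in s and (s & {'fso', 'shell'}):
        return 'hta-dropper'
    return 'review' if s else 'clean'


# Constructed sample email body (not the real message).
SAMPLE_EMAIL = """Subject: Iraq Bombinng - 140 marines killed
Full story: http://www.jsnvowe.vbnnews.com/news.html
Video: http://www.iepwls.vbnnews.com/news.html.
Unrelated: http://www.example.org/index.html
"""

# Constructed sample page content showing the dropper artefacts (not the real page).
SAMPLE_PAGE = """<html><body><h1>140 Marines killed</h1>
<script>
var fso = new ActiveXObject("Scripting.FileSystemObject");
var sh = new ActiveXObject("WScript.Shell");
var drop = "ppp.hta";
</script>
</body></html>"""

if __name__ == '__main__':
    print('link clusters:', suspicious_parents(extract_urls(SAMPLE_EMAIL)))
    hits = scan_page(SAMPLE_PAGE)
    print('indicators:', hits, '->', verdict(hits))
```

Run against a saved copy of a suspicious page (never a live fetch from an unknown host), the indicator hits are the cue to pull the referenced .hta and the dropped executables into a sandbox for analysis.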
The moral of this story is…Don’t follow the link!!!