0x01 trojan update ( host), openssl proof of concept exploit, HP mystery ssh patch

0x01 trojan

A user submitted a fake e-mail that uses the %01 (0x01) MSIE URL display bug to trick
the recipient into downloading a Trojan. MSIE stops displaying a URL at a 0x01 character,
so a link of the form http://trusted-looking-text%01@real-host/ shows only the
trusted-looking part in the address and status bar while the browser connects to real-host.

The virus spreading this e-mail is smart enough to tailor the 'From' address
to match the user's domain. So, for example, if your e-mail address is '', the From address will read: 's Virus Department.
The fake URL consists of '' followed by the 0x01 character and a randomized URL, so in MSIE it shows up as '' and appears to point at the user's own domain.
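As an added illustration of the display trick described above (this is example code, not code from the diary; the message text, the example.com name and the 10.0.0.1 address are constructed), the following Python scans URLs in an e-mail body for userinfo that contains a control character such as 0x01 before the '@', and reports the host a pre-patch MSIE would have displayed next to the host that is actually contacted. It generalizes slightly beyond the diary: it catches any C0 control character, not only 0x01, in both raw and %-encoded form, and leaves ordinary user:password@host links alone.

```python
import re
from urllib.parse import urlsplit, unquote

# http/https URLs in message text. Raw control bytes are not whitespace, so an
# embedded 0x01 stays inside the match just as it stays inside the real link.
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def analyze_url(url):
    """Compare the host a pre-patch MSIE would show with the host really contacted.

    MSIE stopped rendering the URL at a 0x01 character, so in
    http://<trusted-looking-text>%01@<real-host>/... only the text before the
    0x01 was displayed, while the part after '@' is what the browser fetched from.
    """
    decoded = unquote(url)  # %01 becomes the raw 0x01 byte the browser acted on
    cut = next((i for i, ch in enumerate(decoded) if ord(ch) < 0x20), None)
    displayed = decoded if cut is None else decoded[:cut]

    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    real_host = (parts.hostname or "").lower()
    displayed_host = (urlsplit(displayed).hostname or "").lower()
    control_in_userinfo = any(ord(ch) < 0x20 for ch in unquote(userinfo))

    return {
        "url": url,
        "real_host": real_host,
        "displayed_host": displayed_host,
        # a legitimate user:pass@host URL carries no control character and is not flagged
        "spoofed": bool(at) and control_in_userinfo and displayed_host != real_host,
    }


def scan_message(text):
    """Return the analysis of every URL in a message body that looks like a 0x01 spoof."""
    return [r for r in (analyze_url(u) for u in URL_RE.findall(text)) if r["spoofed"]]


# Constructed sample message, modelled on the mail described in the diary
# (example.com and 10.0.0.1 are placeholders, not the real sender or host).
SAMPLE_MESSAGE = (
    "From: Virus Department <virus@example.com>\n"
    "Subject: Update your protection\n\n"
    "Download the update here:\n"
    "http://www.example.com%01@10.0.0.1/cgi-bin/update.cgi?id=8821\n"
    "Our support page: http://www.example.com/support/\n"
)

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MESSAGE):
        print(f"shown as {hit['displayed_host']!r} but fetched from "
              f"{hit['real_host']!r}: {hit['url']}")
```

The same check works as a mail-gateway filter: a URL whose userinfo contains a control character has no legitimate use and can be quarantined outright, whatever the browser on the receiving end.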

Likely in an effort to thwart attempts to capture the trojan and shut down the
site, the site uses multiple redirects and only delivers the trojan if the
visitor is using Microsoft Internet Explorer. JavaScript and CGI scripting are used to accomplish this.

The trojan is delivered only once to a given IP address, so a second fetch from the same address to capture a sample will fail. The final URL used
to download the trojan is http:/ / at this point, but it has been changing.

The ISP hosting this site,, was notified via e-mail to its abuse address and
replied that the virus had been removed. However, even after this reply was
received, the trojan was still accessible via this URL.

A phone call to the customer service department of was answered. The representative was not able to respond to the case and could not provide a phone contact for the abuse department.

Later today (early afternoon EST), the host was shut down. Another user reported
to us that a very similar URL was used at back in December 2003:

Back then, the e-mail claimed to include a "Gift Card from Sears".

OpenSSL POC exploit

Exploit code for the older ASN.1 vulnerability in OpenSSL has been posted to
various mailing lists. Please double-check that your OpenSSL installs are
current. Remember that some software does not use the dynamic library but
carries its own statically linked copy of OpenSSL; updating the shared library
does nothing for such software, which has to be recompiled against the new
version. Note that "openssl version" only reports the version of the
command-line tool, not of every program on the system that includes OpenSSL code.
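An added example (not code from the diary) of the check the paragraph asks for. Programs built with OpenSSL carry its version text (for example "OpenSSL 0.9.7a 19 Feb 2003") in the binary, while dynamically linked programs reference libssl.so/libcrypto.so and pick up the fixed shared library; scanning for those strings is the classic way to find copies that need a rebuild. The fix releases assumed here, 0.9.7c and 0.9.6k, are the first fixed releases of each branch as I recall them from the OpenSSL advisory for the ASN.1 bug; set FIXED from the advisory your vendor points you to. It is a heuristic: a binary that has had its strings removed will not be found this way.

```python
import re
import sys
from pathlib import Path

# First fixed release per branch, assumed here for the ASN.1 vulnerability;
# confirm against the OpenSSL / vendor advisory before relying on it.
FIXED = {"0.9.6": "0.9.6k", "0.9.7": "0.9.7c"}

# OPENSSL_VERSION_TEXT as compiled into libcrypto, e.g. b"OpenSSL 0.9.7a 19 Feb 2003"
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b")
# Shared-object names that a dynamically linked program references
SHARED_LIB_RE = re.compile(rb"lib(ssl|crypto)\.so")


def parse_version(text):
    """'0.9.7a' -> (0, 9, 7, 'a'); the letter sorts after the bare release ('' < 'a')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"not an OpenSSL 0.9.x-style version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def is_vulnerable(version):
    """True if version predates the fix for its branch, False if fixed, None if branch unknown."""
    major, minor, fix, _ = parse_version(version)
    fixed = FIXED.get(f"{major}.{minor}.{fix}")
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def scan_bytes(data):
    """Classify one file's contents: embedded OpenSSL copies and/or shared-library references."""
    versions = sorted({m[1].decode() for m in VERSION_RE.finditer(data)})
    return {
        "embedded_versions": versions,
        "dynamic_libssl": SHARED_LIB_RE.search(data) is not None,
        # a statically linked copy that predates the fix needs a rebuild, not a library update
        "vulnerable": any(is_vulnerable(v) for v in versions),
    }


def scan_paths(paths):
    """Walk files under paths and yield (path, result) for every file that mentions OpenSSL."""
    for root in paths:
        root = Path(root)
        if not root.exists():
            continue
        files = [root] if root.is_file() else (p for p in root.rglob("*") if p.is_file())
        for path in files:
            if path.is_symlink():
                continue
            try:
                result = scan_bytes(path.read_bytes())
            except OSError:
                continue
            if result["embedded_versions"] or result["dynamic_libssl"]:
                yield path, result


# Constructed stand-ins for a statically and a dynamically linked binary
SAMPLE_STATIC = b"\x7fELF...\x00OpenSSL 0.9.7a 19 Feb 2003\x00SSLv3 part of OpenSSL 0.9.7a\x00"
SAMPLE_DYNAMIC = b"\x7fELF...\x00libssl.so.0.9.7\x00libcrypto.so.0.9.7\x00"

if __name__ == "__main__":
    # Usage: python openssl_scan.py /usr/sbin /usr/local/sbin /opt
    for path, res in scan_paths(sys.argv[1:] or ["/usr/sbin", "/usr/local/sbin"]):
        status = "REBUILD" if res["vulnerable"] else ("dynamic" if res["dynamic_libssl"] else "ok")
        print(f"{status:8} {path}  {' '.join(res['embedded_versions'])}")
```

A file reported as "dynamic" with no embedded version is only as safe as the shared libssl/libcrypto it loads, so the shared library itself should be scanned too; a file reported as "REBUILD" embeds an old copy and will remain exploitable after a package update.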

HP Mystery SSH patch

HP released a patch for SSH on Tru64 UNIX. The patch does not state what vulnerability it fixes.

Johannes Ullrich, SANS Inst., jullrich at sans.org


Jan 17th 2004
