[Emerging-Sigs] favicon's as executables

RPG inittab at jtan.com
Wed Jan 14 16:53:45 EST 2009


We have seen a few instances of favicon.ico's coming down as executable 
files. In all instances so far the server reports "404 Not Found" 
when the browser requests the favicon.ico file, yet it serves this little 
binary instead:

DST: HTTP/1.1 404 Not Found
DST: Content-Length: 17416
DST: Content-Type: application/x-msdownload
DST: Server: Microsoft-IIS/6.0
DST: X-Powered-By: ASP.NET
DST: Date: Wed, 14 Jan 2009 21:20:27 GMT
DST:
DST: 
MZ...................... at ...............................................!..L.!Th

$ file favicon.ico
favicon.ico: PE executable for MS Windows (DLL) (console) Intel 80386 32-bit

$ md5sum favicon.ico
74e81a65879ffe881a7af525a0254ad8  favicon.ico

Here's an example URL if you're curious:
http://wwwDOTnjcarbuyerDOTcom/favicon.ico
Download it safely and of course replace the DOT's.  :)

Virustotal comes up empty and so does threatexpert.com
http://www.virustotal.com/analisis/4257c88c85ff4c4ef4fb495e06c7661a
http://threatexpert.com/report.aspx?md5=74e81a65879ffe881a7af525a0254ad8

Can someone shed light on this little mystery?  TIA

RPG
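
Added example, not part of the original post: a small Python check for the pattern described above, a favicon.ico request answered with an error status and executable Content-Type while the body is a PE file. The function names, finding labels and sample responses are constructed for illustration; the sample body is a zero-padded stub, not the file from the post.

```python
import struct

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def is_pe(body: bytes) -> bool:
    """True if body has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def check_favicon(path: str, raw: bytes):
    """Return findings for a response to a favicon.ico request."""
    findings = []
    if not path.lower().endswith("favicon.ico"):
        return findings
    status, headers, body = parse_response(raw)
    if is_pe(body):
        findings.append("pe-body")
        if status >= 400:
            # Error status, but an executable payload is attached anyway.
            findings.append("error-status-with-executable")
    if headers.get("content-type", "").startswith("application/x-msdownload"):
        findings.append("executable-content-type")
    return findings

def _constructed_pe(size: int) -> bytes:
    """Constructed stub: MZ header, e_lfanew=0x40, PE signature, zero padding."""
    stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return stub.ljust(size, b"\x00")

# Constructed sample mirroring the headers quoted in the post.
SUSPICIOUS = (b"HTTP/1.1 404 Not Found\r\nContent-Length: 17416\r\n"
              b"Content-Type: application/x-msdownload\r\n"
              b"Server: Microsoft-IIS/6.0\r\n\r\n" + _constructed_pe(17416))
# Constructed ordinary 404 for comparison.
BENIGN = (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
          b"<html><body>Not Found</body></html>")

if __name__ == "__main__":
    print(check_favicon("/favicon.ico", SUSPICIOUS))
    print(check_favicon("/favicon.ico", BENIGN))
```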


