Bugtraq mailing list archives
Re: AIM Password theft
From: "http-equiv () excite com" <1 () malware com>
Date: Wed, 24 Sep 2003 18:44:47 -0000
<!--
Out of curiosity I followed that link which loaded start.html (attached).
-->

Caution: off-site archives will and have already stored this as:

text/plain attachment: start.txt

Tested on neohapsis
[http://archives.neohapsis.com/archives/bugtraq/2003-09/0375.html]

Due to the 'never-addressed-mime-issue' of Internet Explorer reading even dog poo as html, opening start.txt will effect the exploit partially. Namely:

C:\Program Files\Windows Media Player\wmplayer.exe

will be overwritten by simply viewing the attached text file.

It is apparent the original intended payload .exe is no longer at the location, but the wmplayer.exe is still overwritten with a 1KB wmplayer.exe containing the following:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /eg/1.exe was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at onway.net Port 80</ADDRESS>
</BODY></HTML>

--
http://www.malware.com
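
The archive-side problem raised in the message above (an HTML file stored as a text/plain attachment and rendered by a sniffing browser), as an added example that is not part of the original post. The function names, the tag list and the header policy are assumptions made for this sketch, and the `X-Content-Type-Options: nosniff` header postdates this 2003 message.

```python
import re

# Tags taken as a sign that sniffing may render the bytes as HTML.
# Assumption: a simplified heuristic, not Internet Explorer's real algorithm.
HTML_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|object|title|h1|a|img|table)\b",
    re.IGNORECASE,
)

# The 404 body quoted in the post (abridged), which replaced wmplayer.exe.
NOT_FOUND_PAGE = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<HTML><HEAD>\n'
    b"<TITLE>404 Not Found</TITLE>\n</HEAD><BODY>\n<H1>Not Found</H1>\n"
    b"The requested URL /eg/1.exe was not found on this server.<P>\n</BODY></HTML>\n"
)
# Constructed, harmless stand-in for an HTML file archived with a .txt name.
HTML_AS_TEXT = b"notes from the list\n<html><body><h1>hello</h1></body></html>\n"


def looks_like_html(data: bytes) -> bool:
    """Scan the whole body so markup placed after a plain-text preamble is caught."""
    return HTML_MARKERS.search(data) is not None


def attachment_headers(filename: str, data: bytes) -> dict:
    """Response headers an archive could use when serving a stored attachment."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # honoured only by later browsers
    }
    if looks_like_html(data):
        # Force a download instead of inline display for markup-bearing text.
        safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


def exe_replaced_by_html(data: bytes) -> bool:
    """True when a file expected to be a Windows executable lacks the 'MZ'
    magic and holds HTML instead, as with the overwritten wmplayer.exe."""
    return not data.startswith(b"MZ") and looks_like_html(data)


if __name__ == "__main__":
    print(attachment_headers("start.txt", HTML_AS_TEXT))
    print(exe_replaced_by_html(NOT_FOUND_PAGE))
```
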