Full Disclosure mailing list archives

Re: Old Hack?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 04 Feb 2004 00:26:46 +1300

Steffen Kluge <kluge () fujitsu com au> replied to "axid3j1al":

> > Has anyone seen this little code injection hack?
> >
> > Is this old?
>
> According to Trend AV, this is JS_PETCH.A, first discovered 6-Nov-2003.

And you _believe_ that??

That is a totally bogus name/detection.

What Trend wants to tell you is that the code is an attempt to exploit 
the ADODB bug in IE, whereby you could overwrite arbitrary local files. 
The first (?) PoC publicly posted contained code very like what was 
posted here, replacing WMP and then trying to launch something that 
would, on a default Windows install, cause the replaced WMP to be 
executed.

To name a detection for a generic "attempt to exploit a vulnerability" 
as if it were a specific, individual entity (as suggested by the name 
you cite) is somewhere well south of utterly bogus...

However, I agree it is an old exploit.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

