Full Disclosure mailing list archives
Re: new internet explorer exploit (was new worm)
From: Jelmer <jkuperus () planet nl>
Date: Tue, 30 Mar 2004 13:00:29 +0200
And even that small measure of warning is trivially defeated if I change the URL in my exploit.htm from

ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

to

ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm

It gives no warning whatsoever, proving once again that you shouldn't solely rely on virus scanners. Though others might do a better job, I can't imagine anyone doing it worse.

----- Original Message -----
From: "Void" <void () sect net>
To: "Jelmer" <jkuperus () planet nl>; <full-disclosure () lists netsys com>; <bugtraq () securityfocus com>
Sent: Monday, March 29, 2004 9:15 PM
Subject: Re: new internet explorer exploit (was new worm)

Just wanted to add that Norton Anti-Virus 2004 will detect this exploit and pop up a warning, but also fails to halt its execution or protect the user in any way. Here is what it thinks it is:

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html

So there is some measure of warning, but no real protection.

At 04:35 PM 3/29/2004 +0200, Jelmer wrote:

The code used by this worm to exploit its users is at least partly (I think) new; the vulnerability it abuses has AFAIK not been published on either bugtraq or full-disclosure, possibly making it (one of?) the first worms to totally catch people off guard. It allows a malicious person to take any action on the PC of an unsuspecting user who views a specially prepared page.

The known ingredient it uses is: http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/1758.html, which has gone unpatched for over 5 months now. The remainder of the exploit manages to confuse this same adodb.stream object enough to make it think it's being run from a local location.

You can protect yourself against it by running http://ip3e83566f.speed.planet.nl/hacked-by-chinese/fix.reg

I attached sample code myself to illustrate the problem, because http-equiv's was messy :) This one should be more straightforward to use.

Instructions:
1. unzip
2. overwrite exploit.exe with the executable you wish to run, or leave it untouched if you want to see some nice texturemapped rotation
3. upload the files to a webserver
4. view exploit.htm

Tested on WinXP Pro, all patches. The lazy ones among you can also view a demonstration here: http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
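Jelmer's point above is that the scanner keys on the literal URL string, so a cosmetic change to it produces no warning at all. As an added example (not code from this thread, from Symantec, or from any product mentioned in it), here is a small Python checker that extracts URL-bearing attributes from markup and normalises each value (HTML character references, percent-encoding, embedded whitespace, letter case) before testing whether it is routed to a CHM protocol handler, beside a literal substring match that stands in for a byte-pattern signature. The `${PATH}` placeholder is kept from the thread; the sample HTML and the specific rewrites shown (upper-casing, percent-encoding, a character reference) are constructed assumptions, since the exact change Jelmer made is not preserved in the archive.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Protocol handlers that hand a URL to the CHM (ITSS) engine. ms-its: is the one
# used in the thread; its: and mk:@MSITStore: are the other well-known aliases.
CHM_SCHEMES = ("ms-its:", "its:", "mk:@msitstore:")

# Attributes whose value is a URL the browser will follow or embed.
URL_ATTRS = {"href", "src", "action", "data", "codebase"}


class _UrlCollector(HTMLParser):
    """Collect every URL-bearing attribute value. HTMLParser decodes HTML
    character references in attribute values, so &#109;s-its: arrives as ms-its:."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in URL_ATTRS and value:
                self.urls.append(value)


def normalize_url(url):
    """Canonicalise before matching: undo percent-encoding (twice, to catch
    %25-style double encoding), drop whitespace/control characters, lower-case."""
    decoded = unquote(unquote(url))
    stripped = re.sub(r"[\x00-\x20]", "", decoded)
    return stripped.lower()


def is_chm_url(url):
    """True if the normalised URL is dispatched to a CHM protocol handler."""
    return normalize_url(url).startswith(CHM_SCHEMES)


def find_chm_urls(html):
    """Return the raw attribute values in html that resolve to a CHM handler."""
    collector = _UrlCollector()
    collector.feed(html)
    return [u for u in collector.urls if is_chm_url(u)]


def count_naive_hits(html):
    """Literal, case-sensitive substring match on the raw markup, standing in
    for a signature that only knows one spelling of the URL."""
    return len(re.findall(r"ms-its:mhtml:", html))


# Constructed sample: one ordinary link and four spellings of the same CHM URL.
SAMPLE_HTML = r"""
<html><body>
<a href="http://example.test/page.htm">ordinary link</a>
<iframe src="ms-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm"></iframe>
<iframe src="MS-ITS:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm"></iframe>
<iframe src="ms%2Dits:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm"></iframe>
<a href="&#109;s-its:mhtml:file://C:\foo.mht!${PATH}/EXPLOIT.CHM::/exploit.htm">help</a>
</body></html>
"""

if __name__ == "__main__":
    print("literal signature hits:", count_naive_hits(SAMPLE_HTML))  # 1
    for url in find_chm_urls(SAMPLE_HTML):  # all four variants
        print("CHM handler URL:", url)
```

The literal match fires once, on the spelling it was written for; the normalised check flags all four variants because it compares the scheme the browser will actually dispatch on, not the bytes as typed. The same normalise-then-match structure is what a proxy or mail gateway filter needs if it is to block a handler rather than one encoding of it.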