Security Incidents mailing list archives

RE: AIM-based worm?


From: "x x" <km1x () hotmail com>
Date: Fri, 27 Sep 2002 14:14:46 +0000

I dunno about the buddy list thing, but the inability to view the source in IE isn't surprising. Note that the HTML below contains a META refresh that redirects you to the .com file. Once this fires, the browser discards the HTML file containing the redirect and requests the .com file. When you cancel the download dialog and try to view source, there's nothing to see because the browser has no document loaded. If you turn off Meta refresh before hitting the page, you'd see the HTML page below, and could view the source.

 -K


A coworker of mine (Tim) recently found a buddy on his buddy list who he didn't know (JDogg786). When Tim sent a message to him/her, he got a response back "Hmmmm.. http://24.74.206.239:8180/"

When he clicked on the link, it took him to a page which redirected to a download of a file ending in .com, which he promptly alerted me to and did not run it.

I tried to go to this link, it tried to download the file. I hit cancel, then I tried to view the source of the page. From the View menu, or right clicking on the page, and clicking View Source, nothing happened.

I eventually got the source using wget, which is shown below.

Question 1: Is there a way a web page can add a buddy to your AIM list without your knowledge?

Question 2: How was I prevented from viewing the source of the HTML page in IE?

I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well for anyone who wants to look at it, just in case the above link does not work any more.


-- BEGIN SOURCE --

<html><head><title>Browser Plugin Requried</title><meta http-equiv="refresh" content="1; url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser Plugin Required:</h1><br>You may need to restart your browser for changes to take affect.<br>Security Certificate by <a href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: 9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose "Run" to install.</body></html>

-- END SOURCE --



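The redirect discussed in this thread can be spotted without a browser. The following is an added example, not part of the original messages: it parses saved HTML (such as the wget output above), extracts every META refresh target, and flags those that resolve to a directly executable file type. The function names and the extension list are assumptions made for this illustration; the sample input is a shortened copy of the source posted in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath

# Extensions Windows runs directly; an assumed, non-exhaustive list for this example.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

class RefreshFinder(HTMLParser):
    """Collects (delay, target) from every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "1; url=target"; a bare delay only reloads the page
        delay, _, rest = a.get("content", "").partition(";")
        key, _, target = rest.strip().partition("=")
        if key.strip().lower() == "url" and target.strip():
            self.refreshes.append((delay.strip(), target.strip().strip("'\"")))

def risky_refreshes(html, base_url):
    """Return refresh targets whose final path extension is executable."""
    finder = RefreshFinder()
    finder.feed(html)
    findings = []
    for delay, target in finder.refreshes:
        absolute = urljoin(base_url, target)
        # Only the last extension counts: "...bin.hx.com" is a .com program
        ext = posixpath.splitext(urlparse(absolute).path)[1].lower()
        if ext in EXECUTABLE_EXTS:
            findings.append({"delay": delay, "url": absolute, "ext": ext})
    return findings

# Shortened copy of the page source quoted in the thread
SAMPLE_BASE = "http://24.74.206.239:8180/"
SAMPLE_HTML = ('<html><head><title>Browser Plugin Requried</title>'
               '<meta http-equiv="refresh" content="1; '
               'url=psecure20x-cgi-install.version6.01.bin.hx.com">'
               '</head><body><h1>Browser Plugin Required:</h1></body></html>')

if __name__ == "__main__":
    for f in risky_refreshes(SAMPLE_HTML, SAMPLE_BASE):
        print(f"meta refresh after {f['delay']}s -> {f['url']} ({f['ext']})")
```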

