Bugtraq mailing list archives

Re: Remote ICQ Sound Deactivation


From: "Adam [wp-ckkl]" <ckkl () poczta wp pl>
Date: Tue, 16 Jul 2002 00:54:38 +0200

 It's possible to disable someone's ICQ sounds using this HTML code :
<IFRAME src="blank.scm"></iframe>

Some time ago I discovered the same thing about .scm files.
I have even written a little proggie
[http://www.sztolnia.pl/hack/neihoicq/prep.pas]
that may be useful for people who want to test this little 'feature'
prepared for users by IE and ICQ joined together.
Generally, it is possible to save any file on a victim's
hard disk using this 'exploit'. I tried my best to improve the idea
and to use the mentioned 'feature' to become a little bit more nasty,
but unfortunately I couldn't force a .wav file to do anything but
open Winamp zillions of times :)
Here's my full explanation [commented now and updated] that
I was about to put on my home page
right after I discovered it [and still had a hope that I would be
the one who would finally destroy the world :>]:
----------
Sorry for my bad lingo, but it's late here :)

neihoicq - the marriage of ICQ and IE makes it possible to read (comment:
sorry dude, didn't work this time :|) local files (btw, neiho means "hello"
in Cantonese =o) - this is just a word or two for my little, cute la femme
Chinoise :)

Synopsis
There are ICQ files with the .scm extension (.scm stands for ICQ
Sound Scheme). If used in a malicious way, they let others save
(comment: should read "read local", if it had worked out :) files onto an ICQ
user's machine, into a specific directory.

Description
When you want a new Sound Scheme, you may go, for example,
to the ICQ home page and download one there. Apart from that,
you may also save your own Sound Scheme directly from ICQ
(click Main, click Preferences, click Alerts and Notifications,
click Sounds) and later share it with others.

Every .scm file is made of .wav sounds, and they're written in
a very unique way. So unique that one may guess the structure
of the .scm file in a second just by taking a look inside. They are
made of a simple header [really trivial structure - read prep.pas
for details] and then just raw .wav files inside, written one by one.

The problem with .scm files is that they may be freely opened in
IE [tested with 6.0]. There won't be any dialog box asking if you
want to open or save the file. IE will open the file, download it and
then push it forward to ICQ [which must be running].
ICQ will check the content of the .scm file and will eventually save
all the extracted .wav files into a directory. This directory is known
and is usually easy to predict. ICQ stores the files in

"C:\Program Files\ICQ\Sounds\xyz\"

where "xyz" is the name of the given .scm file (when loaded locally)
or the name with an index, starting with [1], e.g.:

"C:\Program Files\ICQ\Sounds\neihoicq[1]\"

By creating an "enhanced" Sound Scheme we may write any file
we want to the mentioned directory. However, things are not
that easy, because there's one problem. These files are always
saved with the names given by ICQ, not by us. (ICQ's
creators probably tried to avoid some malicious usage.) Anyway,
it is still possible to save any file we want there, and we still know
the full path and the filename.
There's a list of .wav file names that ICQ uses internally to play sounds.
I won't list them here, but if you are curious, you already know where to
search for them :) [I'll write auth.wav only]

Files that may be helpful:
- prep.pas - A little tool written in Pascal that helps create your own
.scm file
http://www.sztolnia.pl/hack/neihoicq/prep.pas
- neihoicq.scm - my dummy scm file
http://www.sztolnia.pl/hack/neihoicq/neihoicq.scm

Credits
Menashe Eliezer from Finjan Software for his support

Adam Blaszczyk
[02-05-23] [en/pl] Home page/Domowa http://www.mykakee.com
[02-06-06] [pl] Pirotechnika http://pyro.pieklo.org
[02-04-27] [pl] Sztolnia, FAQ p.c.p. http://www.sztolnia.pl
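The post above describes the .scm container as an opaque header followed by raw .wav files written back to back, and notes that ICQ extracts each .wav under a name it chooses. The following Python is an added example, not code from the post or from ICQ: it builds a constructed container with a placeholder header (a hypothetical layout, not the real ICQ header, which the post defers to prep.pas), carves the embedded RIFF/WAVE files out of it by signature rather than by trusting any header, and walks each file's chunks. The size check in the carver is the caveat a practitioner wants: a RIFF size field that points past the end of the blob is rejected instead of being sliced blindly, which also rejects a truncated download.

```python
"""Signature-based carver for RIFF/WAVE files inside a concatenated blob.

Added example (not from the post). The .scm header built here is a
placeholder stand-in, NOT the real ICQ layout; the carver never relies
on it, so it works the same on any 'header + raw .wav files' container.
"""
import struct

RIFF_HEADER_LEN = 12  # "RIFF" + u32 size + "WAVE"


def build_wave(samples: bytes, sample_rate: int = 8000) -> bytes:
    """Build a minimal, valid 8-bit mono PCM WAVE file around `samples`.
    `samples` may be anything at all: nothing here checks it is audio."""
    fmt = struct.pack("<HHIIHH", 1, 1, sample_rate, sample_rate, 1, 8)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples)
    if len(samples) % 2:
        body += b"\x00"  # RIFF chunks are word-aligned
    # The RIFF size counts everything after the 8-byte "RIFF"+size header.
    return b"RIFF" + struct.pack("<I", len(body)) + body


def build_container(names, waves) -> bytes:
    """Constructed stand-in for an .scm file (hypothetical header layout):
    magic, entry count, fixed-width names, then the raw .wav blobs."""
    header = b"SCM?" + struct.pack("<I", len(waves))  # placeholder only
    for name in names:
        header += name.encode("ascii").ljust(16, b"\x00")
    return header + b"".join(waves)


def carve_waves(blob: bytes):
    """Return (offset, length, payload) for each well-formed RIFF/WAVE file
    in `blob`. Scans for the signature so the container header can stay
    opaque, and rejects any file whose declared size runs past the blob."""
    found = []
    pos = 0
    while True:
        pos = blob.find(b"RIFF", pos)
        if pos < 0:
            break
        if pos + RIFF_HEADER_LEN <= len(blob) and blob[pos + 8:pos + 12] == b"WAVE":
            (size,) = struct.unpack_from("<I", blob, pos + 4)
            end = pos + 8 + size
            if size >= 4 and end <= len(blob):
                found.append((pos, 8 + size, blob[pos:end]))
                pos = end  # jump over the file; no overlapping matches
                continue
        pos += 1  # not a usable WAVE at this offset; keep scanning
    return found


def wave_chunks(wave: bytes):
    """Walk the sub-chunks of one carved WAVE file, returning (id, payload)
    pairs; raises if a chunk length overruns the file's declared size."""
    chunks = []
    pos = RIFF_HEADER_LEN
    end = 8 + struct.unpack_from("<I", wave, 4)[0]
    while pos + 8 <= end:
        cid = wave[pos:pos + 4]
        (clen,) = struct.unpack_from("<I", wave, pos + 4)
        payload = wave[pos + 8:pos + 8 + clen]
        if len(payload) != clen:
            raise ValueError("chunk %r runs past end of file" % cid)
        chunks.append((cid, payload))
        pos += 8 + clen + (clen & 1)  # skip the pad byte on odd lengths
    return chunks


if __name__ == "__main__":
    # Constructed sample input: one real-looking sound and one arbitrary
    # payload wrapped as a .wav, which is the point the post makes about
    # "any file" landing in the Sounds directory under an ICQ-chosen name.
    payload = b"not audio at all: arbitrary bytes go here"
    waves = [build_wave(bytes(range(64))), build_wave(payload)]
    blob = build_container(["auth.wav", "msg.wav"], waves)
    for off, length, wav in carve_waves(blob):
        data = dict(wave_chunks(wav))[b"data"]
        print(f"wav at offset {off}, {length} bytes, data chunk {len(data)} bytes")
```

Because the carver keys on the RIFF signature and the declared size, it needs no knowledge of the container header, which is exactly the situation a responder is in when handed an unknown .scm sample; swapping in the real header parser from prep.pas would only let you recover the names ICQ would have assigned.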

