Bugtraq mailing list archives
Re: Java script exploit
From: Andreas Beck <becka-list-bugtraq () bedatec de>
Date: Sun, 19 Feb 2006 19:00:44 +0100
gandalf () digital net wrote:
Greetings and Salutations: I just receieved this exploit,
It is none, as others already have mentioned. I suppose you got it from one of the various "you received a postcard" mailings going round. It is basically a trampoline that will lead to a series of webservers that have been compromised which will redirect to each other (typically 2 or 3 steps) using frames, iframes or similar javascripts (they use the same basic en-/decoder, as far as I have seen). The last step, however (which is probably what triggered a trap on your system) is a piece of HTML that is using 3 or 4 different exploits to try to download and execute a variant of Haxdoor. The first two are trying to use ActiveX together with .chm bugs (not sure, if I should count them as two), the next utilizes some JavaApplet called " SandBoxEscape.class", while the fourth tries to exploit http://www.securiteam.com/windowsntfocus/6B00L2KEKW.html The binary that should have been downloaded was identified by virusscan.jotti.org as being - Bitdefender BehavesLike:Trojan.WinlogonHook (probable variant), - NOD32 a variant of Win32/Haxdoor - VBA32 Trojan-Downloader.Agent.84 (probable variant). Note, that only three of about a dozen Scanners installed on jotti identify the malware, as it seems to be modified. I have given a short description of what I've seen there in the german newsgroup de.comp.security.virus with MID slrndv299i.sp1.becka-news-nospam-2006-02 () xeon mcs acs uni-duesseldorf de
Subject: You have received a postcard! Id: 7963
Ah. Good guess. Kind regards, Andreas Beck -- Andreas Beck http://www.bedatec.de/
Current thread:
- Java script exploit gandalf (Feb 17)
- Re: Java script exploit 3APA3A (Feb 18)
- Re: Java script exploit Jose Nazario (Feb 18)
- Re: Java script exploit Jose Nazario (Feb 18)
- Re: Java script exploit Andreas Beck (Feb 21)