Re: UPDATE: Re: REFRESH: EUDORA MAIL 5.1.1

[full-disclosure () lists netsys com (http-equiv () excite com)]

Nick FitzGerald <nick () virus-l demon co uk> said:

> Jeff Kell <jeff-kell () utc edu> replied to http-equiv () malware com:
>
> [I thought I replied to "http-equiv"'s message earlier, but on 
> checking I sent it direct, not to the lists...]
>
> > > Just tested something here. Typically IE can or will open files
> > > depending what the contents are regardless of the extension 
that it
> > > is: <html> tag in a gif or some other file type should or can be
> > > rendered by IE for what the contents are, not the extension.
> >
> > The Windows run function (IE viewer) ignores the extension (sort 
of) if
> > the file is in a portable OLE-type format.  For example, go in 
Word and
> > create "foo.doc".  Exit and rename "foo.doc" to "foo.fubar".  
Double
> > click "foo.fubar" and Word opens up.  Same for Excel and other 
things.
> > If the extension is known, it appears to try and use it.  If not, 
it
> > will look for OLE-extensions and launch what matches.
>
> It's the other way around -- if a file's extension is not registered
> on the system trying to "run" (or "open") the file, depending on 
how 
> it is being "opened", some further checks than just "what is 
> registered to handle this extension" are made.  One of those checks 
> determines whether the file is apparently internally an OLE2 file, 
> and if so the application registered to handle the CLSID of the 
root 
> directory entry in the OLE2 file is directed to open the file.  If 
> that CLSID is also not registered then the usual "Open With..." 
> dialog appears.  Another file type tested for in this process is 
the 
> DOS ("MZ") EXE format, which can be run "as normal", depending on 
the 
> "open" method used, depsite having been renamed to a non-EXE 
> extension.
>
> Thus, "http-equiv"'s discovery that a non-extensioned EXE could be 
> launched through one of these code execution holes is not all that
> surprising...

For clarity's sake, in this particular instance it was only the meta 
refresh that was non-extensioned.

In the embedded folder we had / have:

malware.exe
malware [the mhtml file -- no extension]

<META http-equiv=refresh content="1; 
&#13;&#10;url=file://C:\WINDOWS\Application 
Data\Qualcomm\Eudora\Embedded\malware">

The refresh tag is pointing to malware -- what it does is skip over 
the non-extensioned mhtml file, and instead, open malware.exe 
directly.

-- 
http://www.malware.com