Full Disclosure mailing list archives
Re: Old Hack?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 04 Feb 2004 00:26:46 +1300
Steffen Kluge <kluge () fujitsu com au> replied to "axid3j1al":
> > Has anyone seen this little code injection hack. Is this old?
>
> According to Trend AV, this is JS_PETCH.A, first discovered 6-Nov-2003.
And you _believe_ that?? That is a totally bogus name/detection.

What Trend wants to tell you is that the code is an attempt to exploit the ADODB bug in IE, whereby you could overwrite arbitrary local files. The first (?) PoC publicly posted contained code very like what was posted here, replacing WMP and then trying to launch something that would, on a default Windows install, cause the replaced WMP to be executed.

To name a detection for a generic "attempt to exploit a vulnerability" as if it were a specific, individual entity (as suggested by the name you cite) is somewhere well south of utterly bogus...

However, I agree it is an old exploit.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html