Full Disclosure mailing list archives
Re: [Full-Disclosure] RE: Full-disclosure digest, Vol 1 #1955 - 19 msgs
From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 8 Oct 2004 01:22:50 -0500
> Didn't mean to have you apologize, it did its job. It showed that I was
> not vulnerable. I just found it interesting that my AV called it
> something that could not be found through search.

No worries Randall. =) I really should have warned about the possible AV
warnings, as some might not understand what's actually going on. (I've
gotten a few emails like "Ha! My antivirus stopped your ploy to infect
me".) =P I can't explain it much better than I have. I figured that most
people on this list would understand what was REALLY happening, but I
should plan for as many scenarios as possible. This includes those that
wouldn't understand what the virus warnings mean. Thanks for your
clarification though Randall. Appreciate it. ;)

--
Peace. ~G

On Thu, 7 Oct 2004 06:02:02 -0500, RandallM <randallm () fidmail com> wrote:
> GuidoZ
>
> Didn't mean to have you apologize, it did its job. It showed that I was
> not vulnerable. I just found it interesting that my AV called it
> something that could not be found through search.
>
> thank you
> Randall M
>
> -----Original Message-----
> From: GuidoZ [mailto:uberguidoz () gmail com]
> Sent: Thursday, October 07, 2004 1:16 AM
> To: RandallM
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-Disclosure] RE: Full-disclosure digest, Vol 1 #1955 - 19 msgs
>
> It might be detected as Trojan.Moo or any other variant of the JPEG
> exploit. As I said, it attempts to exploit the system to see if it's
> vulnerable, using an "infected" JPG. The file I provided is simply a SFX
> with a batch file and the "infected" JPG (named exploit.bak). No attempt
> has been made at all to mask what's inside.
>
> I figured those that would want to use it would either not worry about
> the virus warnings, or not get them at all and REALLY need the fix it
> helps provide. =) Email me at the address provided in my original email
> (exploit _AT_ guidoz _DOT_ com) and I'll provide a link to the batch
> files and such so you may modify them as you wish.
>
> Sorry for any confusion with the AV. I should have warned about that in
> the original email. (Others have written me asking the same question.)
> I only provided it to possibly help others who have lots of friends
> asking them for help to patch their systems. This simply sees if they
> are vulnerable, then leads them through the steps to patch the system if
> they are. (You may have to tell them to ignore AV warnings, or disable
> the AV scanner. Again, I urge you to test this on a NON-PRODUCTION
> machine first. See what it contains, read the batch files, see what it
> downloads, etc.)
>
> Please feel free to ask me any questions. Hope it helps someone else.
>
> --
> Peace. ~G
>
> On Wed, 6 Oct 2004 20:59:28 -0500, RandallM <randallm () fidmail com> wrote:
> >
> > --__--__--
> >
> > Message: 14
> > Date: Wed, 6 Oct 2004 15:53:32 -0700
> > From: GuidoZ <uberguidoz () gmail com>
> > Reply-To: GuidoZ <uberguidoz () gmail com>
> > To: full-disclosure () lists netsys com
> > Subject: [Full-disclosure] Quick JPEG/GDI test & fix (timesaver)
> >
> > Hello list,
> >
> > I wrote a very simple program/batch file that tests for the JPEG
> > exploit, then if affected, provides instructions on how to patch the
> > exploit. It has been tested on my own lil happy lab network, as well
> > as one network where I'm a sysadmin. (Tested on Windows XP Home and
> > Pro, SP1a and SP2.)
> >
> > It DOES test for the exploit by attempting to use an "infected" JPG
> > which downloads the instructions for fixing it, if exploited. By
> > viewing the strings in the JPG, you can see the file it downloads and
> > check it out for yourself. It's clean. =) Just contains a batch file
> > and a program to launch the batch file. (The file that gets downloaded
> > is a simple SFX.) Links are below. It contains a warning saying it's
> > about to try to exploit the system and to save data in open programs.
> > (It also warns that Explorer may crash.)
> >
> > I wrote this merely to save myself time and allow friends/family to
> > test their own systems, then patch them without having to call me for
> > help. It's not been tested in every environment and in every scenario.
> > If you find a problem, feel free to email me (exploit _AT_ guidoz
> > _DOT_ com). Obviously I'm not responsible if it's abused somehow, or
> > if it breaks something, etc. Feel free to modify it to suit your own
> > needs, but use it at your own risk.
> >
> > Test can be downloaded from here:
> > http://www.guidoz.com/exploit-test.exe
> >
> > Again, it's just an SFX archive with a batch file. Hopefully it will
> > save someone else some time. I've used it to have friends/family (and
> > a few clients) patch a total of around 30 machines without problems.
> >
> > --
> > Peace. ~G
> >
> > --__--__--
> >
> > End of Full-Disclosure Digest
> >
> > Well, guess I'm safe. McAfee saw it as "Exploit-MntRedir.gen" and
> > said...NO! I googled it and it found nothing though. Thought it would
> > at least lead me to McAfee. McAfee search said:
> >
> > "We found no records matching the following criteria:
> > Virus name containing "MntRedir.gen".
> > Please try narrowing your search by using fewer characters".
> >
> > What gives?
> >
> > thank you
> > Randall M
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html