Date: Tue, 22 Jun 2004 00:01:22 -0700
From: Steve Ryan <sirsteve@...ernetcds.com>
To: bugtraq@...urityfocus.com
Cc: fedhead <fedhead@...ers.com>
Subject: Re: Unusual Activity in Ad-aware 6 Personal, Build 6.181


Hi,

Well, this is odd.  I did not find any of those files you mentioned.  I 
didn't find a cache folder either.  I updated Ad-Aware with the latest 
definitions and then initiated a scan.  It created a 'cache' folder 
where you mentioned, although I didn't open it.  I let it finish the 
scan and then the 'cache' folder disappeared.  I cleaned the 30 or so 
'tracking cookies' it found and it created a cache folder again.  I was 
going to open it, but then I closed out Ad-Aware not even thinking and 
the cache folder disappeared.

Then I opened Ad-aware, ran a scan.. it immediately created a 'cache' 
folder but upon inspection, it's empty.  I checked it multiple times 
during the Ad-aware scan, and it stayed empty.  This time upon 
completion, before I could close Ad-aware, the 'cache' folder disappeared.

Nothing unusual that I could find anyway.

Windows XP + SP1a + All critical/XP updates..

HTH.

fedhead wrote:

> Sorry about my previous post, Norton picked up the html code and filtered my
> e-mail. Here is the original post without the html flags
> 
> Hello,
>
> Seems benign enough. Every night when it runs, after the first scan of the
> registry, it creates four files in the C:\Program Files\Lavasoft\Ad-Aware
> 6\cache folder which Norton AV catches as trojan scripts:
> 
> exploit.chm
> installer.htm
> shellscript.js
> shellscript_loader.js
> 
> In installer.htm, it appears to use one of the IE IFRAME exploits to
> download the java script files.
>
> The most unusual part is that it happens at the end of the registry scan in
> Ad-aware. A google search doesn't turn up any relation between this exploit
> and Ad-aware so it could be something unique to my system but at this point
> I am at a loss as to what it could be.
> 
> 
> Any info would be appreciated.
> 
> Thanks,
> Matt