| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mandreko at ori.net (Matt Andreko) Subject: Spyware installs with no interaction in IE on fully patched XP SP2 box I was unable to verify it, since I don't use IE, and would prefer not infecting myself on accident, however I did run across this: http://themexp.org/about_wrap.php Perhaps one of the themes you downloaded was bundled with the spyware? Geraldo Rivera wrote: > themexp.org > > I should have logged all the files and reg entries I deleted, but it was > late at night and I wasn't really thinking about that at the time. I > just checked my IE history for some of the things I googled and I found > a bunch of them: > > SahAgent.exe > webrebates0.exe > lu.dat > preInsln.exe > Systb.dll > wupdater.exe > eakrfu.exe > wupdt.exe > megasearch toolbar (www.megasearchbar.com) > IEPlugin > localnrd.dll > multimpp.dll > >> From: "Joel R. Helgeson" <joel@...geson.com> >> To: "Geraldo Rivera" >> <iamafraud@...mail.com>,<full-disclosure@...ts.netsys.com> >> Subject: Re: [Full-Disclosure] Spyware installs with no interaction in >> IE on fully patched XP SP2 box >> Date: Sun, 3 Oct 2004 14:13:52 -0500 >> >> What was the site? >> >> Joel R. Helgeson >> Director of Networking & Security Services >> SymetriQ Corporation >> >> "Give a man fire, and he'll be warm for a day; set a man on fire, and >> he'll be warm for the rest of his life." >> ----- Original Message ----- From: "Geraldo Rivera" >> <iamafraud@...mail.com> >> To: <full-disclosure@...ts.netsys.com> >> Sent: Sunday, October 03, 2004 1:16 PM >> Subject: [Full-Disclosure] Spyware installs with no interaction in IE >> on fully patched XP SP2 box >> >> >>> Last night I went to a site that I have been to on and off for years. >>> The page loaded and then in IE's status bar I saw something >>> suspicious: "installing components...atpartners.cab". I could not >>> close out of IE, and I could not kill the iexplorer.exe process. It >>> totally locked up and I had to reboot my machine. When my machine >>> came back up, I had at least 6 different pieces of spyware/adware on >>> my machine. IT took me almost 2 hrs to clean up. I manually deleted a >>> bunch of crap (stuff I had found through the run key in the registry, >>> suspicious processes running, suspicious files in the usual dir's, >>> and by searching for all files modified at the time this happened). >>> Even after all that, Ad-Aware found 143 entries (none were cookies, >>> mostly registry entries and a few dll's) and then Spybot found an >>> additional 2 registry entries. >>> >>> This machine is a fully patched XP SP2 box, with the default security >>> settings for IE's Internet Zone. Does anybody know what method this >>> crap could be using to install without any user interaction? >>> >>> _________________________________________________________________ >>> Express yourself instantly with MSN Messenger! Download today - it's >>> FREE! hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.netsys.com/full-disclosure-charter.html >> >> > > _________________________________________________________________ > Express yourself instantly with MSN Messenger! Download today - it's > FREE! hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 254 bytes Desc: OpenPGP digital signature Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041004/058cd140/signature.bin
Powered by blists - more mailing lists