[<prev] [next>] [<thread-prev] [month] [year] [list]
From: alla at scanit.be (Alla Bezroutchko)
Subject: Spyware installs with no interaction in IE
on fully patched XP SP2 box
Carr, Robert wrote:
> Interesting...
>
> I just went there, and he's right. Atpartners.cab installed without
> permission. My McAfee picked it right up as Atpartners.dll, downloaded
> to Temp Internet files. Spyware detected as NetPals. On the other hand,
> I'm admin of my machine, I wonder if a "user" would get an error message
> about not having the correct rights...
I have tested it on Windows XP SP2 and on fully patched Windows 2000. In
both cases _nothing_ gets run or installed. Both systems are more or
less standard installations without any special IE hardening (except
patches).
When I surf to the site with Windows XP "Installing components...
ATpartners.cab" briefly appears in the status bar and then the site gets
displayed. Under the normal browser bars there is a message saying "The
site might require the following ActiveX control: FREE on-line games and
special offers from... Click here to install...". I don't click on it.
Searching the disk for atpartnets.cab or atpartners.dll finds nothing.
The CLSID of the ActiveX control only appears in the registry in
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\".
With Windows 2000 I also get "Installing components... ATpartners.cab"
in the status bar and then the dialog box asking if I want to install
"Free online games from ATgames.com". This is a usual dialog box you get
when a page attempts to install an ActiveX control. If I click "No",
nothing gets installed, no atpartners files on the file system, no
traces of the CLSID in the registry.
I suppose the cab file gets downloaded so that Windows can read and
display the signature of the file. It does not get run or installed
unless explicitly permitted by user.
So, as far as I can see this is no 0-day.
Alla.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux