lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <7FD2F95D5721174389F954C1BDC86739815188@altair.stcservices.com>
Date: Tue, 6 Apr 2004 13:07:57 -0400
From: BugtraQ <bugtraqFolder@...services.com>
To: bugtraq@...urityfocus.com
Subject: RE: Netsky.R, auto execute w/ IE6 ?


Thanks Jim, and all who replied.  Updating MS Office w/ latest patches
solved the problem.  It appears it was the iframe issue you mentioned.

Here is the message source for those who asked:
-----------------------------------------------------------------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>

<META content="MSHTML 5.00.2920.0" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff><br>Mail Delivery - This mail couldn't be
displayed<br><br>------------- failed message
-------------<br>?2a$dmd-ekH-U?3C)7>JA!p|jxvM>g;öOigLW*8hiE<br>G1!K&o*(yßKAL
#s7sMJwAmS2105NtW3%efpG7?$V)4(vf#><br>jHtC8HWc4VfUgtU2l55aWMD.PJK7.YD8bä:)pa
cn|$qhz<br>Vü8sßZmQV4goigoLHcu$w%1hxo|ACKw0B8&ßOvüma,ö<br>V&;N>1:G<br><br>Me
ssage has been sent as a binary attachment.<br>

Or you can view the message at:<br><br>
<a href=cid:121401Mfdab4$3f3dL780$75387018@...81fa70Re height=0
width=0>www.targetdomain.com/inmail/webmaster/mread.php?sessionid-20302</a>
<iframe
src=cid:121401Mfdab4$3f3dL780$75387018@...81fa70Re height=0
width=0></iframe> 
<DIV>&nbsp;</DIV></BODY></HTML>
------------------------------------------------------------------

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora@...a.com]
Sent: Friday, April 02, 2004 2:30 PM
To: 'BugtraQ'; bugtraq@...urityfocus.com
Subject: RE: Netsky.R, auto execute w/ IE6 ?


> I have received several emails (W2K, Outlook 2000) 
> that appear to be Netsky.Q or Netsky.R.  When 
> opened these emails launch the attachment automatically.

> Just to be sure, I did a windows update for all the 
> latest security patches. Even after this, Outlook 
> still opens the attached file on viewing the email.

The MIME vulnerability should not affect you given the configuration you
said you have. 

Netsky-Q also uses an iframe to try to autolaunch, though - that is probably
what you are seeing. Your security settings in Outlook are probably not set
to protect against iframe launches. Make sure your mail client is running in
the Restricted Sites security zone (Tools>Options>Security>Zone Settings),
and that the "Launching Programs and Files in an Iframe" right is set to
"disabled" within that zone.

Netsky.Q uses the following methods to try to execute the hostile
attachment:

***** The social engineering setup:

<BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br>
follow the link to read the delivered message.<br><br>
Received message is available at:<br>

A clickable link looks like it points at hotjobs but actually points to
embedded executable:

<a href=3Dcid:031401Mfdab4$3f3dL780$73387018@...81fa70Re height=3D0
width=3D0>www.hotjobs.com/inbox/serviceupdate/read.php?sessionid-4524</a>

**** An I-Frame tries to auto-execute the embedded executable:
Prevent this by running the mail client within the  Restricted Sites
security zone, and by ensuring "Launching Programs and Files in an Iframe"
is disabled within that zone.

<iframe
src=3Dcid:031401Mfdab4$3f3dL780$73387018@...81fa70Re height=3D0
width=3D0></iframe> 
<DIV>&nbsp;</DIV></BODY></HTML>


**** And finally the MIME type vulnerability tries to auto-execute the
embedded executable. This exploit should be stopped by IE 6 or by MS01-020.
Your computer probably does not try to execute from this.

------=_NextPart_001_001C_01C0CA80.6B015D10--

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: audio/x-wav;
	name="message.scr"
Content-Transfer-Encoding: base64
Content-ID:<031401Mfdab4$3f3dL780$73387018@...81fa70Re>






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ