[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1076888009.18518.12.camel@Stargate>
From: nodialtone at comcast.net (Byron Copeland)
Subject: Re:
http://federalpolice.com:article872@...5686747
Running mozilla 1.6. Nothing showed up here as your assuming.
On Sun, 2004-02-15 at 17:40, Erik van Straten wrote:
> Hi Nicola,
>
> It's not a zip file, not an applet, but a plain EXE file. Seems
> compressed somehow, no time to figure it out now. Dunno why Mozilla
> runs this (I don't like it).
>
> If something showed up in your status bar, you should definitely assume
> your box was compromised.
>
> Take care out there,
> Erik
>
> On Sun, 15 Feb 2004 20:20:11 +0100 Nicola Fankhauser wrote:
> > hi jedi
> >
> > On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:
> > > This is equivalent to http://64.29.173.91/
> >
> > ok, and the html of the index page is as following:
> >
> > <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
> > <h2>SERVER ERROR 550</h2>
> > <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1></applet></body></html>
> >
> > now, the "SERVER ERROR 550" is clearly a fake - the java applet below
> > just starts fine. strangely, the 'javautil.zip' is not a valid zip-file,
> > yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :)
> > happily start the applet without any hickups or exceptions and mozilla
> > states 'Applet BlackBox started' in the status bar.
> >
> > is there anybody knowledgable interested in un-zipping, de-compiling and
> > analysing this surely malicious applet? I would like to know what
> > mozilla just executed on my behalf there... :(
> >
> > FYI, the file 'javautil.zip' attached is directly taken from the site
> > mentioned above.
> >
> > regards
> > nicola
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists