From: toddtowles at brookshires.com (Todd Towles)
Subject: Spyware installs with no interaction in IE on fully patched XP SP2 box

Yep Themexp.org was my wallpaper stop for a while. But it was taken over
by new owners a whlie ago about and it is  turning south, into a
adware/spyware/pop-up site. Kinda sad, it was a very good site. 

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Geraldo Rivera
> Sent: Monday, October 04, 2004 8:47 AM
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Spyware installs with no 
> interaction in IE on fully patched XP SP2 box
> 
> themexp.org
> 
> I should have logged all the files and reg entries I deleted, 
> but it was late at night and I wasn't really thinking about 
> that at the time. I just checked my IE history for some of 
> the things I googled and I found a bunch of them:
> 
> SahAgent.exe
> webrebates0.exe
> lu.dat
> preInsln.exe
> Systb.dll
> wupdater.exe
> eakrfu.exe
> wupdt.exe
> megasearch toolbar (www.megasearchbar.com) IEPlugin 
> localnrd.dll multimpp.dll
> 
> >From: "Joel R. Helgeson" <joel@...geson.com>
> >To: "Geraldo Rivera" 
> ><iamafraud@...mail.com>,<full-disclosure@...ts.netsys.com>
> >Subject: Re: [Full-Disclosure] Spyware installs with no 
> interaction in 
> >IE on fully patched XP SP2 box
> >Date: Sun, 3 Oct 2004 14:13:52 -0500
> >
> >What was the site?
> >
> >Joel R. Helgeson
> >Director of Networking & Security Services SymetriQ Corporation
> >
> >"Give a man fire, and he'll be warm for a day; set a man on 
> fire, and 
> >he'll be warm for the rest of his life."
> >----- Original Message ----- From: "Geraldo Rivera" 
> ><iamafraud@...mail.com>
> >To: <full-disclosure@...ts.netsys.com>
> >Sent: Sunday, October 03, 2004 1:16 PM
> >Subject: [Full-Disclosure] Spyware installs with no 
> interaction in IE 
> >on fully patched XP SP2 box
> >
> >
> >>Last night I went to a site that I have been to on and off 
> for years. 
> >>The page loaded and then in IE's status bar I saw something 
> suspicious:
> >>"installing components...atpartners.cab". I could not close 
> out of IE, 
> >>and I could not kill the iexplorer.exe process. It totally 
> locked up 
> >>and I had to reboot my machine. When my machine came back 
> up, I had at 
> >>least 6 different pieces of spyware/adware on my machine. 
> IT took me 
> >>almost 2 hrs to clean up. I manually deleted a bunch of 
> crap (stuff I 
> >>had found through the run key in the registry, suspicious processes 
> >>running, suspicious files in the usual dir's, and by 
> searching for all 
> >>files modified at the time this happened). Even after all that, 
> >>Ad-Aware found 143 entries (none were cookies, mostly 
> registry entries 
> >>and a few dll's) and then Spybot found an additional 2 
> registry entries.
> >>
> >>This machine is a fully patched XP SP2 box, with the 
> default security 
> >>settings for IE's Internet Zone. Does anybody know what method this 
> >>crap could be using to install without any user interaction?
> >>
> >>_________________________________________________________________
> >>Express yourself instantly with MSN Messenger! Download 
> today - it's FREE! 
> >>hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> >>
> >>_______________________________________________
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
> 
> _________________________________________________________________
> Express yourself instantly with MSN Messenger! Download today 
> - it's FREE! 
> hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

Powered by blists - more mailing lists