Message-ID: <b7bc1b1f0410072322307ae99b@mail.gmail.com>
From: uberguidoz at gmail.com (GuidoZ)
Subject: RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs
> Didn't mean to have you apologize, it did its job. It showed
> that I was not vulnerable. I just found it interesting that my
> AV called it something that could not be found through search.
No worries Randall. =) I really should have warned about the possible AV
warnings, as some might not understand what's actually going on. (I've
gotten a few emails like "Ha! My antivirus stopped your ploy to infect
me".) =P I can't explain it much better than I have.
I figured that most people on this list would understand what was
REALLY happening, but I should plan for as many scenarios as possible.
This includes those that wouldn't understand what the virus warnings
mean. Thanks for your clarification though Randall. Appreciate it. ;)
--
Peace. ~G
On Thu, 7 Oct 2004 06:02:02 -0500, RandallM <randallm@...mail.com> wrote:
> GuidoZ
> Didn't mean to have you apologize, it did its job. It showed
> that I was not vulnerable. I just found it interesting that my
> AV called it something that could not be found through search.
>
> thank you
> Randall M
>
> > -----Original Message-----
> > From: GuidoZ [mailto:uberguidoz@...il.com]
> > Sent: Thursday, October 07, 2004 1:16 AM
> > To: RandallM
> > Cc: full-disclosure@...ts.netsys.com
> > Subject: Re: [Full-Disclosure] RE: Full-Disclosure digest,
> > Vol 1 #1955 - 19 msgs
> >
> > It might be detected as Trojan.Moo or any other variant of
> > the JPEG exploit. As I said, it attempts to exploit the
> > system to see if it's vulnerable, using an "infected" JPG.
> > The file I provided is simply an SFX with a batch file and
> > the "infected" JPG (named exploit.bak). No attempt has been
> > made at all to mask what's inside.
> >
> > I figured those that would want to use it would either not
> > worry about the virus warnings, or not get them at all and
> > REALLY need the fix it helps provide. =) Email me at the
> > address provided in my original email (exploit _AT_ guidoz
> > _DOT_ com) and I'll provide a link to the batch files and
> > such so you may modify them as you wish.
> >
> > Sorry for any confusion with the AV. I should have warned
> > about that in the original email. (Others have written me
> > asking the same question.) I only provided it to possibly
> > help others who have lots of friends asking them for help to
> > patch their systems. This simply sees if they are
> > vulnerable, then leads them through the steps to patch the
> > system if they are. (You may have to tell them to ignore AV
> > warnings, or disable the AV scanner. Again, I urge you to
> > test this on a NON-PRODUCTION machine first. See what it
> > contains, read the batch files, see what it downloads, etc.)
> >
> > Please feel free to ask me any questions. Hope it helps someone else.
> >
> > --
> > Peace. ~G
> >
> >
> > On Wed, 6 Oct 2004 20:59:28 -0500, RandallM
> > <randallm@...mail.com> wrote:
> > >
> > > > --__--__--
> > > >
> > > > Message: 14
> > > > Date: Wed, 6 Oct 2004 15:53:32 -0700
> > > > From: GuidoZ <uberguidoz@...il.com>
> > > > Reply-To: GuidoZ <uberguidoz@...il.com>
> > > > To: full-disclosure@...ts.netsys.com
> > > > Subject: [Full-Disclosure] Quick JPEG/GDI test & fix (timesaver)
> > > >
> > > > Hello list,
> > > >
> > > > I wrote a very simple program/batch file that tests for the JPEG
> > > > exploit, then if affected, provides instructions on how to patch the
> > > > exploit. It has been tested on my own lil happy lab network, as well
> > > > as one network where I'm a sysadmin. (Tested on Windows XP Home
> > > > and Pro, SP1a and SP2.)
> > > >
> > > > It DOES test for the exploit by attempting to use an "infected" JPG
> > > > which downloads the instructions for fixing it, if exploited. By
> > > > viewing the strings in the JPG, you can see the file it downloads and
> > > > check it out for yourself. It's clean. =) Just contains a batch file
> > > > and a program to launch the batch file. (The file that gets downloaded
> > > > is a simple SFX.) Links are below. It contains a warning saying it's
> > > > about to try to exploit the system and to save data in open programs.
> > > > (It also warns that Explorer may crash.)
> > > >
> > > > I wrote this merely to save myself time and allow friends/family to
> > > > test their own systems, then patch them without having to call me for
> > > > help. It's not been tested in every environment and in every scenario.
> > > > If you find a problem, feel free to email me (exploit _AT_ guidoz
> > > > _DOT_ com). Obviously I'm not responsible if it's abused somehow,
> > > > or if it breaks something, etc. Feel free to modify it to suit your
> > > > own needs, but use it at your own risk.
> > > >
> > > > Test can be downloaded from here:
> > > > http://www.guidoz.com/exploit-test.exe
> > > >
> > > > Again, it's just an SFX archive with a batch file. Hopefully it
> > > > will save someone else some time. I've used it to have
> > > > friends/family (and a few clients) patch a total of
> > > > around 30 machines without problems.
> > > >
> > > > --
> > > > Peace. ~G
> > > >
> > > >
> > > > --__--__--
> > > >
> > > > End of Full-Disclosure Digest
> > > >
> > >
> > > Well, guess I'm safe. McAfee saw it as
> > > "Exploit-MntRedir.gen" and said...NO!
> > > I googled it and it found nothing though. Thought it would at least
> > > lead me to McAfee. McAfee search said:
> > >
> > > "We found no records matching the following criteria:
> > > Virus name containing "MntRedir.gen".
> > > Please try narrowing your search by using fewer characters".
> > >
> > > What gives?
> > >
> > > thank you
> > > Randall M
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
> > >
> >
>
>