Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: new internet explorer exploit (was new worm)
From: Jelmer <jkuperus () planet nl>
Date: Tue, 30 Mar 2004 13:00:29 +0200

And even that small measure of warning is trivially defeated

if I change the url in my exploit.htm from




It gives no warning whatsoever, proofing once again that you  shouldn't
solely rely on virus scanners, though others might do a better job, I can't
imagine anyone doing it worse

----- Original Message ----- 
From: "Void" <void () sect net>
To: "Jelmer" <jkuperus () planet nl>; <full-disclosure () lists netsys com>;
<bugtraq () securityfocus com>
Sent: Monday, March 29, 2004 9:15 PM
Subject: Re: new internet explorer exploit (was new worm)

Just wanted to add that Norton Anti-Virus 2004 will detect this exploit
pop up a warning, but also fails to halt its execution or protect the user
in any way.

Here is what it thinks it is:


So there is some measure of warning, but no real protection.

At 04:35 PM 3/29/2004 +0200, Jelmer wrote:
The code used by this worm to exploit it's users at least partly  is (i
think) new , the vulnerability it abused has afaik not been published on
eighter bugtraq or full-disclosure. possibly making it (one of?) the
worm to totally catch people offguard.

It allows a mallicious person to take any action on an unsuspecting user
view's a specially prepared page's pc

The known ingredient it uses is :
that has gone unpatched for over 5 months now

The remainder of the exploit manages to confuse this same adodb.stream
object enough to make it think it's being run from a local location

You can protect yourself against it by running

I attached sample code myself to illustrate the problem, because
http-equiv's was messy :)
This one should be more straightforward to use

Instructions :

1. unzip
2. overwrite exploit.exe with the executable you wish to run, or leave it
untoched if you want to see some nice texturemapped rotation
3. upload the files to a webserver
4. view exploit.htm

Tested on winxp pro all patches

for the lazy ones among you can also view a demonstration here :


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]