mailing list archives
RE: Spyware installs ... XP SP2 box
From: "Geraldo Rivera" <iamafraud () hotmail com>
Date: Tue, 05 Oct 2004 19:30:05 -0400
Thanks to everybody for all the info posted here. I wish I had a machine
available right now to set up a vanilla SP2 install so I could witness the
results of visiting the site again myself.
I did indeed say that I have visited the site in the past. However, I hadn't
in a number of months prior to this visit. I also did not discover any
adware/spyware that was installed on my machine prior to 10/2 (nor did
ad-aware, spybot, or pest-patrol). I trust in the info that has been posted
here, I just wish that I could witness it myself. I am very cautious when
surfing (I know somebody is going to tell me not cautious enough since I am
still using IE) so I am wondering what could have been installed prior to
this visit that allowed this install to happen without any interaction.
Regardless, thanks again to everybody for the good info, and a big fuck you
From: "Castigliola, Angelo" <ACastigliola () unumprovident com>
To: "raize" <raize () gravito com>, <full-disclosure () lists netsys com>
Subject: RE: [Full-disclosure] Spyware installs ... XP SP2 box
Date: Tue, 5 Oct 2004 12:11:24 -0400
Thank you for the test Raize. I appreciate your time.
>One must assume that you are installing these "theme packs" via some
BHO (Browser Helper Object) that you
>installed previously or put the site on the "Always trust content from
this provider". Perhaps someone
>else can explain where I am missing the exploit, because a quick glance
over seems to indicate there is
>none for XP SP2. (I did not test this on SP1)
I think you are right. It seems the only person that was not prompted
for the install that was not running SP2 was the original author of this
thread who said that it was a previously visited site.
As far as users running SP1 there is no security warning that says an
executable is about to be installed. There is no Microsoft Update that
will prevent this from loading. Like most large organizations just
jumping to SP2 is not an option. It needs go though rigorous testing to
make sure it complies with all of our internal software.
Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of raize
Sent: Tuesday, October 05, 2004 9:29 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs ... XP SP2 box
The installed code is definitely:
However, there is no exploit here. I loaded this with a default honeypot
image of XPSP2 with IE as an Admin and nothing else installed other than
the drop down that asked me if I really wanted to trust this site for
installing an executable.
One must assume that you are installing these "theme packs" via some BHO
(Browser Helper Object) that you installed previously or put the site on
the "Always trust content from this provider". Perhaps someone else can
explain where I am missing the exploit, because a quick glance over
seems to indicate there is none for XP SP2. (I did not test this on SP1)
Spybot and Ad-aware do not catch and kill WinRebates and WinAd
spy/adware properly, but I have a batch command that will do it for you.
Included is a .zip of each IP contacted along with full URL request and
output. It also contains the contents of this email and the batch file
with these commands: (You'll want to rename the .txt to .bat)
cd "C:\Program Files\Winad Client"
taskkill /T /F /IM WinClt.exe
taskkill /T /F /IM WinAd.exe
taskkill /T /F /IM WebRebates0.exe
taskkill /T /F /IM WebRebates1.exe
rd /Q /S "Winad Client"
rd /Q /S "Web_Rebates"
taskkill /T /F /IM fjdria.exe
taskkill /T /F /IM ezSP_Px.exe
Full-Disclosure - We believe in it.
Express yourself instantly with MSN Messenger! Download today - it's FREE!
Full-Disclosure - We believe in it.