Full Disclosure mailing list archives

Re: [Full-Disclosure] RE: Full-disclosure digest, Vol 1 #1955 - 19 msgs
From: GuidoZ <uberguidoz () gmail com>
Date: Wed, 6 Oct 2004 23:15:47 -0700

It might be detected as Trojan.Moo or any other variant of the JPEG
exploit. As I said, it attempts to exploit the system to see if it's
vulnerable, using an "infected" JPG. The file I provided is simply a
SFX with a batch file and the "infected" JPG (named exploit.bak). No
attempt has been made at all to mask what's inside.

I figured those that would want to use it would either not worry about
the virus warnings, or not get them at all and REALLY need the fix it
helps provide. =) Email me at the address provided in my original
email (exploit _AT_ guidoz _DOT_ com) and I'll provide a link to the
batch files and such so you may modify them as you wish.

Sorry for any confusion with the AV. I should have warned about that in
the original email. (Others have written me asking the same question.)
I only provided it to possibly help others who have lots of friends
asking them for help to patch their systems. This simply sees if they
are vulnerable, then leads them through the steps to patch the system
if they are. (You may have to tell them to ignore AV warnings, or
disable the AV scanner. Again, I urge you to test this on a
NON-PRODUCTION machine first. See what it contains, read the batch
files, see what it downloads, etc.)

Please feel free to ask me any questions. Hope it helps someone else.

Peace. ~G

On Wed, 6 Oct 2004 20:59:28 -0500, RandallM <randallm () fidmail com> wrote:

<|>Message: 14
<|>Date: Wed, 6 Oct 2004 15:53:32 -0700
<|>From: GuidoZ <uberguidoz () gmail com>
<|>Reply-To: GuidoZ <uberguidoz () gmail com>
<|>To: full-disclosure () lists netsys com
<|>Subject: [Full-disclosure] Quick JPEG/GDI test & fix (timesaver)
<|>Hello list,
<|>I wrote a very simple program/batch file that tests for the JPEG
<|>exploit, then if affected, provides instructions on how to patch the
<|>exploit. It has been tested on my own lil happy lab network, as well
<|>as on one network where I'm a sysadmin. (Tested on Windows XP Home
<|>and Pro, SP1a and SP2.)
<|>It DOES test for the exploit by attempting to use an "infected" JPG
<|>which downloads the instructions for fixing it, if exploited. By
<|>viewing the strings in the JPG, you can see the file it downloads and
<|>check it out for yourself. It's clean. =) Just contains a batch file
<|>and a program to launch the batch file. (The file that gets
<|>is a simple SFX.) Links are below. It contains a warning saying it's
<|>about to try to exploit the system and to save data in open programs.
<|>(It also warns that Explorer may crash.)
<|>I wrote this merely to save myself time and allow friends/family to
<|>test their own systems, then patch them without having to call me for
<|>help. It's not been tested in every environment and in every
<|>If you find a problem, feel free to email me (exploit _AT_ guidoz
<|>_DOT_ com) Obviously I'm not responsible if it's abused
<|>somehow, or if
<|>it breaks something, etc. Feel free to modify it to suit your own
<|>needs, but use it at your own risk.
<|>Test can be downloaded from here:
<|>Again, it's just an SFX archive with a batch file. Hopefully it will
<|>save someone else some time. I've used it to have friends/family (and
<|>a few clients) patch a total of around 30 machines without problems.
<|>Peace. ~G
<|>End of Full-Disclosure Digest

Well, guess I'm safe. McAfee saw it as "Exploit-MntRedir.gen" and said...NO!
I googled it and it found nothing though. Thought it would at least lead me
to McAfee. McAfee search said:

"We found no records matching the following criteria:
Virus name containing "MntRedir.gen".
Please try narrowing your search by using fewer characters".

What gives?

thank you
Randall M

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

