Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Spyware installs with no interaction in IE on fully patched XP SP2 box
From: "Carr, Robert" <rcarr () email uky edu>
Date: Mon, 4 Oct 2004 10:23:41 -0400


Interesting...

I just went there, and he's right. Atpartners.cab installed without
permission. My McAfee picked it right up as Atpartners.dll, downloaded
to Temp Internet files. Spyware detected as NetPals. On the other hand,
I'm admin of my machine, I wonder if a "user" would get an error message
about not having the correct rights...

Thanks,
 
Robert

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Geraldo
Rivera
Sent: Monday, October 04, 2004 9:47 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs with no interaction in
IE on fully patched XP SP2 box

themexp.org

I should have logged all the files and reg entries I deleted, but it was

late at night and I wasn't really thinking about that at the time. I
just 
checked my IE history for some of the things I googled and I found a
bunch 
of them:

SahAgent.exe
webrebates0.exe
lu.dat
preInsln.exe
Systb.dll
wupdater.exe
eakrfu.exe
wupdt.exe
megasearch toolbar (www.megasearchbar.com)
IEPlugin
localnrd.dll
multimpp.dll

From: "Joel R. Helgeson" <joel () helgeson com>
To: "Geraldo Rivera" 
<iamafraud () hotmail com>,<full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] Spyware installs with no interaction in
IE 
on fully patched XP SP2 box
Date: Sun, 3 Oct 2004 14:13:52 -0500

What was the site?

Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and
he'll 
be warm for the rest of his life."
----- Original Message ----- From: "Geraldo Rivera"
<iamafraud () hotmail com>
To: <full-disclosure () lists netsys com>
Sent: Sunday, October 03, 2004 1:16 PM
Subject: [Full-disclosure] Spyware installs with no interaction in IE
on 
fully patched XP SP2 box


Last night I went to a site that I have been to on and off for years.
The 
page loaded and then in IE's status bar I saw something suspicious: 
"installing components...atpartners.cab". I could not close out of IE,
and 
I could not kill the iexplorer.exe process. It totally locked up and I
had 
to reboot my machine. When my machine came back up, I had at least 6 
different pieces of spyware/adware on my machine. IT took me almost 2
hrs 
to clean up. I manually deleted a bunch of crap (stuff I had found
through 
the run key in the registry, suspicious processes running, suspicious 
files in the usual dir's, and by searching for all files modified at
the 
time this happened). Even after all that, Ad-Aware found 143 entries
(none 
were cookies, mostly registry entries and a few dll's) and then Spybot

found an additional 2 registry entries.

This machine is a fully patched XP SP2 box, with the default security 
settings for IE's Internet Zone. Does anybody know what method this
crap 
could be using to install without any user interaction?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's
FREE! 
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's
FREE! 
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]