Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Spyware installs with no interaction in IE on fully patched XP SP2 box
From: "Todd Towles" <toddtowles () brookshires com>
Date: Mon, 4 Oct 2004 09:51:04 -0500

Yep Themexp.org was my wallpaper stop for a while. But it was taken over
by new owners a whlie ago about and it is  turning south, into a
adware/spyware/pop-up site. Kinda sad, it was a very good site. 

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
Geraldo Rivera
Sent: Monday, October 04, 2004 8:47 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs with no 
interaction in IE on fully patched XP SP2 box

themexp.org

I should have logged all the files and reg entries I deleted, 
but it was late at night and I wasn't really thinking about 
that at the time. I just checked my IE history for some of 
the things I googled and I found a bunch of them:

SahAgent.exe
webrebates0.exe
lu.dat
preInsln.exe
Systb.dll
wupdater.exe
eakrfu.exe
wupdt.exe
megasearch toolbar (www.megasearchbar.com) IEPlugin 
localnrd.dll multimpp.dll

From: "Joel R. Helgeson" <joel () helgeson com>
To: "Geraldo Rivera" 
<iamafraud () hotmail com>,<full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] Spyware installs with no 
interaction in 
IE on fully patched XP SP2 box
Date: Sun, 3 Oct 2004 14:13:52 -0500

What was the site?

Joel R. Helgeson
Director of Networking & Security Services SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on 
fire, and 
he'll be warm for the rest of his life."
----- Original Message ----- From: "Geraldo Rivera" 
<iamafraud () hotmail com>
To: <full-disclosure () lists netsys com>
Sent: Sunday, October 03, 2004 1:16 PM
Subject: [Full-disclosure] Spyware installs with no 
interaction in IE 
on fully patched XP SP2 box


Last night I went to a site that I have been to on and off 
for years. 
The page loaded and then in IE's status bar I saw something 
suspicious:
"installing components...atpartners.cab". I could not close 
out of IE, 
and I could not kill the iexplorer.exe process. It totally 
locked up 
and I had to reboot my machine. When my machine came back 
up, I had at 
least 6 different pieces of spyware/adware on my machine. 
IT took me 
almost 2 hrs to clean up. I manually deleted a bunch of 
crap (stuff I 
had found through the run key in the registry, suspicious processes 
running, suspicious files in the usual dir's, and by 
searching for all 
files modified at the time this happened). Even after all that, 
Ad-Aware found 143 entries (none were cookies, mostly 
registry entries 
and a few dll's) and then Spybot found an additional 2 
registry entries.

This machine is a fully patched XP SP2 box, with the 
default security 
settings for IE's Internet Zone. Does anybody know what method this 
crap could be using to install without any user interaction?

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download 
today - it's FREE! 
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today 
- it's FREE! 
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault