Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: new internet explorer exploit (was new worm)

From: Void <void () sect net>
Date: Mon, 29 Mar 2004 11:15:18 -0800
Just wanted to add that Norton Anti-Virus 2004 will detect this exploit and pop up a warning, but also fails to halt its execution or protect the user in any way. 

Here is what it thinks it is:

http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html

So there is some measure of warning, but no real protection.


At 04:35 PM 3/29/2004 +0200, Jelmer wrote:

The code used by this worm to exploit it's users at least partly  is (i
think) new , the vulnerability it abused has afaik not been published on
eighter bugtraq or full-disclosure. possibly making it (one of?) the first
worm to totally catch people offguard.

It allows a mallicious person to take any action on an unsuspecting user who
view's a specially prepared page's pc

The known ingredient it uses is :
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/1758.html
that has gone unpatched for over 5 months now

The remainder of the exploit manages to confuse this same adodb.stream
object enough to make it think it's being run from a local location

You can protect yourself against it by running
http://ip3e83566f.speed.planet.nl/hacked-by-chinese/fix.reg


I attached sample code myself to illustrate the problem, because
http-equiv's was messy :)
This one should be more straightforward to use

Instructions :

1. unzip
2. overwrite exploit.exe with the executable you wish to run, or leave it
untoched if you want to see some nice texturemapped rotation
3. upload the files to a webserver
4. view exploit.htm

Tested on winxp pro all patches

for the lazy ones among you can also view a demonstration here :

http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm
Previous By Date Next
Previous By Thread Next

Current thread: