Full Disclosure mailing list archives

Re: ADODB.Stream object


From: jelmer <jkuperus () planet nl>
Date: Wed, 27 Aug 2003 11:44:18 +0200

I am not big on viruses, so I looked it up:

---
Mindjail is a new variant of Backdoor.SdBot code that, once activated,
installs a backdoor into infected systems. IRC channels are scanned by bots
seeking users, who are then spammed with the following messages:

1. "EEEEEEETHHHOOOM! MINDJAIL!! HE IS TRAPPED!! GET HIM OUT!"

2. "Ever heard of a thing called mindjail? Check it"

Both messages are followed by a link to a file called mindjail.zip. The zip
file contains an HTML file, "mindjail.html", which executes JavaScript code on
vulnerable systems.
---

I know, this thought also crossed my mind. I also received some mail-borne
viruses which used a similar scheme, but one may argue that had the zip
file contained a .vbs or .exe file, people would have opened it as well.



----- Original Message ----- 
From: "Nick FitzGerald" <nick () virus-l demon co uk>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, August 27, 2003 4:20 AM
Subject: Re: [Full-disclosure] ADODB.Stream object


jelmer <jkuperus () planet nl> wrote:

<<snip interesting stuff>>
I don't think it in itself can be considered a security vulnerability, as
it only works when the file containing the code is present on a user's
hard disk, though HTML files are generally considered trusted and you can
probably trick some people into opening an HTML file by sending it to them
through MSN Messenger or whatever.
It can most likely be used to leverage other vulnerabilities; for instance,
many programs download information to predictable locations from where you
might invoke it.

I do not see this as much of an issue/problem for widespread
exploitation.  Recall the (modest) "success" of the MindJail virus, and
the ongoing success of Mimail (which is by far the most prevalent
mass-mailing virus this month if you ignore the Sobig.F freak).  Both of
these viruses exploited a "My Computer" zone-only IE vulnerability,
depending on the typical handling of files from inside archives being
placed into %TEMP% despite their source archives clearly being handled in
the TIF.  Of course, MS (and thus IE) cannot manage third-party programs'
handling of files passed out of IE's security zones...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

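The delivery path both posters describe (a zip attachment whose payload is an HTML file that, once unpacked to %TEMP%, runs script in IE's "My Computer" zone and can instantiate ADODB.Stream) lends itself to a simple triage check at the mail gateway or on the desktop: open the archive in memory and flag any HTML member that instantiates ADODB.Stream or a similar scriptable ActiveX object. The following is an added example written for this archive page, not code from either poster or from the thread's snipped ADODB.Stream details; the ProgID list, the regex and the sample archive are constructed assumptions, so this is a heuristic for the pattern, not a signature for any specific sample.

```python
"""
Triage an attachment archive for the pattern discussed in the thread:
a .zip whose payload is an HTML file that scripts an ActiveX object such as
ADODB.Stream once it has been extracted to the local disk (My Computer zone).

Added example for this archive page, not code from the original thread.
The indicator list, regex and sample archive are constructed assumptions.
"""
import io
import re
import zipfile

# Constructed indicator set. ADODB.Stream is the object named in the thread;
# the others are assumed additions of the same class (scriptable ActiveX
# objects that touch the local file system or launch programs).
SUSPICIOUS_PROGIDS = {
    "adodb.stream",
    "scripting.filesystemobject",
    "wscript.shell",
    "shell.application",
}

HTML_EXTENSIONS = (".htm", ".html", ".hta", ".mht", ".mhtml")

# Matches JScript `new ActiveXObject("ProgID")` and VBScript
# `CreateObject("ProgID")`, tolerating whitespace and either quote style.
# Group 1 is the ProgID as written in the page.
ACTIVEX_RE = re.compile(
    r'(?:new\s+ActiveXObject|CreateObject)\s*\(\s*["\']([\w.]+)["\']',
    re.IGNORECASE,
)


def scan_html(text):
    """Return the sorted list of suspicious ProgIDs instantiated in one HTML document."""
    found = set()
    for match in ACTIVEX_RE.finditer(text):
        progid = match.group(1)
        if progid.lower() in SUSPICIOUS_PROGIDS:
            found.add(progid)
    return sorted(found)


def scan_zip(data):
    """
    Inspect every HTML-like member of a zip held in memory.

    Returns (hits, nested): hits is a list of (member_name, [progids]) for
    members that instantiate a suspicious ActiveX object; nested lists any
    inner archives a caller should recurse into (not unpacked here).
    """
    hits = []
    nested = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(".zip"):
                nested.append(name)
                continue
            if not lower.endswith(HTML_EXTENSIONS):
                continue
            # Payload pages of this era were ASCII/Latin-1; decode leniently.
            text = zf.read(info).decode("latin-1", errors="replace")
            progids = scan_html(text)
            if progids:
                hits.append((name, progids))
    return hits, nested


def build_sample_archive():
    """Constructed sample archive: a benign page, a suspicious page, a text file, a nested zip."""
    benign = "<html><body><p>Hello from a plain page.</p></body></html>"
    # Constructed stand-in for the kind of payload the thread describes: the
    # page instantiates ADODB.Stream from JScript and a FileSystemObject from
    # VBScript. It performs no action; only the instantiation is present.
    suspicious = (
        "<html><script language='JScript'>\n"
        'var s = new ActiveXObject("ADODB.Stream");\n'
        "</script><script language='VBScript'>\n"
        'Set fso = CreateObject("Scripting.FileSystemObject")\n'
        "</script></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.html", benign)
        zf.writestr("mindjail.html", suspicious)
        zf.writestr("notes.txt", "not html, never scanned")
        zf.writestr("inner.zip", b"PK")  # placeholder nested archive, reported not unpacked
    return buf.getvalue()


if __name__ == "__main__":
    hits, nested = scan_zip(build_sample_archive())
    for name, progids in hits:
        print(f"{name}: instantiates {', '.join(progids)}")
    for name in nested:
        print(f"{name}: nested archive, recurse before delivering")
```

The check is deliberately conservative: it only reports members that actually instantiate a listed ProgID, so a plain HTML attachment passes, and it treats nested archives as something to recurse into rather than trusting them. As Nick notes, once a third-party unpacker has written the HTML to %TEMP%, IE's zone model no longer sees the original Internet/TIF origin, which is why the inspection has to happen on the archive before it is opened.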