Full Disclosure mailing list archives

RE: Spyware installs with no interaction in IE on fully patched XP SP2 box


From: "Todd Towles" <toddtowles () brookshires com>
Date: Mon, 4 Oct 2004 09:51:04 -0500

Yep, Themexp.org was my wallpaper stop for a while. But it was taken over
by new owners a while ago and it is turning south, into an
adware/spyware/pop-up site. Kinda sad, it was a very good site.

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Geraldo Rivera
Sent: Monday, October 04, 2004 8:47 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

themexp.org

I should have logged all the files and reg entries I deleted, 
but it was late at night and I wasn't really thinking about 
that at the time. I just checked my IE history for some of 
the things I googled and I found a bunch of them:

SahAgent.exe
webrebates0.exe
lu.dat
preInsln.exe
Systb.dll
wupdater.exe
eakrfu.exe
wupdt.exe
megasearch toolbar (www.megasearchbar.com) IEPlugin 
localnrd.dll multimpp.dll

From: "Joel R. Helgeson" <joel () helgeson com>
To: "Geraldo Rivera" <iamafraud () hotmail com>, <full-disclosure () lists netsys com>
Subject: Re: [Full-disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box
Date: Sun, 3 Oct 2004 14:13:52 -0500

What was the site?

Joel R. Helgeson
Director of Networking & Security Services SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and
he'll be warm for the rest of his life."

----- Original Message -----
From: "Geraldo Rivera" <iamafraud () hotmail com>
To: <full-disclosure () lists netsys com>
Sent: Sunday, October 03, 2004 1:16 PM
Subject: [Full-disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box


Last night I went to a site that I have been to on and off for years.
The page loaded and then in IE's status bar I saw something suspicious:
"installing components...atpartners.cab". I could not close out of IE,
and I could not kill the iexplorer.exe process. It totally locked up
and I had to reboot my machine. When my machine came back up, I had at
least 6 different pieces of spyware/adware on my machine. It took me
almost 2 hrs to clean up. I manually deleted a bunch of crap (stuff I
had found through the run key in the registry, suspicious processes
running, suspicious files in the usual dirs, and by searching for all
files modified at the time this happened). Even after all that,
Ad-Aware found 143 entries (none were cookies, mostly registry entries
and a few dll's) and then Spybot found an additional 2 registry entries.

This machine is a fully patched XP SP2 box, with the default security
settings for IE's Internet Zone. Does anybody know what method this
crap could be using to install without any user interaction?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




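The original poster's cleanup was done by hand: the registry Run key, running processes, the usual directories, and a search for files modified at the time of the drive-by install. The script below is an added triage example written for this archive page; it is not code from anyone in the thread and was not run on the poster's machine. It assumes a modern PowerShell (not the XP SP2 era tooling the poster had), and the `$IncidentTime`, `$WindowMinutes` and `$SearchRoots` parameters are assumptions you set for your own case. The watch-list of file names is taken from Geraldo's follow-up post; it is only used to flag matches, since the same names could legitimately appear elsewhere.

```powershell
# Added triage example for the thread above (not the poster's code).
# Lists Run/RunOnce autostart entries with their target file's signature
# status, flags names the poster reported, and finds files written within
# a window around the incident time. Parameters are assumptions to adjust.
param(
    [datetime]$IncidentTime  = (Get-Date).AddHours(-12),   # assumed; set to when the CAB install was seen
    [int]$WindowMinutes      = 30,                         # assumed search window on each side
    [string[]]$SearchRoots   = @("$env:SystemRoot\System32", "$env:SystemRoot",
                                 "$env:ProgramFiles", "$env:TEMP")
)

# File names Geraldo listed after cleaning up; used only as a watch-list
$reportedNames = @('SahAgent.exe', 'webrebates0.exe', 'lu.dat', 'preInsln.exe',
                   'Systb.dll', 'wupdater.exe', 'eakrfu.exe', 'wupdt.exe',
                   'localnrd.dll', 'multimpp.dll')

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable path from a Run-key command line ("quoted path" or first token)
function Get-TargetPath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine.Trim() -split '\s+')[0]
}

Write-Host "== Autostart entries (Run/RunOnce) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata properties
        $target = Get-TargetPath ([string]$p.Value)
        $exists = Test-Path -LiteralPath $target
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status } else { 'missing' }
        $mtime  = if ($exists) { (Get-Item -LiteralPath $target).LastWriteTime } else { $null }
        $flag   = if ($reportedNames -contains (Split-Path -Leaf $target)) { 'REPORTED-IN-THREAD' } else { '' }
        [pscustomobject]@{
            Key       = $key
            Name      = $p.Name
            Target    = $target
            Signature = $sig
            Modified  = $mtime
            Flag      = $flag
        } | Format-List
    }
}

Write-Host "== Running processes whose image is unsigned or on the watch-list =="
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $status = (Get-AuthenticodeSignature -FilePath $_.Path).Status
    $onList = $reportedNames -contains (Split-Path -Leaf $_.Path)
    if ($status -ne 'Valid' -or $onList) {
        [pscustomobject]@{ Pid = $_.Id; Name = $_.ProcessName; Path = $_.Path; Signature = $status; OnWatchList = $onList }
    }
} | Format-Table -AutoSize

# The poster's most useful manual step: everything written close to the incident time
$start = $IncidentTime.AddMinutes(-$WindowMinutes)
$end   = $IncidentTime.AddMinutes($WindowMinutes)
Write-Host "== Files written between $start and $end =="
foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end } |
        Select-Object FullName, LastWriteTime, Length |
        Format-Table -AutoSize
}
```

Run it from an elevated prompt so HKLM and the System32 tree are readable, and pass `-IncidentTime` as precisely as you can; the time-window listing is the part that turns up files no autostart entry points at, which is exactly what the poster found left over after the manual pass.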