Re:[Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box

From: devis (devis_at_easynix.net)
Date: 10/05/04

Next message: Thierry Carrez: "[ GLSA 200410-02 ] Netpbm: Multiple temporary file issues"

Previous message: m conover: "[Full-Disclosure] RE: On Polymorphic Evasion (an alphanumeric version)"
In reply to: Willem Koenings: "[Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box"
Next in thread: GuidoZ: "Re: [Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 05 Oct 2004 03:34:18 +0200

<cruncher:~/jpegs > file
ATPartners.cab
[ 3:25AM]
ATPartners.cab: Microsoft Cabinet file, 52795 bytes, 2 files
<cruncher:~/jpegs > cabextract
ATPartners.cab
[ 3:25AM]
ATPartners.cab: WARNING; possible 5688 extra bytes at end of file.
Extracting cabinet: ATPartners.cab
extracting ATPartners.inf
extracting ATPartners.dll

All done, no errors.
<cruncher:~/jpegs > more
ATPartners.inf
[ 3:25AM]
[version]
signature="$CHICAGO$"
AdvancedINF=2.0

[DefaultInstall]
CopyFiles=CopySystemFiles
RegisterOCXs=RegisterOCXSection
AddReg=RegistryEntries
RegisterDlls=RegDlls

[CopySystemFiles]
ATPartners.dll,,,34

[RegDlls]
11,,ATPartners.dll, 1

[DestinationDirs]
CopySystemFiles=11

[RegisterOCXSection]
"%11%\ATPartners.dll"

[RegistryEntries]

[SourceDisksNames]
1="CAB File",,,
<cruncher:~/jpegs >file
ATPartners.dll
[ 3:25AM]
ATPartners.dll: MS-DOS executable (EXE), OS/2 or MS Windows
<cruncher:~/jpegs > strings ATPartners.dll

<-- Garbage cut -->

        F1.Organizer.1 = s 'F1 Organizer Class'
                CLSID = s '{00000EF1-0786-4633-87C6-1AA7A44296DA}'
        F1.Organizer = s 'F1 Organizer Class'
                CLSID = s '{00000EF1-0786-4633-87C6-1AA7A44296DA}'
                CurVer = s 'F1.Organizer.1'
        NoRemove CLSID
                ForceRemove {00000EF1-0786-4633-87C6-1AA7A44296DA} = s
'F1 Organizer Class'
                        ProgID = s 'F1.Organizer.1'
                        VersionIndependentProgID = s 'F1.Organizer'
                        ForceRemove 'Programmable'
                        InprocServer32 = s '%MODULE%'
                        {
                                val ThreadingModel = s 'Apartment'
                        }
                        'TypeLib' = s
'{EF100007-F409-426a-9E7C-CB211F2A9786}'
MSFT
.....
OLEAUT32.dll
USER32.dll
WININET.dll
LoadLibraryA
GetProcAddress
RegCloseKey
SaveDC
CoTaskMemFree
GetDC
InternetOpenA
F1.DLL
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
<cruncher:~/jpegs >

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Next message: Thierry Carrez: "[ GLSA 200410-02 ] Netpbm: Multiple temporary file issues"

Previous message: m conover: "[Full-Disclosure] RE: On Polymorphic Evasion (an alphanumeric version)"
In reply to: Willem Koenings: "[Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box"
Next in thread: GuidoZ: "Re: [Full-Disclosure] Re: Spyware installs with no interaction in IE on fully patched XP SP2 box"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]