Re: [Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs

From: GuidoZ (uberguidoz_at_gmail.com)
Date: 10/08/04

    To: RandallM <randallm@fidmail.com>
    Date: Fri, 8 Oct 2004 01:22:50 -0500
    
    

    > Didn't mean to have you apologize, it did its job. It showed
    > That I was not vulnerable. I just found it interesting that my
    > AV called it something that could not be found through search.

    No worries Randall. =) I really should have warned about the possible AV
    warnings, as some might not understand what's actually going on. (I've
    gotten a few emails like "Ha! My antivirus stopped your ploy to infect
    me".) =P I can't explain it much better than I have.

    I figured that most people on this list would understand what was
    REALLY happening, but I should plan for as many scenarios as possible.
    This includes those that wouldn't understand what the virus warnings
    mean. Thanks for your clarification though Randall. Appreciate it. ;)

    --
    Peace. ~G
    On Thu, 7 Oct 2004 06:02:02 -0500, RandallM <randallm@fidmail.com> wrote:
    > GuidoZ
    > Didn't mean to have you apologize, it did its job. It showed
    > That I was not vulnerable. I just found it interesting that my
    > AV called it something that could not be found through search.
    > 
    > thank you
    > Randall M
    > 
    > > -----Original Message-----
    > > From: GuidoZ [mailto:uberguidoz@gmail.com]
    > > Sent: Thursday, October 07, 2004 1:16 AM
    > > To: RandallM
    > > Cc: full-disclosure@lists.netsys.com
    > > Subject: Re: [Full-Disclosure] RE: Full-Disclosure digest,
    > > Vol 1 #1955 - 19 msgs
    > > 
    > > It might be detected as Trojan.Moo or any other variant of
    > > the JPEG exploit. As I said, it attempts to exploit the
    > > system to see if it's vulnerable, using an "infected" JPG.
    > > The file I provided is simply a SFX with a batch file and
    > > the "infected" JPG (named exploit.bak). No attempt has been
    > > made at all to mask what's inside.
    > > 
    > > I figured those that would want to use it would either not
    > > worry about the virus warnings, or not get them at all and
    > > REALLY need the fix it helps provide. =) Email me at the
    > > address provided in my original email (exploit _AT_ guidoz
    > > _DOT_ com) and I'll provide a link to the batch files and
    > > such so you may modify them as you wish.
    > > 
    > > Sorry for any confusion with the AV. I should have warned
    > > about that in the original email. (Others have written me
    > > asking the same question.) I only provided it to possibly
    > > help others who have lots of friends asking them for help to
    > > patch their systems. This simply sees if they are
    > > vulnerable, then leads them through the steps to patch the
    > > system if they are. (You may have to tell them to ignore AV
    > > warnings, or disable the AV scanner. Again, I urge you to
    > > test this on a NON-PRODUCTION machine first. See what it
    > > contains, read the batch files, see what it downloads, etc.)
    > > 
    > > Please feel free to ask me any questions. Hope it helps someone else.
    > > 
    > > --
    > > Peace. ~G
    > > 
    > > 
    > > On Wed, 6 Oct 2004 20:59:28 -0500, RandallM
    > > <randallm@fidmail.com> wrote:
    > > > 
    > > > > --__--__--
    > > > > 
    > > > > Message: 14
    > > > > Date: Wed, 6 Oct 2004 15:53:32 -0700
    > > > > From: GuidoZ <uberguidoz@gmail.com>
    > > > > Reply-To: GuidoZ <uberguidoz@gmail.com>
    > > > > To: full-disclosure@lists.netsys.com
    > > > > Subject: [Full-Disclosure] Quick JPEG/GDI test & fix (timesaver)
    > > > > 
    > > > > Hello list,
    > > > > 
    > > > > I wrote a very simple program/batch file that tests for the JPEG
    > > > > exploit, then if affected, provides instructions on how to patch the
    > > > > exploit. It has been tested on my own lil happy lab network, as well
    > > > > as on one network where I'm a sysadmin. (Tested on Windows XP Home
    > > > > and Pro, SP1a and SP2.)
    > > > > 
    > > > > It DOES test for the exploit by attempting to use an "infected" JPG
    > > > > which downloads the instructions for fixing it, if exploited. By
    > > > > viewing the strings in the JPG, you can see the file it downloads
    > > > > and check it out for yourself. It's clean. =) Just contains a batch
    > > > > file and a program to launch the batch file. (The file that gets
    > > > > downloaded is a simple SFX.) Links are below. It contains a
    > > > > warning saying it's about to try to exploit the system and to save
    > > > > data in open programs. (It also warns that Explorer may crash.)
    > > > > 
    > > > > I wrote this merely to save myself time and allow friends/family to
    > > > > test their own systems, then patch them without having to call me
    > > > > for help. It's not been tested in every environment and in every
    > > > > scenario. If you find a problem, feel free to email me (exploit
    > > > > _AT_ guidoz _DOT_ com) Obviously I'm not responsible if it's abused
    > > > > somehow, or if it breaks something, etc. Feel free to modify it to
    > > > > suit your own needs, but use it at your own risk.
    > > > > 
    > > > > Test can be downloaded from here:
    > > > > http://www.guidoz.com/exploit-test.exe
    > > > > 
    > > > > Again, it's just an SFX archive with a batch file. Hopefully it
    > > > > will save someone else some time. I've used it to have
    > > > > friends/family (and a few clients) patch a total of
    > > > > around 30 machines without problems.
    > > > > 
    > > > > --
    > > > > Peace. ~G
    > > > > 
    > > > > 
    > > > > --__--__--
    > > > > 
    > > > > End of Full-Disclosure Digest
    > > > > 
    > > > 
    > > > Well, guess I'm safe. McAfee saw it as "Exploit-MntRedir.gen" and said...NO!
    > > > I googled it and it found nothing though. Thought it would at least
    > > > lead me to McAfee. McAfee search said:
    > > > 
    > > > "We found no records matching the following criteria:
    > > > Virus name containing "MntRedir.gen".
    > > > Please try narrowing your search by using fewer characters".
    > > > 
    > > > What gives?
    > > > 
    > > > thank you
    > > > Randall M
    > > > 
    > > > _______________________________________________
    > > > Full-Disclosure - We believe in it.
    > > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    > > > 
    > > 
    > 
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
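The original post suggests looking at the strings inside the "infected" JPG before trusting it, and the follow-up urges reading what the archive contains before running anything. The script below is an added example (not GuidoZ's tool, and not from the list) that does that inspection statically: it walks the JPEG marker segments, flags any segment whose 16-bit length field is below 2 (the length counts its own two bytes, so such a value is impossible in a well-formed file, and a comment segment with length 0 or 1 is exactly what triggered the GDI+ JPEG flaw Microsoft patched in September 2004), and dumps the printable strings so a download URL or batch-file reference is visible without ever rendering the image. The sample byte strings, the `example.invalid` URL and the function names are constructed for this example.

```python
"""Static triage of a JPEG: marker walk, impossible-length check, strings dump.

Added example, not part of the original mailing-list thread. Run it on a
suspect .jpg/.bak instead of opening the file in an image viewer.
"""
import struct
import sys

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def walk_markers(data: bytes):
    """Yield (offset, marker, declared_length) up to SOS or EOI.

    declared_length is None for standalone markers. Raises ValueError when
    the file is truncated or a marker is missing where one is expected.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield (0, SOI, None)
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker, start = data[pos], pos - 1
        pos += 1
        if marker in STANDALONE:
            yield (start, marker, None)
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        yield (start, marker, length)
        if marker == SOS or length < 2:
            # Entropy-coded data follows SOS; an impossible length gives us
            # nothing sane to advance by. Either way, stop here.
            return
        pos += length


def check_jpeg(data: bytes) -> dict:
    """Return the segment list plus human-readable findings for a JPEG."""
    segments, findings = [], []
    try:
        for off, marker, length in walk_markers(data):
            segments.append((off, marker, length))
            if length is None:
                continue
            if length < 2:
                findings.append(f"marker 0x{marker:02X} at offset {off}: "
                                f"length {length} < 2 (field counts itself; impossible)")
            elif off + 2 + length > len(data):
                findings.append(f"marker 0x{marker:02X} at offset {off}: "
                                f"segment runs past end of file")
    except ValueError as exc:
        findings.append(f"structure error: {exc}")
    return {"segments": segments, "findings": findings}


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII of at least min_len bytes, like `strings`."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


# Constructed samples (not real files from the thread).
GOOD = (b"\xff\xd8"                                                     # SOI
        + b"\xff\xe0" + struct.pack(">H", 16)
        + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"                # APP0/JFIF
        + b"\xff\xfe" + struct.pack(">H", 2 + 18) + b"constructed sample"  # COM
        + b"\xff\xd9")                                                  # EOI
BAD = (b"\xff\xd8" + b"\xff\xfe" + b"\x00\x00"                          # COM, length 0
       + b"http://example.invalid/payload" + b"\xff\xd9")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else BAD
    report = check_jpeg(blob)
    for off, marker, length in report["segments"]:
        print(f"  offset {off:6d}  marker 0x{marker:02X}  length {length}")
    for f in report["findings"]:
        print("  FINDING:", f)
    for s in printable_strings(blob):
        print("  string:", s)
```

Usage: `python jpeg_triage.py exploit.bak` lists the segments, prints a FINDING line for any impossible length, and lists the embedded strings; on a clean photo the findings list is empty. The walker stops at SOS on purpose, because scan data is entropy-coded and marker-sniffing inside it gives false hits.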
    
