Re: AIM Password theft
Date: 09/24/03

  • Next message: DarkKnight: "Re: [Fwd: Re: AIM Password theft]"
    To: <>
    Date: Wed, 24 Sep 2003 18:44:47 -0000


     Out of curiosity I
    followed that link which loaded start.html (attached).


    Caution: off-site archives will and have already stored this as:

    text/plain attachment: start.txt

    Tested on neohapsis


    Due to the 'never-addressed-mime-issue' of Internet Explorer reading
    even dog poo as html, opening start.txt will effect the exploit


     C:\Program Files\Windows Media Player\wmplayer.exe

    will be overwritten by simply viewing the attached text file.

    It is apparent the original intended payload .exe is no longer at the
    location, but the wmplayer.exe is still overwritten with a 1KB
    wmplayer.exe containing the following:

    <TITLE>404 Not Found</TITLE>
    <H1>Not Found</H1>
    The requested URL /eg/1.exe was not found on this server.<P>
    <ADDRESS>Apache/1.3.26 Server at Port 80</ADDRESS>


  • Next message: DarkKnight: "Re: [Fwd: Re: AIM Password theft]"