IE/WMP Exploit

From: Carlos Kramer (
Date: 06/15/04

Date: Tue, 15 Jun 2004 00:19:49 +0000

I saw the analysis and the stuff I've seen appears to be
different and use a different exploit - maybe just a variation on a theme?
But it overwrites wmplayer.exe and seems to use a WMP exploit as well as
IE exploits.

It compromises a fully patched Windows 2000, IE6, WMP7 machine.

FWIW attached is some information and a copy of the file which replaced
Windows Media Player. Unfortunately I couldn't capture the actual exploit
code but I'm sure it's available to those who wish to dig.

The URL which linked to the exploit was at:-

This popped up six windows which installed both the default-homepage-network
hijacker and also some nasty stuff from
is bogus and moves quickly - when I got the executable it was on an
unused parked server at a large hosting company. It is currently resolving
to -

These URLs were used to do the compromise:-

This crashed Windows Media Player and then it was overwritten with a small
Windows executable (I have it if you want it) - this was called wmplayer.exe
and was in the Windows Media Player folder. The real Windows Media Player
had been deleted.

Windows Media Player showed this error:-

Invalid name: mmsu:///. The file name specified is incorrect.
Invalid name: http:///. The file name specified is incorrect.
Cannot open. Please verify that the path and filename are correct and try
again. (Error=C00D002B)

The next time a WMP media file was accessed the new wmplayer.exe file ran
and installed lots of adware, junkware, spyware etc, etc. BetterInternet,
ClockSync, Internet Speed Check, and much more...

Anyway attached is a description of the various windows which popped up and
their contents. I don't know if this is of interest to anyone or even the
correct forum - but hopefully it's of use. (I put them in an attachment as
they have scripts and HTML which email clients may try to render).
