Re: Is this a new virus ?

From: Dave Korn (no.spam_at_my.mailbox.invalid)
Date: 07/28/03

    Date: Mon, 28 Jul 2003 16:42:14 +0100

    "Walter Dnes" <waltdnes@waltdnes.org> wrote in message
    news:bg11fm$jmr6v$2@ID-146822.news.uni-berlin.de...
    > I got the following in my inbox today.

    It's a fairly well known virus, although I don't know the name. It has the
    distinction of being the first to spread by using the IE self-executing HTML
    exploits developed by malware.com and greymagic security.

    > > [-- Attachment #2: readme.zip --]
    > > [-- Type: text/plain, Encoding: base64, Size: 1.6K --]
    > > Content-Type: text/plain; name="readme.zip"
    > > Content-Transfer-Encoding: base64
    > > Content-Disposition: attachment; filename="readme.zip"
    > > Content-ID: <readme.zip>

    The zip encapsulation is basically irrelevant, although it does make it
    harder for some AV software to spot.

    > They weren't kidding about "details in readme.htm file" either. I
    > unzipped it and the so-called "readme.htm" file began with...
    >
    > > MIME-Version: 1.0
    > > Content-Location:file:///aaa.exe
    > > Content-Transfer-Encoding: base64
    > >
    > > TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAA
    >
    > [...snip rest of EXE...] Yes folks, an executable file. This was
    > followed by some funky javascript...

    ...of which the critical bit is...

    ><object
    > classid="clsid:11111111-1111-1111-1111"
    > CODEBASE="mhtml:'+path+'\\readme.htm!file:///aaa.exe"></object>')}

    > I don't claim to understand javascript or Windows. Am I reading this
    > properly ? Opening "readme.htm" with IE will launch an EXE file ???

    ... see http://www.malware.com/broked.html

    see also all other pages at http://www.malware.com/ and at
    http://sec.greymagic.com/adv/

    > Since this is all done locally, I assume that what passes for "internet
    > security" on Windows won't be invoked, and the program will have the
    > full privileges of the user.

    Well, the internet security is applied to the original .html file. But that
    doesn't do much: when you launch a .html file from a local folder, you are
    running in the 'My computer' security zone, which by default permits all
    active-x and scripting and offers no warnings. This then permits the
    CODEBASE exploit (which can be defeated if you refuse active-x) to be used
    to get the executable running; and, as you say, once the exe is running it
    is outside the IE sandbox and has the full privs of the user.

    By default, the IE Security zones property *** hides the "My computer"
    zone, preventing you from editing it. To enable the display of the "My
    computer" zone and edit the security properties, you need to find the
    registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0

    and edit the "Flags" value under it. This starts off as 0x21 (REG_DWORD) and
    should be changed to 0x01. I don't remember if you have to shut down and
    restart Explorer or if the change takes effect immediately, but once you've
    done that you can lock down active-x and scripts from running locally. I
    set them to prompt, rather than disabling them totally, because the M$ HTML
    help for MSDN / VC etc. uses both scripts and active-x extensively.

            DaveK

    --
    moderator of
    alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
    Burn your ID card!  http://www.optional-identity.org.uk/
    Help support the campaign, copy this into your .sig!
    Proud Member of the Exclusive "I have been plonked by Davee because he
    thinks I'm interesting" List Member #<insert number here>
    Master of Many Meowing Minions
    Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
    and beyond the call of hilarity.
    PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E  6484 C441 CEC7 D2BD
    
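The markers quoted in the thread (a MIME part whose Content-Location points at a local file:/// path, a base64 body starting with "TVqQ", which is the "MZ" header of a PE executable, and an <object> tag whose CODEBASE uses the mhtml: scheme) are enough for a triage scan of suspicious .htm attachments. The following PowerShell function is an added example, not code from the original post; the function name, the regular expressions and the quarantine folder in the usage line are my own choices, and the match is a heuristic on the raw text, not an AV engine.

```powershell
# Added example: flag .htm/.html files carrying the MHTML-dropper markers
# quoted in the thread. Heuristic text matching only; assumptions are noted inline.

function Test-MhtmlDropper {
    param([Parameter(Mandatory)][string]$Path)

    $text = Get-Content -Path $Path -Raw -ErrorAction Stop

    # Each indicator is one of the lines quoted in the post, turned into a regex.
    $hits = [ordered]@{
        # "Content-Location:file:///aaa.exe" - a MIME part mapped to a local path
        LocalContentLocation = $text -match '(?im)^Content-Location:\s*file:///'
        # "TVqQ..." at the start of a line - base64 of the "MZ" PE header
        Base64PeHeader       = $text -match '(?m)^TVqQ'
        # CODEBASE="mhtml:..." - the <object> tag that pulls the part out again
        MhtmlCodebase        = $text -match '(?i)CODEBASE\s*=\s*["'']?mhtml:'
    }

    [pscustomobject]@{
        File       = $Path
        Indicators = ($hits.GetEnumerator() | Where-Object Value | ForEach-Object Key) -join ','
        Suspicious = ($hits.Values -contains $true)
    }
}

# Usage (folder name is a placeholder): scan quarantined attachments and list the hits.
# Get-ChildItem -Path C:\Quarantine -Include *.htm,*.html -Recurse |
#     ForEach-Object { Test-MhtmlDropper -Path $_.FullName } |
#     Where-Object Suspicious
```

A single indicator is reported as suspicious on purpose: a benign saved web page (.mht) can legitimately contain Content-Location headers, so the Indicators column is there to let an analyst see which of the three markers fired before deciding anything.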

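The registry change described above can be scripted so that it is inspected first and applied only on request. This PowerShell function is an added example, not from the original post; it uses the HKLM key and the Flags value the post names, and assumes that the 0x20 bit of Flags is what hides the "My computer" zone from the Internet Options dialog (the post's 0x21 -> 0x01 change is exactly that bit being cleared, and the script clears only that bit rather than overwriting the whole value). Writing to HKLM needs an elevated prompt.

```powershell
# Added example: show the "My Computer" security zone (zone 0) in IE's
# Internet Options by clearing the hide bit of its Flags value.
# Assumption: bit 0x20 hides the zone; the remaining bits are left untouched.

$ZonePath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$HiddenBit = 0x20

function Get-MyComputerZoneFlags {
    # Returns the current REG_DWORD "Flags" value for zone 0, or $null if it is absent.
    $item = Get-ItemProperty -Path $ZonePath -Name 'Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Flags
}

function Show-MyComputerZone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $flags = Get-MyComputerZoneFlags
    if ($null -eq $flags) {
        Write-Warning "No Flags value found under $ZonePath"
        return
    }
    Write-Host ('Current Flags: 0x{0:X2}' -f $flags)

    if (($flags -band $HiddenBit) -eq 0) {
        Write-Host 'Zone 0 (My Computer) is already visible in Internet Options.'
        return
    }

    # Clear only the hide bit (0x21 becomes 0x01, matching the post); keep any other bits.
    $newFlags = $flags -band (-bnot $HiddenBit)
    if ($PSCmdlet.ShouldProcess($ZonePath, ('Set Flags to 0x{0:X2}' -f $newFlags))) {
        Set-ItemProperty -Path $ZonePath -Name 'Flags' -Value $newFlags -Type DWord
        Write-Host ('Flags changed to 0x{0:X2}; reopen Internet Options to edit the zone.' -f $newFlags)
    }
}

# Usage from an elevated prompt:
#   Show-MyComputerZone -WhatIf   # preview the change
#   Show-MyComputerZone           # apply it
```

Once the zone is visible, the ActiveX and scripting settings for it are edited in the Internet Options dialog as the post describes; the script deliberately stops at unhiding the zone rather than pushing particular per-setting values, since the right choice (prompt versus disable) depends on what local HTML content the machine needs to run.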