Back to list
Re: a dangerous fast spreading (yet simple) trojan horse.
Oct 27 2003 05:47PM
K-OTiK Security (Special-Alerts k-otik com)
it uses a well known IE unpatched vulnerability discovered by jelmer on Sep 11 2003 "Windows Media Player & Internet Explorer File Download and Execution" :
To prevent this exploit : Disable Active Scripting
K-Otik Staff /// http://www.k-otik.com
----------------------- POC -------------------------
var x = new ActiveXObject("Microsoft.XMLHTTP");
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
>From: "Gadi Evron" <ge (at) egotistical.reprehensible (dot) net [email concealed]>
>Subject: a dangerous fast spreading (yet simple) trojan horse.
>Date: Mon, 27 Oct 2003 16:52:57 -0800
>I usually do not email about "new" trojan horses unless they have
>something "special" about them, for there are a lot of them coming out
>non-stop. However, with this one,
>Although quite simple, is very destructive and spreading at incredible
>The trojan horse spreads by people going to different URL's to download
>a *.jpg (started with britney.jpg).
>The jpeg is actually an HTML file, and when the web browser receives it,
>it thinks that it is a server error message for the file not existing,
>and loads the page.
>attempt to hide what it does, downloads patch.exe and replaces
>mplayer.exe with the new file.
>patch.exe connects to the mIRC DDE server, causing mIRC to spam, and
>then it start ruining the system's registry. Starting to delete keys at
>root and enumerating from there, one at a time.
>What I signify, and forgive my language, as an "Hump and dump" trojan
>This reminds me of the first patch.exe trojan horse, that was purely a
>destructive file - back in 95/96.
>I would also like to commend angelfire for shutting down the first web
>page this appeared on very quickly. They always respond to abuse in a
>timely manner. The geocities page is still up last time I checked.
>Not very complicated, but interesting, and very dangerous.
> Gadi Evron (i.e. ge),
> ge (at) linuxbox (dot) org. [email concealed]
>gevron (at) netvision.net (dot) il [email concealed]
>PGP Key: 2048/2048 (Size) 0x2D3D6741 (ID).
>Fingerprint: 0EB3 00BC 974B 3C2B 336D 6486 ECA5 2D0D 2D3D 6741.
[ reply ]
Copyright 2010, SecurityFocus