Just wanted to add that Norton Anti-Virus 2004 will detect this exploit and
pop up a warning, but also fails to halt its execution or protect the user
in any way.
So there is some measure of warning, but no real protection.
At 04:35 PM 3/29/2004 +0200, Jelmer wrote:
>The code used by this worm to exploit it's users at least partly is (i
>think) new , the vulnerability it abused has afaik not been published on
>eighter bugtraq or full-disclosure. possibly making it (one of?) the first
>worm to totally catch people offguard.
>
>It allows a mallicious person to take any action on an unsuspecting user who
>view's a specially prepared page's pc
>
>The known ingredient it uses is :
>http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/1758.htm
l
>that has gone unpatched for over 5 months now
>
>The remainder of the exploit manages to confuse this same adodb.stream
>object enough to make it think it's being run from a local location
>
>You can protect yourself against it by running
>http://ip3e83566f.speed.planet.nl/hacked-by-chinese/fix.reg
>
>
>I attached sample code myself to illustrate the problem, because
>http-equiv's was messy :)
>This one should be more straightforward to use
>
>Instructions :
>
>1. unzip
>2. overwrite exploit.exe with the executable you wish to run, or leave it
>untoched if you want to see some nice texturemapped rotation
>3. upload the files to a webserver
>4. view exploit.htm
>
>Tested on winxp pro all patches
>
>for the lazy ones among you can also view a demonstration here :
>
>http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm
pop up a warning, but also fails to halt its execution or protect the user
in any way.
Here is what it thinks it is:
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.explo
it.6.html
So there is some measure of warning, but no real protection.
At 04:35 PM 3/29/2004 +0200, Jelmer wrote:
>The code used by this worm to exploit it's users at least partly is (i
>think) new , the vulnerability it abused has afaik not been published on
>eighter bugtraq or full-disclosure. possibly making it (one of?) the first
>worm to totally catch people offguard.
>
>It allows a mallicious person to take any action on an unsuspecting user who
>view's a specially prepared page's pc
>
>The known ingredient it uses is :
>http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-08/1758.htm
l
>that has gone unpatched for over 5 months now
>
>The remainder of the exploit manages to confuse this same adodb.stream
>object enough to make it think it's being run from a local location
>
>You can protect yourself against it by running
>http://ip3e83566f.speed.planet.nl/hacked-by-chinese/fix.reg
>
>
>I attached sample code myself to illustrate the problem, because
>http-equiv's was messy :)
>This one should be more straightforward to use
>
>Instructions :
>
>1. unzip
>2. overwrite exploit.exe with the executable you wish to run, or leave it
>untoched if you want to see some nice texturemapped rotation
>3. upload the files to a webserver
>4. view exploit.htm
>
>Tested on winxp pro all patches
>
>for the lazy ones among you can also view a demonstration here :
>
>http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm
[ reply ]