
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
[Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Geraldo Rivera (iamafraudhotmail.com)
Date: Sun Oct 03 2004 - 13:16:40 CDT


Last night I went to a site that I have been to on and off for years. The
page loaded and then in IE's status bar I saw something suspicious:
"installing components...atpartners.cab". I could not close out of IE, and I
could not kill the iexplorer.exe process. It totally locked up and I had to
reboot my machine. When my machine came back up, I had at least 6 different
pieces of spyware/adware on my machine. It took me almost 2 hrs to clean up.
I manually deleted a bunch of crap (stuff I had found through the run key in
the registry, suspicious processes running, suspicious files in the usual
dir's, and by searching for all files modified at the time this happened).
Even after all that, Ad-Aware found 143 entries (none were cookies, mostly
registry entries and a few dll's) and then Spybot found an additional 2
registry entries.

This machine is a fully patched XP SP2 box, with the default security
settings for IE's Internet Zone. Does anybody know what method this crap
could be using to install without any user interaction?



 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Joel R. Helgeson (joelhelgeson.com)
Date: Sun Oct 03 2004 - 14:13:52 CDT


What was the site?

Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation

"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life."
----- Original Message -----
From: "Geraldo Rivera" <iamafraudhotmail.com>
To: <full-disclosurelists.netsys.com>
Sent: Sunday, October 03, 2004 1:16 PM
Subject: [Full-Disclosure] Spyware installs with no interaction in IE on
fully patched XP SP2 box

> Last night I went to a site that I have been to on and off for years. The
> page loaded and then in IE's status bar I saw something suspicious:
> "installing components...atpartners.cab". I could not close out of IE, and
> I could not kill the iexplorer.exe process. It totally locked up and I had
> to reboot my machine. When my machine came back up, I had at least 6
> different pieces of spyware/adware on my machine. It took me almost 2 hrs
> to clean up. I manually deleted a bunch of crap (stuff I had found through
> the run key in the registry, suspicious processes running, suspicious
> files in the usual dir's, and by searching for all files modified at the
> time this happened). Even after all that, Ad-Aware found 143 entries (none
> were cookies, mostly registry entries and a few dll's) and then Spybot
> found an additional 2 registry entries.
>
> This machine is a fully patched XP SP2 box, with the default security
> settings for IE's Internet Zone. Does anybody know what method this crap
> could be using to install without any user interaction?


 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: Harlan Carvey (keydet89yahoo.com)
Date: Sun Oct 03 2004 - 14:36:38 CDT


> > This machine is a fully patched XP SP2 box, with the default security
> > settings for IE's Internet Zone. Does anybody know what method this crap
> > could be using to install without any user interaction?

It's a little hard to tell accurately without taking a
look at what you removed; ie, saying that you cleaned
things out of the Registry is great, but without
knowing what keys you "cleaned", it's hard to tell.

However, doing a quick search on Google for
"atpartners", some of the info I found points to
BHOs...

Sorry, wish I could help more, but I'd need more info...

=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://groups.yahoo.com/group/windowsir/

"Meddle not in the affairs of dragons, for
you are crunchy, and good with ketchup."

"The simplicity of this game amuses me.
Bring me your finest meats and cheeses."
------------------------------------------
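The two places named in this thread, the Run keys the original poster cleaned by hand and the Browser Helper Objects Harlan points to, can be enumerated in one pass. The script below is an added example written for this page, not code from any poster; it assumes a current Windows PowerShell session with read access to the registry, and the $Since/$Until window is a placeholder for the time the infection was observed. It resolves each autostart value and each BHO CLSID to its on-disk file, then flags files that are missing, that were written inside the window, or that carry no valid Authenticode signature, which is the same "files modified at the time this happened" check done by hand in the first post, applied to the specific load points.

```powershell
# Added example (not from the thread): enumerate Run/RunOnce autostart values and
# registered Browser Helper Objects (BHOs), resolve each to its on-disk file, and
# flag entries worth a closer look during cleanup.
# Assumptions: Windows PowerShell with registry read access; $Since/$Until are
# placeholders for the incident window (default: the last 24 hours).

param(
    [datetime]$Since = (Get-Date).AddHours(-24),
    [datetime]$Until = (Get-Date)
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Resolve-ImagePath {
    param([string]$Command)
    # Reduce a Run value ("C:\x\y.exe" /arg, or y.exe /arg) to the executable path.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command)
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(\S+\.(exe|dll|cmd|bat))') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-Suspect {
    param([string]$Path)
    # Returns the list of reasons this load point deserves attention (empty = none).
    $reasons = @()
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return @('file missing')
    }
    $item = Get-Item -LiteralPath $Path
    if ($item.LastWriteTime -ge $Since -and $item.LastWriteTime -le $Until) {
        $reasons += "modified in window ($($item.LastWriteTime))"
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "no valid signature ($($sig.Status))" }
    return $reasons
}

$findings = @()

# 1. Run / RunOnce autostart values for the machine and the current user.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        $path = Resolve-ImagePath $p.Value
        $findings += [pscustomobject]@{
            Source  = "Run:$key\$($p.Name)"
            Path    = $path
            Reasons = (Test-Suspect $path) -join '; '
        }
    }
}

# 2. Browser Helper Objects: each subkey is a CLSID; the DLL lives under HKCR.
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid  = $sub.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server).'(default)'
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
        }
        $findings += [pscustomobject]@{
            Source  = "BHO:$clsid"
            Path    = $dll
            Reasons = (Test-Suspect $dll) -join '; '
        }
    }
}

# Entries with reasons sort to the top; an empty Reasons column means nothing flagged.
$findings | Sort-Object Reasons -Descending | Format-Table -AutoSize
```

Running it before removing anything answers Harlan's point directly: it records which keys and files were present, so the list of what was "cleaned" exists before the cleanup. Run keys are only two of many autostart locations (services, Winlogon, scheduled tasks and so on are not covered here), so an empty result is not proof of a clean machine.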



 
Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box

From: GuidoZ (uberguidozgmail.com)
Date: Sun Oct 03 2004 - 14:29:09 CDT


What's the website address? Most likely looking at the html/scripting
would be the easiest way to find the answer.

--
Peace. ~G

On Sun, 03 Oct 2004 14:16:40 -0400, Geraldo Rivera
<iamafraudhotmail.com> wrote:
> Last night I went to a site that I have been to on and off for years. The
> page loaded and then in IE's status bar I saw something suspicious:
> "installing components...atpartners.cab". I could not close out of IE, and I
> could not kill the iexplorer.exe process. It totally locked up and I had to
> reboot my machine. When my machine came back up, I had at least 6 different
> pieces of spyware/adware on my machine. It took me almost 2 hrs to clean up.
> I manually deleted a bunch of crap (stuff I had found through the run key in
> the registry, suspicious processes running, suspicious files in the usual
> dir's, and by searching for all files modified at the time this happened).
> Even after all that, Ad-Aware found 143 entries (none were cookies, mostly
> registry entries and a few dll's) and then Spybot found an additional 2
> registry entries.
>
> This machine is a fully patched XP SP2 box, with the default security
> settings for IE's Internet Zone. Does anybody know what method this crap
> could be using to install without any user interaction?


 
[Full-Disclosure] Re: Hi

From: Ndebaggis (ndebaggisverizon.net)
Date: Sun Oct 03 2004 - 15:21:01 CDT