http-equiv_at_excite.com
Date: Fri Jul 26 2002 - 04:48:17 CDT


    Nick FitzGerald <nickvirus-l.demon.co.uk> said:

    > Jeff Kell <jeff-kellutc.edu> replied to http-equivmalware.com:
    >
    > [I thought I replied to "http-equiv"'s message earlier, but on
    > checking I sent it direct, not to the lists...]
    >
    > > > Just tested something here. Typically IE can or will open files
    > > > depending what the contents are regardless of the extension that it
    > > > is: <html> tag in a gif or some other file type should or can be
    > > > rendered by IE for what the contents are, not the extension.
    > >
    > > The Windows run function (IE viewer) ignores the extension (sort of) if
    > > the file is in a portable OLE-type format. For example, go in Word and
    > > create "foo.doc". Exit and rename "foo.doc" to "foo.fubar". Double
    > > click "foo.fubar" and Word opens up. Same for Excel and other things.
    > >
    > > If the extension is known, it appears to try and use it. If not, it
    > > will look for OLE-extensions and launch what matches.
    >
    > It's the other way around -- if a file's extension is not registered
    > on the system trying to "run" (or "open") the file, depending on how
    > it is being "opened", some further checks than just "what is
    > registered to handle this extension" are made. One of those checks
    > determines whether the file is apparently internally an OLE2 file,
    > and if so the application registered to handle the CLSID of the root
    > directory entry in the OLE2 file is directed to open the file. If
    > that CLSID is also not registered then the usual "Open With..."
    > dialog appears. Another file type tested for in this process is the
    > DOS ("MZ") EXE format, which can be run "as normal", depending on the
    > "open" method used, despite having been renamed to a non-EXE
    > extension.
    >
    > Thus, "http-equiv"'s discovery that a non-extensioned EXE could be
    > launched through one of these code execution holes is not all that
    > surprising...

    For clarity's sake, in this particular instance it was only the meta
    refresh that was non-extensioned.

    In the embedded folder we had / have:

    malware.exe
    malware [the mhtml file -- no extension]

    <META http-equiv=refresh content="1;
    &#13;&#10;url=file://C:\WINDOWS\Application
    Data\Qualcomm\Eudora\Embedded\malware">

    The refresh tag is pointing to malware -- what it does is skip over
    the non-extensioned mhtml file, and instead, open malware.exe
    directly.

    --
    http://www.malware.com
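An added example, not code from the thread or from Neohapsis: a small Python checker that applies the same content tests the thread describes (OLE2 compound-file signature, MZ header, HTML markup inside a GIF) and flags files whose extension, or lack of one, does not match what the bytes say. The file names and byte strings are constructed samples, and the extension table is an assumption for illustration.

```python
"""Flag files whose sniffed content type disagrees with their extension.
Added example; the samples below are constructed, not real files."""
import os

# Signatures the thread mentions: OLE2 compound file and DOS/Windows MZ executable.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MZ_MAGIC = b"MZ"
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Assumed extensions a shell handler would normally associate with each type.
EXPECTED_EXT = {
    "ole2": {".doc", ".xls", ".ppt", ".msi"},
    "mz": {".exe", ".dll", ".scr", ".com"},
    "html": {".htm", ".html", ".mht", ".mhtml"},
    "gif": {".gif"},
}


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, as a content sniffer would."""
    head = data[:1024]
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    if head.startswith(MZ_MAGIC):
        return "mz"
    if head.startswith(GIF_MAGICS):
        # A GIF carrying an <html> tag is the case the thread says IE renders.
        return "html" if b"<html" in head.lower() else "gif"
    if b"<html" in head.lower() or b"<meta" in head.lower():
        return "html"
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Report detected type vs. extension; a missing or unexpected extension
    on OLE2/MZ/HTML content is what the thread warns about."""
    ext = os.path.splitext(name)[1].lower()
    kind = sniff_type(data)
    suspicious = kind != "unknown" and ext not in EXPECTED_EXT[kind]
    return {"name": name, "ext": ext or "<none>", "type": kind, "suspicious": suspicious}


# Constructed samples: renamed OLE2 file, extensionless EXE, GIF with HTML inside.
SAMPLES = {
    "foo.fubar": OLE2_MAGIC + b"\x00" * 24,
    "malware": MZ_MAGIC + b"\x90\x00\x03\x00",
    "picture.gif": b"GIF89a" + b"\x00" * 7 + b"<html><body>x</body></html>",
    "report.doc": OLE2_MAGIC + b"\x00" * 24,
}


def scan(samples=SAMPLES) -> list:
    return [check_file(n, d) for n, d in samples.items()]
```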