New Worm via IE Object Data Exploit
Results 1 to 4 of 4

Thread: New Worm via IE Object Data Exploit

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    New Worm via IE Object Data Exploit

    Yeah, I've had quite a fun day here....

    Look out for this little bugger as I have got this infection at one site already.

    http://www.europe.f-secure.com/v-descs/delude.shtml

    Snip:

    NAME: Delude
    ALIAS: Trojan.BAT.Startpage.a

    Delude is a trojan that is available on a web page. The web page contains a code that uses a vulnerability in the Internet Explorer (MS03-032) to execute.

    More information about the vulnerability, including a fix, is available from Microsoft at: http://www.microsoft.com/security/se...s/ms03-032.asp
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    let me ask you, how did they wind up at the bad page to begin with? did someone send them a link or did you just get the standard reply...idonknow

    i can see how a batch file can download a file via ftp and execute it but how does it change the start page. unless it writes and calls a wsh script.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    We got a few responses. Some were honest and said they clicked on one of those online "win a prize" or "go here because you are a winner". Others said they received a "wierd" e-mail and clicked on the link (which makes the most sense to me). Others lied and said that they didn't do anything.

    So far we have seen several variations of this. Some point to NS1.AOL.COM and crash IE when you try to run media player within IE. This one is removed easily with SpyBot but there are a few other variations that point to other name servers and also add host file entries, etc.

    Whatever this is, it is quite nasty. The virus link I posted, while not "hot off the press" seems to be at very least related to the new variations we have seen over the past few days.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Banned
    Join Date
    Aug 2003
    Posts
    130
    What is the script written in?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides