Thread: virus threat

  1. #1
    Junior Member
    Join Date
    Feb 2002

    virus threat

    Please, this seems lame, but I need help with my computers, which are in a network. I have been subjected to the whims and caprices of a virus I cannot define...... this is the extension: 'xwav.eml.exploit'

  2. #2
    Um, I'm not familiar with that file, but what kind of loser would name his/her virus with a .exploit extension? The only thing I can suggest is to get a good virus scanner and a good firewall. I'm not familiar with that specific virus so I can't help any more than that.

  3. #3
    Senior Member
    Join Date
    Nov 2001
    GreyMagic Security Advisory GM#002-IE
    By GreyMagic Software, Israel.
    22 Mar 2002.
    Topic: Automatically opening IE + Executing attachments.

    Discovery date: 15 Mar 2002.

    Affected applications:
    Any application that hosts the WebBrowser control is affected since this exploit does not require Active Scripting or ActiveX. Some of these applications are:

    Qualcomm Eudora
    Microsoft Outlook
    Microsoft Outlook Express
    This advisory contains two issues, but since they are closely linked together it was decided to release it as one.

    The focus will be on the more generic issue, the ability to open the Microsoft Internet Explorer application and have it fetch a URL regardless of the zone in which the user resides or the application in use.

    WMV/WMA stands for Windows Media Video/Audio. It is a proprietary format developed by Microsoft for video/audio streaming (also available for offline uses).

    WMV/WMA generally plays under Windows Media Player and has the ability to include a form of script that lets developers control various aspects of the movie.

    One of the available script features is the URL command, which enables the player to open a URL at a specific time in the media's timeline.

    This means that even if it is played in the "Restricted zone", it can easily open a URL in the "Internet zone" or any other zone in which a URL is known to exist and over which the attacker has control.

    A few methods are available for playing WMV/WMA on a web page:

    Windows Media Player, which requires use of the <object> element - isn't usable in the "Restricted zone".
    The <embed> element, which is sometimes filtered out (see Eudora).
    The dynsrc property of the <img> element.
    And more...
    A good example of where this issue is dangerous is when an attacker knows the path to attached files.

    Eudora is a popular email client; by default it uses the WebBrowser control for viewing email messages. However, it attempts to secure itself by filtering out elements such as <iframe>, <object>, <embed>, etc.

    Eudora stores its attachments (by default) in "C:/Program Files/Qualcomm/Eudora/Attach"; an attacker is likely to guess other paths to Eudora, such as different drive letters or similar minor changes.

    When an email is sent to Eudora containing the following HTML content:

    <style>a { display:none; }</style>
    Hello, Eudora.
    <xml:namespace prefix="t"/>
    <t:video style="display:none;behavior:url(#default#time);" t:src="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv"/>

    And the following attachments:

    gmlaunch.wmv (~4 KB)
    gmbind.html (~1 KB)
    The following chain of events occurs:

    The victim receives the email; Eudora immediately copies all attachments to "C:/Program Files/Qualcomm/Eudora/Attach".
    The victim clicks on the email in order to delete it or view it in the preview pane.
    The HTML in the email renders; the style sheet removes any sign of the attached files (Eudora shows them as <a> elements), so the only indication the victim has that there are attached files is the little icon next to the message.
    The <t:video> element causes the attached "gmlaunch.wmv" to play; the victim sees no sign of any media playing thanks to the display style attribute.
    "gmlaunch.wmv" opens Microsoft Internet Explorer and points it at the attached "gmbind.html".
    "gmbind.html" (now in the "My Computer zone") immediately issues a "blur()" DOM command, increasing the chance of the victim not noticing it.
    "gmbind.html" then continues to include an <object> element with its codebase attribute pointing at the attached "malicious.exe".
    "malicious.exe" is executed; the attacker now has full control over the victim's computer.
    All this happens in less than 2 seconds; there is hardly anything the user can do to prevent this chain reaction once the email is viewed.

    This exploit is not limited to Eudora in any way and can be utilized in any application that uses the WebBrowser control (even in the "Restricted zone") and has a predictable path to attached files.

    Confirmed to work with Qualcomm Eudora 5.1, prior versions may be affected as well.
    It's theoretically possible to do the same with Outlook and Outlook Express by using the cid: protocol instead of the known path. When the URL that "gmlaunch.wmv" tries to open is relative (i.e. "some.html" instead of "file://c:/some.html") it is opened relative to the folder which contains "gmlaunch.wmv" - the Temporary Internet Files folder in this case.

    The rest is pretty similar from there on, except that some well-known trickery is needed in order to put the attached files in the temporary files folder and that some more scripting is needed on the opened HTML in order to parse the path and inject it to the <object> element.

    However, we did not have time to fully test the above with Outlook.

    Eudora users: Do not use the WebBrowser control to view messages; go to Tools -> Options -> Viewing Mail and uncheck "Use Microsoft's viewer". You could also change the attachments folder to something unique.

    Vendors using the WebBrowser control: Under no circumstances use predictable paths for foreign attachments.

    Microsoft was first informed on 17 Mar 2002; they have opened an investigation regarding this issue.
    Qualcomm was informed on the same day; we did not receive a reply.

    Tested on:
    The following tested applications all automatically open Microsoft Internet Explorer as a result of running WMV/WMA.

    Microsoft Internet Explorer 5/5.5/6.
    Qualcomm Eudora 5.1, "Sponsored mode".
    Microsoft Outlook Express 5/6.
    Microsoft Outlook 2000.
    Maybe it's something to do with that perhaps?
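One defensive use of the advisory's details is to screen HTML mail bodies for the same constructs before a client renders them: auto-playing media elements, the HTML+TIME behavior that starts a hidden <t:video>, file:// references into a predictable attachment folder, and a stylesheet that hides the <a> elements a client uses to list attachments. The scanner below is an added example written for this thread, not GreyMagic's code or anything posted by the thread's participants; the attachment-folder pattern, the finding strings, the two-indicator threshold and both sample messages are constructed assumptions for illustration.

```python
"""Flag HTML mail bodies for the constructs described in the GreyMagic advisory.

Added example, not GreyMagic's or the thread's code. The attachment-folder
pattern, the threshold and the sample messages are assumptions.
"""
import re
from html.parser import HTMLParser

# Elements the advisory names as ways to auto-play media from a message body.
MEDIA_TAGS = {"embed", "object", "t:video"}

# file:// reference into an "Attach" folder (assumed: Eudora's default name; a
# deployment would substitute its own configured attachment directory).
ATTACH_DIR_RE = re.compile(r"file://[^\s\"'>]*/attach/", re.I)
# Stylesheet rule hiding <a> elements, which Eudora uses to display attachments.
HIDE_LINKS_RE = re.compile(r"\ba\s*\{[^}]*display\s*:\s*none", re.I)
# HTML+TIME behavior that lets a hidden <t:video> start playing on its own.
TIME_BEHAVIOR_RE = re.compile(r"behavior\s*:\s*url\(\s*#default#time\s*\)", re.I)


class MailIndicatorScanner(HTMLParser):
    """Collects human-readable findings while walking the HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "style":
            self._in_style = True
        if tag in MEDIA_TAGS:
            self.findings.append(f"auto-playable media element <{tag}>")
        if tag == "img" and "dynsrc" in attrs:
            self.findings.append("<img dynsrc> media autoplay")
        if TIME_BEHAVIOR_RE.search(attrs.get("style", "")):
            self.findings.append(f"HTML+TIME behavior on <{tag}>")
        for name, value in attrs.items():
            if ATTACH_DIR_RE.search(value):
                self.findings.append(f"file:// path into attachment folder via {name}")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # Style text arrives here as raw data while we are inside <style>.
        if self._in_style and HIDE_LINKS_RE.search(data):
            self.findings.append("stylesheet hides <a> elements (attachment links)")


def scan_html(body: str) -> list:
    """Return the findings for one HTML body, in the order they were encountered."""
    scanner = MailIndicatorScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def is_suspicious(body: str, min_findings: int = 2) -> bool:
    """Assumed policy: two or more independent indicators mark a body for quarantine."""
    return len(scan_html(body)) >= min_findings


# Constructed sample modelled on the advisory's message (not a real capture).
ADVISORY_STYLE_MAIL = """<html><head><style>a { display:none; }</style></head><body>
Hello, Eudora.
<xml:namespace prefix="t"/>
<t:video style="display:none;behavior:url(#default#time);"
         t:src="file://C:/Progra~1/Qualcomm/Eudora/Attach/gmlaunch.wmv"/>
</body></html>"""

# Constructed benign sample: an ordinary newsletter with a link and an image.
BENIGN_MAIL = """<html><body><p>Quarterly newsletter</p>
<a href="https://example.invalid/issue">Read online</a>
<img src="https://example.invalid/logo.png" alt="logo"></body></html>"""

if __name__ == "__main__":
    for label, body in (("advisory-style", ADVISORY_STYLE_MAIL), ("benign", BENIGN_MAIL)):
        print(f"{label}: suspicious={is_suspicious(body)}")
        for finding in scan_html(body):
            print("  -", finding)
```

The scanner deliberately reports each indicator separately rather than matching one fixed template, because the advisory itself lists several interchangeable delivery routes (<object>, <embed>, <img dynsrc>, <t:video>); the threshold in is_suspicious is where a deployment would tune how many of them must coincide before a message is held. Run on the constructed advisory-style sample it reports four findings; the benign newsletter produces none.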

  4. #4
    It's not a virus, it's an ack trojan. I've had that before too. What it does is give the hacker access to the command prompt on all of the systems connected to the network. If I were you I would get a good virus scanner like Panda or Norton and get that thing out before you get fried by your friendly neighborhood hacker. Then get a good firewall like BlackICE or ZoneAlarm and rig it up with a program like X-Force and port-scanning detection software; you should be safe for a long time if you're careful.

  5. #5
    Junior Member
    Join Date
    Feb 2002
    Thanks, but neither Norton nor Panda is able to deal with it.......

  6. #6
    Deal with it? Does that mean clean/delete it? If it's a trojan server file then get a trojan scanner like Tauscan, which you can get at Do you have an antivirus program? Because Norton or Panda (with updated defs) would have been able to get rid of it as soon as it came in contact with your computer, even if it is a trojan. Visit (Norton's virus encyclopedia) and search for the extension name to see what virus it is, what it does, and how to manually remove it.

  7. #7
    Join Date
    Mar 2002
    Just like Ryan Nyquist said, visit and it should have information on what this trojan does and how to manually remove it.

  8. #8
    Junior Member
    Join Date
    Feb 2002
    Thanks for the information.
