Re: AIM Password theft

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: AIM Password theft
From: "http-equiv@xxxxxxxxxx" <1@xxxxxxxxxxx>
Date: Wed, 24 Sep 2003 18:44:47 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: 1@xxxxxxxxxxx


<!-- 

 Out of curiosity I 
followed that link which loaded start.html (attached). 

 -->

Caution: off-site archives will and have already stored this as:

text/plain attachment: start.txt 

Tested on neohapsis 

[http://archives.neohapsis.com/archives/bugtraq/2003-09/0375.html]

Due to the 'never-addressed-mime-issue' of Internet Explorer reading 
even dog poo as html, opening start.txt will effect the exploit 
partialy. 

Namely:

 C:\Program Files\Windows Media Player\wmplayer.exe 

will be overwritten by simply viewing the attached text file.

It is apparent the original intended payload .exe is no longer at the 
location, but the wmplayer.exe is still overwritten with a 1KB 
wmplayer.exe containing the following:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /eg/1.exe was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.26 Server at onway.net Port 80</ADDRESS>
</BODY></HTML>




-- 
http://www.malware.com

Prev by Date: NULLhttpd <= 0.5.1 remote resources consumption
Next by Date: RE: [Fwd: Re: AIM Password theft] VU#865940
Previous by thread: RE: AIM Password theft
Next by thread: Privacy leak in VeriSign's SiteFinder service
Index(es):
- Date
- Thread