<<< Date Index >>>     <<< Thread Index >>>

RE: Self-Executing FOLDERS: Windows XP Explorer Part V



Why don't we call a spade a spade? You renamed an HTML file from "My
Pics.html" to "My Pics.Folder", it's still an HTML file and not a folder.

In fact, except for the changed file extension this is simply just a repeat
of your previous post, "Self-Executing HTML: Internet Explorer 5.5 and 6.0
Part IV", except that the ".Folder" file extension is new to Windows XP and
makes the file have a folder icon.

When you open any file regardless of extension, Explorer tries to find the
proper application to open the file with. This involves inspecting the first
section of the files content and comparing it to a list of known signatures.
You can read about "MIME Type Detection in Internet Explorer" at

http://msdn.microsoft.com/workshop/networking/moniker/overview/appendix_a.asp

We already know that opening HTML files from the My Computer zone is
equivelant to opening an EXE file, given the executional rights provided by
the zone. The only solution to this is to lock down the My Computer zone
which I have been trying to advocate for some time now and Microsoft has now
promised to do in Service Pack 2 for Windows XP.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix <http://www.qwik-fix.net>

-----Original Message-----
From: http-equiv@xxxxxxxxxx [mailto:1@xxxxxxxxxxx]
Sent: Sunday, January 25, 2004 8:51 AM
To: NTBUGTRAQ@xxxxxxxxxxxxxxxxxxxxxx
Subject: Self-Executing FOLDERS: Windows XP Explorer Part V


Sunday, January 25, 2004


The following file is a 'folder' comprising both scripting and an executable
[*.exe].

We inject scripting and an executable into the 'folder' which is designed to
point back to the executable in the 'folder' and execute it. Provided the
'folder' is an html file, Windows XP Explorer will execute it.

Because it is an 'folder' proper, Windows Explorer opens it. The scripting
inside is then parsed and fired. That scripting is pointing back to the same
executable file and because it is a self-executing 'folder',  it executes !

Fully self-contained harmless *.exe.

Windows XP only:


http://www.malware.com/my.pics.zip


Be aware of 'folders' out there.



--
http://www.malware.com

-----
Editor's Note: The 43rd Most Powerful Person in Networking says...

Out of Office replies to list messages cause you to be unsubscribed
automatically. Either subscribe a Public Folder, or ensure your rules are
set to ensure list messages are filtered prior to your Out of Office reply.
Such automatic replies are a bane to posters, and cause us to have fewer
researchers post to NTBugtraq.
-----