Re: what is this?

To: "Jose Nazario" <jose@xxxxxxxxxx>
Subject: Re: what is this?
From: "crazy frog crazy frog" <i.m.crazy.frog@xxxxxxxxx>
Date: Mon, 14 Jan 2008 21:26:59 +0530
Cc: Untitled <full-disclosure@xxxxxxxxxxxxxxxxx>, PenTest <pen-test@xxxxxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=PH75dlXSPA9ZtBJqWQO2tzbSMz07OI9rPYtQvrkdP1s=; b=aS54w/D3C4D9/6CJ1EfttYUOTiWLwdYFhMk99qDViKlRywKMsdyAIoLkb71yJORSavp78YFQu4F40lvJSwcK+384qvvOJHDCBl8ol+zj/ProN94V8YjR0zkwXHYT1zeEiacmH67Gre3W5gr5WtDBEjBU7PvO5Nq7tMS6V/jyfbQ=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=gUZDcxxhIckVV4yJcq484GsCTIxVs4Eg2r/9z8Z+EKCL5k38sCvST/Phn7gMmF253/VDJySxJ8Mqr7nXVCQhpayUHlM666kZXyyeV5FqlZS/0cXoe7m1wiQ4n6z2CHPCN95sbdcMjWBLt7fPxCE3OVf98mc40ZkzgarpBQHw4fk=
In-reply-to: <Pine.BSO.4.64.0801141040520.22957@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <41011d980801130801x67eb0243r6ed73ac8a16d0d2a@xxxxxxxxxxxxxx> <Pine.BSO.4.64.0801141040520.22957@xxxxxxxxxxxxxxxx>

yep ther eis one yahoo messenger exploit too.

On Jan 14, 2008 9:14 PM, Jose Nazario <jose@xxxxxxxxxx> wrote:
> On Sun, 13 Jan 2008, crazy frog crazy frog wrote:
>
> > http://secgeeks.com/what.zip
> > password is 12345
> > can somebody guide/help me what is this and how can i remove it?
>
> te file you sent here contains a bunch of embeded nulls (every other
> character is 00). stripping those out reveals ...
>
> that it's a collection of browser exploits. by the looks of it it's MPack
> and uses the heapspray slide stuff.
>
> the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead)
> as a local file c:\\mosvs8.exe and then run it.
>
>
> very common exploit scenario these days (but they usually have some form
> of js obfuscation going on).
>
> i hope this helps.
>
> ________
> jose nazario, ph.d.                 http://monkey.org/~jose/
>



-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com

References:
- what is this?
  - From: crazy frog crazy frog
- Re: what is this?
  - From: Jose Nazario

Prev by Date: [SECURITY] [DSA 1459-1] New gforge packages fix SQL injection
Next by Date: Re: what is this?
Previous by thread: Re: what is this?
Next by thread: RE: what is this?
Index(es):
- Date
- Thread