RE: AIM-based worm?

From: x x (km1xat_private)
Date: Fri Sep 27 2002 - 07:14:46 PDT


    I dunno about the buddy list thing, but the inability to view the source in 
    IE isn't surprising.  Note that the HTML below contains a META refresh that 
    redirects you to the .com file.  Once this fires, the browser discards the 
    HTML file containing the redirect and requests the .com file.  When you 
    cancel the download dialog and try to view source, there's nothing to see 
    because the browser has no document loaded.  If you turn off Meta refresh 
    before hitting the page, you'd see the HTML page below, and could view the 
    source.
    
      -K
    
    
    >A coworker of mine (Tim) recently found a buddy on his buddy list who he 
    >didn't know (JDogg786).  When Tim sent a message to him/her, he got a 
    >response back "Hmmmm.. http://24.74.206.239:8180/"
    >
    >When he clicked on the link, it took him to a page which redirected to a 
    >download of a file ending in .com, which he promptly alerted me to and did 
    >not run it.
    >
    >I tried to go to this link, it tried to download the file.  I hit cancel, 
    >then I tried to view the source of the page.  From the View menu, or right 
    >clicking on the page, and clicking View Source, nothing happened.
    >
    >I eventually got the source using wget, which is shown below.
    >
    >Question 1:  Is there a way a web page can add a buddy to your AIM list 
    >without your knowledge?
    >
    >Question 2:  How was I prevented from viewing the source of the HTML page 
    >in IE?
    >
    >I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well 
    >for anyone who wants to look at it, just in case the above link does not 
    >work any more.
    >
    >
    >-- BEGIN SOURCE --
    >
    ><html><head><title>Browser Plugin Requried</title><meta 
    >http-equiv="refresh" content="1; 
    >url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><bod
    >y><h1>Browser Plugin Required:</h1><br>You may need to restart your browser 
    >for changes to take affect.<br>Security Certificate by <a 
    >href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: 
    >9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a 
    >href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose 
    >"Run" to install.</body></html>
    >
    >-- END SOURCE --
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
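Added example, not part of either poster's message: a static check over page source saved without rendering it (as was done with wget above) that lists every META refresh target and flags ones ending in a directly executable extension. The function names and the extension set are assumptions made for this illustration; the sample is the page head quoted in the post.

```python
import posixpath
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed, non-exhaustive set of extensions Windows runs directly.
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# URL and page head as quoted in the post (mail line wraps undone, body shortened).
BASE_URL = "http://24.74.206.239:8180/"
SAMPLE_HTML = (
    '<html><head><title>Browser Plugin Requried</title><meta '
    'http-equiv="refresh" content="1; '
    'url=psecure20x-cgi-install.version6.01.bin.hx.com"></head>'
    '<body><h1>Browser Plugin Required:</h1></body></html>'
)

# "<delay>[; url=<target>]" with optional quotes around the target.
REFRESH_RE = re.compile(
    r"""\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?['"]?([^'"]*))?""", re.I)

class RefreshFinder(HTMLParser):
    """Collects (delay_seconds, target) for every <meta http-equiv=refresh>."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag != "meta" or (attr.get("http-equiv") or "").lower() != "refresh":
            return
        match = REFRESH_RE.match(attr.get("content") or "")
        if match:
            self.targets.append((int(match.group(1)), (match.group(2) or "").strip()))

def find_refresh_targets(html, base_url):
    """Return one finding per meta refresh, resolved against base_url."""
    finder = RefreshFinder()
    finder.feed(html)
    findings = []
    for delay, target in finder.targets:
        url = urljoin(base_url, target)  # empty target means "reload this page"
        ext = posixpath.splitext(urlparse(url).path)[1].lower()
        findings.append({"delay": delay, "url": url, "executable": ext in EXECUTABLE_EXTS})
    return findings

if __name__ == "__main__":
    for finding in find_refresh_targets(SAMPLE_HTML, BASE_URL):
        print(finding)
```

Nothing is fetched or executed; the check only reads markup already saved to disk or held in a string.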
    



    This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 15:51:19 PDT