> I made the sad mistake of clicking on the link that Jay sent to read more
> and did get the virus. I don't think I am infected, as Norton did a full
> scan when I rebooted and found the virus and quarantined it. But it was
> found in an odd location (or at least I think so, but maybe not since I got
> it from the link)

I clicked this link and it offered to save or open... .exe
I generally choose "save" and did so to my desktop, where I analyzed the live binary.
No fear of infection here (a bad double click does me in, though).
Alas, I run NO AV on my box.

>
> Here is where it was: doc and settings\administrator\local\Temporary
> Internet Files\Content IE5\RRLJFH08

IE downloads temporary files here.

Try this:
click on a link for anything "downloadable" like .exe or .zip
when the dialog offers to open, do so (I check out known clean .zip archives like this at times)
close the WinZip dialog box
browse to c:\documents and settings\youruser\localsettings\Temporary Internet Files\Content IE5\SOMESTRINGHERE
and sort by date... you should see your file that you opened and closed still exists... in its entirety

I believe this was used successfully in the .chm exploit by predicting the tmp location of a file.

hope this helps

Donnie Werner
morning_woodat_private
http://exploitlabs.com
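The check described in the message above (browse the randomly named cache subfolders and sort by date) can be scripted for triage. This is an added example, not part of the original post: the function names and the extension list are assumptions, and the sample cache tree is constructed in a temporary folder; on a real system the cache root would be the Temporary Internet Files folder named in the message.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumed list of extensions worth a second look; adjust to local policy.
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".chm", ".hta"}

def find_cached_executables(cache_root):
    """Return cached files that look executable, newest first (hypothetical helper)."""
    hits = []
    for dirpath, _dirs, files in os.walk(cache_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished cache entry
            is_pe = data[:2] == b"MZ"  # PE/DOS header, catches renamed binaries
            ext = os.path.splitext(name)[1].lower()
            if is_pe or ext in RISKY_EXT:
                hits.append({"subdir": os.path.basename(dirpath), "name": name,
                             "is_pe": is_pe, "mtime": st.st_mtime,
                             "sha256": hashlib.sha256(data).hexdigest()})
    return sorted(hits, key=lambda h: h["mtime"], reverse=True)

def build_sample_cache(root):
    """Constructed sample data: two cache subfolders with harmless dummy files."""
    samples = [
        ("RRLJFH08", "readme[1].exe", b"MZ\x90\x00fake-pe", 1058500000),
        ("RRLJFH08", "logo[1].gif", b"GIF89a", 1058400000),
        ("SOMESTRINGHERE", "photo[1].jpg", b"MZ\x90\x00renamed", 1058300000),
        ("SOMESTRINGHERE", "help[1].chm", b"ITSF", 1058200000),
    ]
    for sub, name, body, mtime in samples:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        path = os.path.join(root, sub, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))  # fixed timestamps so the sort is stable

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        for h in find_cached_executables(tmp):
            when = datetime.fromtimestamp(h["mtime"], timezone.utc)
            print(when.isoformat(), h["subdir"], h["name"], h["is_pe"], h["sha256"][:16])
```

The header check matters because a cached file keeps whatever name the server gave it, so an executable saved with an image extension would be missed by an extension filter alone.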
This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 13:07:09 PDT