Re: Double clicking on innocent looking files

From: Uidam, T (Tim) (Tim.Uidamat_private)
Date: Thu Apr 19 2001 - 23:32:45 PDT


    Very interesting!
    
    I wonder what would happen if you called it
    DEFAULT.htm.{00000303-0000-0000-C000-000000000046}, and copied it to the
    root of your IIS web server... would it jack the CPU usage up on the
    web-server? I haven't got an IIS test-bed that I can try this on :(
    
    I've also had a play around with some other CLSID types, particularly the MS
    EXCEL and IE HTML ones... Nothing *APPEARS* to launch the executable
    properly. Although IE does display the entire filename including the CLSID
    in the address bar, if you use the CLSID for *.GIF file types,
    {25336920-03F9-11cf-8FD0-00AA00686F13}.
    
    I'm trying to investigate what the possibility is of launching a vbscript
    (or similar) in this way... or, having the file launch IE which in turn
    launches another file on the system...
    
    Interestingly enough, I've been testing the ILOVEYOU.VBS virus with McAfee
    4.0.2, without scanning the *.{* extension [AV4.0.2 can't add file
    extensions with the "{" or "}" characters in them :( ] and WITH scanning
    *.vbs extensions... The scanner ONLY picked up the virus when scanning ALL
    FILES is enabled, and completely missed it when scanning the files in its
    extensions list.... This was most disappointing, but not unexpected :(
    
    Anyway, still we're enabling scanning for *.{* files on our network! :)
    
    Regards,
    Tim Uidam
    Systems Support
    Rabobank OC
    
    -----Original Message-----
    From: Frank Heyne [mailto:fhat_private-DRESDEN.DE]
    Sent: Wednesday, 18 April 2001 19:10
    To: BUGTRAQat_private
    Subject: Re: Double clicking on innocent looking files
    
    
    On 17 Apr 01, at 10:36, Philip Stoev wrote:
    
    > maybe other tricks are possible with a carefully-chosen CLSID.
    
    How about this:
    
    1. Copy an exe file of your choice into a public directory like c:\temp
    
    2. Rename this file to
    OurAdminIsStupid.htm.{00000303-0000-0000-C000-000000000046}
    
    3. The exe will now show the icon of an html file
       (but not the correct type description)
    
    4. When your curious Admin double clicks the file, CPU usage
       will go up to 100 %, and it seems to be impossible to
       stop this with task manager
    
    Works with NT 4 SP 6a + IE 5.5
    
    Greetings
    
    Frank Heyne
    
    ==================================================================
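
A defensive check for the scanning gap discussed in this thread, as an added example that is not part of the original messages: it lists files whose name ends in a `.{CLSID}` suffix and reports whether a scanner that selects files by extension list would have opened them. The sample paths, the scan list, and the assumption that such a scanner matches on the text after the final dot are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Trailing ".{8-4-4-4-12 hex}" suffix, as in the file names quoted in the thread.
CLSID_SUFFIX = re.compile(
    r"\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$"
)

def last_extension(name):
    """Text after the final dot, lower-cased; '' when there is no extension."""
    head, dot, tail = name.rpartition(".")
    return tail.lower() if dot and head else ""

def audit(path, scan_list):
    """Describe one file name the way an extension-list scanner would see it."""
    name = PureWindowsPath(path).name
    m = CLSID_SUFFIX.search(name)
    visible = name[: m.start()] if m else name  # name without the CLSID suffix
    return {
        "name": name,
        "clsid": m.group(1).upper() if m else None,
        "apparent_ext": last_extension(visible),
        # Assumption: the scanner compares the text after the last dot.
        "selected_by_list": last_extension(name) in scan_list,
    }

def missed_by_list(paths, scan_list):
    """CLSID-suffixed files that an extension-list scan would never open."""
    findings = (audit(p, scan_list) for p in paths)
    return [f for f in findings if f["clsid"] and not f["selected_by_list"]]

# Constructed sample data (not taken from a real system).
SCAN_LIST = {"exe", "com", "vbs", "htm"}
SAMPLE_PATHS = [
    r"c:\temp\OurAdminIsStupid.htm.{00000303-0000-0000-C000-000000000046}",
    r"c:\temp\letter.vbs.{25336920-03F9-11cf-8FD0-00AA00686F13}",
    r"c:\temp\letter.vbs",
    r"c:\temp\notes.txt",
]

if __name__ == "__main__":
    for f in missed_by_list(SAMPLE_PATHS, SCAN_LIST):
        print(f"{f['name']}: looks like .{f['apparent_ext']}, "
              f"CLSID {f['clsid']}, skipped by extension list")
```
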
    



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 09:04:27 PDT