From: "Joel R. Helgeson" <joel@xxxxxxxxxxxx>
To: "Geraldo Rivera" <iamafraud@xxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box
Date: Sun, 3 Oct 2004 14:13:52 -0500
What was the site?
Joel R. Helgeson
Director of Networking & Security Services
SymetriQ Corporation
"Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
be warm for the rest of his life."
----- Original Message ----- From: "Geraldo Rivera" <iamafraud@xxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxx>
Sent: Sunday, October 03, 2004 1:16 PM
Subject: [Full-Disclosure] Spyware installs with no interaction in IE on fully patched XP SP2 box
Last night I went to a site that I have been to on and off for years. The
page loaded and then in IE's status bar I saw something suspicious:
"installing components...atpartners.cab". I could not close out of IE, and
I could not kill the iexplorer.exe process. It totally locked up and I had
to reboot my machine. When my machine came back up, I had at least 6
different pieces of spyware/adware on my machine. It took me almost 2 hrs
to clean up. I manually deleted a bunch of crap (stuff I had found through
the run key in the registry, suspicious processes running, suspicious
files in the usual dirs, and by searching for all files modified at the
time this happened). Even after all that, Ad-Aware found 143 entries (none
were cookies, mostly registry entries and a few DLLs) and then Spybot
found an additional 2 registry entries.
This machine is a fully patched XP SP2 box, with the default security
settings for IE's Internet Zone. Does anybody know what method this crap
could be using to install without any user interaction?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
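The symptoms in the thread (a .cab pulled in through the Internet Zone with no prompt, then Run-key entries and freshly written files to hunt down by hand) can be triaged with a short script. The following is an added example, not code from either poster; it assumes Windows PowerShell on the affected host, that the IE Internet Zone is zone 3 under the standard Internet Settings key, and that $IncidentTime is set to roughly when the page was loaded.

```powershell
# Added example (not from the thread): defender-side triage for a drive-by ActiveX install.
# Assumes Windows PowerShell; paths and value names are the standard IE zone and Run-key locations.
param(
    [datetime]$IncidentTime = (Get-Date).AddHours(-1),   # assumed: when the page was loaded
    [int]$WindowMinutes = 30
)

# 1. Audit the Internet Zone ActiveX settings. 0 = Enable, 1 = Prompt, 3 = Disable.
#    A .cab that installs with no prompt needs download and run set to Enable (0).
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$activeX = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$props = Get-ItemProperty -Path $zone
foreach ($name in $activeX.Keys) {
    $v = $props.$name
    $state = if ($v -eq 0) { 'ENABLED (no prompt)' } elseif ($v -eq 1) { 'prompt' } else { 'disabled' }
    "{0,-60} {1}" -f $activeX[$name], $state
}

# 2. Enumerate the autostart entries the poster inspected by hand (Run / RunOnce, HKLM and HKCU).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $key = Get-Item $k
        foreach ($n in $key.GetValueNames()) { "{0}  {1} = {2}" -f $k, $n, $key.GetValue($n) }
    }
}

# 3. List files written inside the window around the incident in the directories a
#    downloaded control and its payload land in (system dir, the ActiveX cache, temp).
$start = $IncidentTime.AddMinutes(-$WindowMinutes)
$end   = $IncidentTime.AddMinutes($WindowMinutes)
$dirs  = "$env:windir\System32", "$env:windir\Downloaded Program Files", $env:TEMP
Get-ChildItem -Path $dirs -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end } |
    Sort-Object LastWriteTime |
    Select-Object LastWriteTime, Length, FullName
```

Run it as the user whose profile loaded the page, since the zone settings and the HKCU Run key are per-user; any ActiveX row reporting ENABLED is the setting to tighten to Prompt or Disable.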