[20460] in bugtraq
Re: Double clicking on innocent looking files may be dangerous
daemon@ATHENA.MIT.EDU (Nicolas Gregoire)
Thu Apr 26 12:36:55 2001
Message-ID: <3AE7CEF9.22C8AC64@7thzone.com>
Date: Thu, 26 Apr 2001 09:32:09 +0200
Reply-To: Nicolas Gregoire <nicolas.gregoire@7THZONE.COM>
From: Nicolas Gregoire <nicolas.gregoire@7THZONE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
> ==== CreditCard.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8} ====
> [InternetShortcut]
> URL=file://c:/command.com
> IconIndex=-152
> IconFile=shell32.dll
>
> ========================= END OF FILE =========================
>
> Now the file in explorer will be visible with normal
> .txt-file icon (you can change IconIndex and/or IconFile
> for other icon), and when someone clicks on it he thinks
> that's normal text file, but as the result of double-clicking
> MS-DOS Prompt will pop-up, without any confirmations(!!!).

Tried on Win98.
The MS-DOS prompt pops up, but the icon is not the normal txt-file one.
It's the "link to a txt-file" icon (i.e. the same as a "normal text-file"
but with a little arrow in the lower left corner).
But a non-vigilant user can be fooled ....

Nicob
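
Added example, not part of the original message or of the quoted post: a Python check that a mail or file gateway could run on the kind of file quoted above. It flags names ending in a `.{CLSID}` component and reports what an `[InternetShortcut]` body points at; the function name, the runnable-extension list and the finding strings are assumptions made for illustration.

```python
import configparser
import re

# Trailing ".{CLSID}" name component, as in the quoted CreditCard.txt.{...} file.
CLSID_SUFFIX = re.compile(r"\.\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$")
# Assumption: extensions treated as directly runnable; extend for your environment.
RUNNABLE_EXT = (".com", ".exe", ".bat", ".cmd", ".pif", ".scr")


def inspect_attachment(filename, body):
    """Return a list of findings for one file (empty list = nothing flagged)."""
    findings = []
    match = CLSID_SUFFIX.search(filename)
    if not match:
        return findings
    visible = filename[: match.start()]
    findings.append(f"name ends in {match.group(0)[1:]}; part before it is {visible!r}")

    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(body)
    except configparser.Error:
        findings.append("body is not parseable INI text")
        return findings

    # Section names are compared case-insensitively.
    name = next((s for s in parser.sections() if s.lower() == "internetshortcut"), None)
    if name is not None:
        keys = {k.lower(): v.strip() for k, v in parser[name].items()}
        url = keys.get("url", "")
        if url.lower().startswith("file:"):
            findings.append(f"shortcut targets local path {url}")
            if url.lower().endswith(RUNNABLE_EXT):
                findings.append("target has a runnable extension")
        if "iconfile" in keys or "iconindex" in keys:
            findings.append("icon overridden via IconFile/IconIndex")
    return findings


# Constructed sample: the file quoted in the message above.
SAMPLE_NAME = "CreditCard.txt.{FBF23B40-E3F0-101B-8488-00AA003E56F8}"
SAMPLE_BODY = """[InternetShortcut]
URL=file://c:/command.com
IconIndex=-152
IconFile=shell32.dll
"""
```

Calling `inspect_attachment(SAMPLE_NAME, SAMPLE_BODY)` returns four findings for the quoted file; a name without a CLSID component returns an empty list.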