[35448] in bugtraq


Re: Unusual Activity in Ad-aware 6 Personal, Build 6.181

daemon@ATHENA.MIT.EDU (Steve Ryan)
Wed Jun 23 09:36:00 2004

Message-ID: <40D7D942.80900@internetcds.com>
Date: Tue, 22 Jun 2004 00:01:22 -0700
From: Steve Ryan <sirsteve@internetcds.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Cc: fedhead <fedhead@rogers.com>
In-Reply-To: <LIEKJLEBDKKNBDDGIJAAAEBECFAA.fedhead@rogers.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hi,

Well, this is odd.  I did not find any of those files you mentioned.  I 
didn't find a cache folder either.  I updated Ad-Aware with the latest 
definitions and then initiated a scan.  It created a 'cache' folder 
where you mentioned, although I didn't open it.  I let it finish the 
scan and then the 'cache' folder disappeared.  I cleaned the 30 or so 
'tracking cookies' it found and it created a cache folder again.  I was 
going to open it, but then I closed out Ad-Aware not even thinking and 
the cache folder disappeared.

Then I opened Ad-aware, ran a scan.. it immediately created a 'cache' 
folder but upon inspection, it's empty.  I checked it multiple times 
during the Ad-aware scan, and it stayed empty.  This time upon 
completion, before I could close Ad-aware, the 'cache' folder disappeared.

Nothing unusual that I could find anyway.

Windows XP + SP1a + All critical/XP updates..

HTH.

fedhead wrote:

> Sorry about my previous post, Norton picked up the html code and filtered my
> e-mail. Here is the original post without the html flags
> 
> Hello,
> 
> Seems benign enough. Every night when it runs, after the first scan of the
> registry, it creates four files in the C:\Program Files\Lavasoft\Ad-Aware
> 6\cache folder which Norton AV catches as trojan scripts:
> 
> exploit.chm
> installer.htm
> shellscript.js
> shellscript_loader.js
> 
> In installer.htm, it appears to use one of the IE IFRAME exploits to
> download the JavaScript files.
> 
> The most unusual part is that it happens at the end of the registry scan in
> Ad-aware. A google search doesn't turn up any relation between this exploit
> and Ad-aware so it could be something unique to my system but at this point
> I am at a loss as to what it could be.
> 
> 
> Any info would be appreciated.
> 
> Thanks,
> Matt