[33254] in bugtraq
Re: Self-Executing FOLDERS: Windows XP Explorer Part V
daemon@ATHENA.MIT.EDU (mightye[removethis])
Mon Jan 26 14:11:39 2004
Message-ID: <40155470.1020300@mightye.org>
Date: Mon, 26 Jan 2004 12:54:56 -0500
From: "mightye[removethis]" <"mightye[removethis]"@mightye.org>
MIME-Version: 1.0
To: 1@malware.com
Cc: bugtraq@securityfocus.com, NTBugtraq@listserv.ntbugtraq.com
In-Reply-To: <200401251651.i0PGp0ZY012565@web178.megawebservers.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
I get the following dialogue box on:
+ Windows XP SP1,
+ IE 6.0.2800.1106.xpsp2.030422-1633, Updates: SP1; Q822925; Q330994;
Q828750; Q825145
"Your current security settings prohibit running ActiveX controls on
this page. As a result, the page may not display correctly."
The site shows as being in My Computer zone. Since I can't change those
settings, my security settings for Internet are:
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disable
Initialize and script ActiveX controls not marked as safe: Disable
Run ActiveX controls and plugins: Enable
Script ActiveX controls marked safe for scripting: Enable
Internet Explorer / Windows Explorer (which ever it thinks it is) shows,
"Installing components...My%20Pics.folder!malware.exe" in the status bar
at the end of execution, though the exe was never run unless it was
designed to look like a regular IE dialogue.
-Eric "MightyE" Stevens
http://lotgd.net
To reply to me, please remove "[removethis]" from my email address.
http-equiv@excite.com wrote:
>Sunday, January 25, 2004
>
>
>The following file is a 'folder' comprising both scripting and
>an executable [*.exe].
>
>We inject scripting and an executable into the 'folder' which is
>designed to point back to the executable in the 'folder' and
>execute it. Provided the 'folder' is an html file, Windows XP
>Explorer will execute it.
>
>Because it is an 'folder' proper, Windows Explorer opens it. The
>scripting inside is then parsed and fired. That scripting is
>pointing back to the same executable file and because it is a
>self-executing 'folder', it executes !
>
>Fully self-contained harmless *.exe.
>
>Windows XP only:
>
>
>http://www.malware.com/my.pics.zip
>
>
>Be aware of 'folders' out there.
>
>
>
>
>
