Analysis of an Ecard Exploit Page

TKJunkMail Enjoy the sun Premium join:2002-03-03 Avalon, NJ ·Sprint Mobile Broa.. ·Comcast	reply to MagnusM Re: Analysis of an Ecard Exploit Page said by MagnusM : Ecard worm uses the MS06-006 Windows Media Player Plug-In EMBED Overflow Exploit to install the worm file on vulnerable systems. This means that unless you have KB911564 installed, you can get infected by just clicking the link in an Ecard email. What about Vista? The original exploit you ID'd is for XP. Is there a similar Vista exploit that needs patching? -- -- Internet News My BLOG My Web Page
	to forum · permalink · · 2007-08-13 19:12:39 ·
redwolfe_98 join:2001-06-11 ·RoadRunner Cable 2 edits	reply to MagnusM thanks, magnus.. i have been downloading a lot of those ecard.exe files and then uploading them to "virustotal", sometimes submitting them to av-vendors, as well.. today, i noticed that something was strange with the webpage where i was downloading another one of the ecard files from and i wanted someone to look at it, though i never contacted anyone about it.. i have been kind of paranoid because when i tried to download the ecard file, the first time, i clicked cancel but then it downloaded anyway, where "antivir" then flagged it.. (uhg) i didn't have all of my security-apps up at the time, either.. i wasn't able to find anything that indicated that my computer was infected by the malware.. i booted into safe mode and looked for the "spooldr.exe" and "spool.sys" files.. i also tried going through the same routine again, only with my other security-apps running to see if anything was flagged, but it wasn't.. the ecard files that i downloaded today would infect the cdrom.sys file instead of the tcpip.sys file.. i am glad that misec is at least looking into this zhelatin stuff.. as for checking for the patch, running the "belarc advisor" would be one way to do it, or (for me) to look at the update-history at the "windows updates" website.. belarc seems like the easy way to do it.. i deleted all of the windows updates log files, so i can't check those.. update: i just ran the "belarc advisor" and i can see that i have the update, according to the belarc advisor..
	to forum · permalink · · 2007-08-13 19:03:11 ·
dannyboy 950 Premium join:2002-12-30 Port Arthur, TX	reply to MagnusM Kinda odd doing a search I found a uninstall folder for it but not the file itself.
	to forum · permalink · · 2007-08-13 18:42:17 ·
Suggestion @bell.ca	reply to MagnusM Something along the lines of: 1] Click on "Start" 2] Then on "Search" In the left-hand viewer pane: 3] Click on the "Advanced Options" checkbox 4] In the text box "Search for files or folders named", type: *911564
	to forum · permalink · 2007-08-13 17:58:37 ·
MagnusM Premium join:2001-07-07	I just finished analyzing an Ecard exploit page; thought it might be interesting to some. Basically, the Ecard worm uses the MS06-006 Windows Media Player Plug-In EMBED Overflow Exploit to install the worm file on vulnerable systems. This means that unless you have KB911564 installed, you can get infected by just clicking the link in an Ecard email. The full analysis is available here: »blog.misec.net/2007/08/13/analys···it-page/ I also have a question that someone might be able to help answer: What is the easiest way a user can check if he has the KB911564 patch installed? In my analysis, I suggest checking for the presence of the file C:\Windows\KB911564.log -- perhaps someone can suggest a better way for less experienced users? (I deliberated whether to suggest "wmic qfe" in a Command Prompt, but I doubt many less computer-literate users will find it easy to do that.) -- Mischel Internet Security http://www.misec.net
	to forum · permalink · · 2007-08-13 17:36:46 ·


Wednesday, 02-Dec 21:50:47	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. republican-creole page compression OFF