Re: [Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs

2004-10-08 Thread GuidoZ
 Didn't mean to have you apologize, it did its job. It showed
 that I was not vulnerable. I just found it interesting that my
 AV called it something that could not be found through search.

No worries Randall. =) I really should have warned about the possible AV
warnings, as some might not understand what's actually going on. (I've
gotten a few emails like "Ha! My antivirus stopped your ploy to infect
me.") =P I can't explain it much better than I have.

I figured that most people on this list would understand what was
REALLY happening, but I should plan for as many scenarios as possible.
This includes those that wouldn't understand what the virus warnings
mean. Thanks for your clarification though Randall. Appreciate it. ;)

--
Peace. ~G


On Thu, 7 Oct 2004 06:02:02 -0500, RandallM [EMAIL PROTECTED] wrote:
 GuidoZ
 Didn't mean to have you apologize, it did its job. It showed
 that I was not vulnerable. I just found it interesting that my
 AV called it something that could not be found through search.
 
 thank you
 Randall M
 
 |-Original Message-
 |From: GuidoZ [mailto:[EMAIL PROTECTED]
 |Sent: Thursday, October 07, 2004 1:16 AM
 |To: RandallM
 |Cc: [EMAIL PROTECTED]
 |Subject: Re: [Full-Disclosure] RE: Full-Disclosure digest,
 |Vol 1 #1955 - 19 msgs
 |
 |It might be detected as Trojan.Moo or any other variant of
 |the JPEG exploit. As I said, it attempts to exploit the
 |system to see if it's vulnerable, using an infected JPG.
 |The file I provided is simply a SFX with a batch file and
 |the infected JPG (named exploit.bak). No attempt has been
 |made at all to mask what's inside.
 |
 |I figured those that would want to use it would either not
 |worry about the virus warnings, or not get them at all and
 |REALLY need the fix it helps provide. =) Email me at the
 |address provided in my original email (exploit _AT_ guidoz
 |_DOT_ com) and I'll provide a link to the batch files and
 |such so you may modify them as you wish.
 |
 |Sorry for any confusion with the AV. I should have warned
 |about that in the original email. (Others have written me
 |asking the same question.) I only provided it to possibly
 |help others who have lots of friends asking them for help to
 |patch their systems. This simply sees if they are
 |vulnerable, then leads them through the steps to patch the
 |system if they are. (You may have to tell them to ignore AV
 |warnings, or disable the AV scanner. Again, I urge you to
 |test this on a NON-PRODUCTION machine first. See what it
 |contains, read the batch files, see what it downloads, etc.)
 |
 |Please feel free to ask me any questions. Hope it helps someone else.
 |
 |--
 |Peace. ~G
 |
 |
 |On Wed, 6 Oct 2004 20:59:28 -0500, RandallM
 |[EMAIL PROTECTED] wrote:
 |
 | |--__--__--
 | |
 | |Message: 14
 | |Date: Wed, 6 Oct 2004 15:53:32 -0700
 | |From: GuidoZ [EMAIL PROTECTED]
 | |Reply-To: GuidoZ [EMAIL PROTECTED]
 | |To: [EMAIL PROTECTED]
 | |Subject: [Full-Disclosure] Quick JPEG/GDI test & fix (timesaver)
 | |
 | |Hello list,
 | |
 | |I wrote a very simple program/batch file that tests for the JPEG
 | |exploit, then if affected, provides instructions on how to patch the
 | |exploit. It has been tested on my own lil happy lab network, as well
 | |as one network where I'm a sysadmin. (Tested on Windows XP Home
 | |and Pro, SP1a and SP2.)
 | |
 | |It DOES test for the exploit by attempting to use an infected JPG
 | |which downloads the instructions for fixing it, if exploited. By
 | |viewing the strings in the JPG, you can see the file it downloads and
 | |check it out for yourself. It's clean. =) Just contains a batch file
 | |and a program to launch the batch file. (The file that gets downloaded
 | |is a simple SFX.) Links are below. It contains a warning saying it's
 | |about to try to exploit the system and to save data in open programs.
 | |(It also warns that Explorer may crash.)
 | |
 | |I wrote this merely to save myself time and allow friends/family to
 | |test their own systems, then patch them without having to call me for
 | |help. It's not been tested in every environment and in every scenario.
 | |If you find a problem, feel free to email me (exploit _AT_ guidoz
 | |_DOT_ com). Obviously I'm not responsible if it's abused somehow, or if
 | |it breaks something, etc. Feel free to modify it to suit your own
 | |needs, but use it at your own risk.
 | |
 | |Test can be downloaded from here:
 | |http://www.guidoz.com/exploit-test.exe
 | |
 | |Again, it's just an SFX archive with a batch file. Hopefully it will
 | |save someone else some time. I've used it to have friends/family (and
 | |a few clients) patch a total of around 30 machines without problems.
 | |
 | |--
 | |Peace. ~G
 | |
 | |
 | |--__--__--
 | |
 | |End of Full-Disclosure Digest
 | |
 |
 | Well, guess I'm safe. McAfee saw it as
 |Exploit-MntRedir.gen and said...NO!
 | I googled it and it found nothing though. Thought it would at least
 | lead me to McAfee. McAfee search said

Re: [Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs

2004-10-07 Thread list
RandallM wrote:
---8---
|Test can be downloaded from here: 
|http://www.guidoz.com/exploit-test.exe
---8---
Well, guess I'm safe. McAfee saw it as Exploit-MntRedir.gen and said...NO!
McAfee VirusScan Enterprise 7.1 recognized exploit-test.exe as 
'Exploit-MS04-028'. Engine is 4.3.20, DAT-file is 4397.

GTi
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs

2004-10-07 Thread GuidoZ
It might be detected as Trojan.Moo or any other variant of the JPEG
exploit. As I said, it attempts to exploit the system to see if it's
vulnerable, using an infected JPG. The file I provided is simply a
SFX with a batch file and the infected JPG (named exploit.bak). No
attempt has been made at all to mask what's inside.

I figured those that would want to use it would either not worry about
the virus warnings, or not get them at all and REALLY need the fix it
helps provide. =) Email me at the address provided in my original
email (exploit _AT_ guidoz _DOT_ com) and I'll provide a link to the
batch files and such so you may modify them as you wish.

Sorry for any confusion with the AV. I should have warned about that in
the original email. (Others have written me asking the same question.)
I only provided it to possibly help others who have lots of friends
asking them for help to patch their systems. This simply sees if they
are vulnerable, then leads them through the steps to patch the system
if they are. (You may have to tell them to ignore AV warnings, or
disable the AV scanner. Again, I urge you to test this on a
NON-PRODUCTION machine first. See what it contains, read the batch
files, see what it downloads, etc.)

Please feel free to ask me any questions. Hope it helps someone else.

--
Peace. ~G


On Wed, 6 Oct 2004 20:59:28 -0500, RandallM [EMAIL PROTECTED] wrote:
 
 |--__--__--
 |
 |Message: 14
 |Date: Wed, 6 Oct 2004 15:53:32 -0700
 |From: GuidoZ [EMAIL PROTECTED]
 |Reply-To: GuidoZ [EMAIL PROTECTED]
 |To: [EMAIL PROTECTED]
 |Subject: [Full-Disclosure] Quick JPEG/GDI test & fix (timesaver)
 |
 |Hello list,
 |
 |I wrote a very simple program/batch file that tests for the JPEG
 |exploit, then if affected, provides instructions on how to patch the
 |exploit. It has been tested on my own lil happy lab network, as well
 |as one network where I'm a sysadmin. (Tested on Windows XP Home
 |and Pro, SP1a and SP2.)
 |
 |It DOES test for the exploit by attempting to use an infected JPG
 |which downloads the instructions for fixing it, if exploited. By
 |viewing the strings in the JPG, you can see the file it downloads and
 |check it out for yourself. It's clean. =) Just contains a batch file
 |and a program to launch the batch file. (The file that gets
 |downloaded
 |is a simple SFX.) Links are below. It contains a warning saying it's
 |about to try to exploit the system and to save data in open programs.
 |(It also warns that Explorer may crash.)
 |
 |I wrote this merely to save myself time and allow friends/family to
 |test their own systems, then patch them without having to call me for
 |help. It's not been tested in every environment and in every
 |scenario.
 |If you find a problem, feel free to email me (exploit _AT_ guidoz
 |_DOT_ com). Obviously I'm not responsible if it's abused
 |somehow, or if
 |it breaks something, etc. Feel free to modify it to suit your own
 |needs, but use it at your own risk.
 |
 |Test can be downloaded from here:
 |http://www.guidoz.com/exploit-test.exe
 |
 |Again, it's just an SFX archive with a batch file. Hopefully it will
 |save someone else some time. I've used it to have friends/family (and
 |a few clients) patch a total of around 30 machines without problems.
 |
 |--
 |Peace. ~G
 |
 |
 |--__--__--
 |
 |End of Full-Disclosure Digest
 |
 
 Well, guess I'm safe. McAfee saw it as Exploit-MntRedir.gen and said...NO!
 I googled it and it found nothing though. Thought it would at least lead me
 to McAfee. McAfee search said:
 
 We found no records matching the following criteria:
 Virus name containing MntRedir.gen.
 Please try narrowing your search by using fewer characters.
 
 What gives?
 
 thank you
 Randall M
 


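
The thread turns on a practical point: before running someone else's "exploit test", look at what the infected JPG actually does. The script below is an added example written for this page (it is not GuidoZ's exploit-test.exe, nor any code from the thread). It walks the JPEG segment headers and reports the two things GuidoZ tells readers to check for themselves: a COM (0xFFFE) segment whose declared length is below the 2-byte minimum, which is the malformed-comment condition MS04-028 patched in GDI+, and the printable strings embedded in the file, which is where a download URL would show up. The two sample JPEGs and the URL inside them are constructed here for illustration and are not taken from the original file.

```python
"""Inspect a JPEG for the MS04-028 trigger and list its embedded strings.

Added example for this page; not GuidoZ's exploit-test.exe or any code from
the thread. Sample JPEG bytes and the URL below are constructed here.
"""
import re
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE


def walk_segments(data: bytes):
    """Yield (marker, declared_length, offset) for each segment up to SOS/EOI.

    A JPEG segment's 16-bit length counts the two length bytes themselves, so
    any value below 2 is malformed. GDI+ before MS04-028 subtracted 2 from a
    COM segment's length before copying it; a value of 0 or 1 underflowed to a
    huge count, which is the condition reported by find_ms04_028_markers.
    """
    if data[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker >> 8 != 0xFF:
            raise ValueError(f"lost segment sync at offset {pos:#x}")
        if marker == EOI:
            break
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos:#x}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, length, pos
        # Entropy-coded data follows SOS, and a bad length cannot be skipped
        # safely, so stop walking in either case.
        if marker == SOS or length < 2:
            break
        pos += 2 + length


def find_ms04_028_markers(data: bytes):
    """Return offsets of COM segments whose declared length is 0 or 1."""
    return [off for marker, length, off in walk_segments(data)
            if marker == COM and length < 2]


def printable_strings(data: bytes, min_len: int = 6):
    """Return runs of at least min_len printable ASCII bytes (a 'strings' pass)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample(com_length: int, payload: bytes) -> bytes:
    """Build a minimal JPEG holding one COM segment (constructed test input)."""
    return (struct.pack(">H", SOI)
            + struct.pack(">HH", COM, com_length) + payload
            + struct.pack(">H", EOI))


# Constructed inputs: a well-formed comment, and a comment whose length field
# is 0 (the MS04-028 trigger) followed by a hypothetical download URL.
BENIGN = build_sample(2 + len(b"sample comment"), b"sample comment")
SUSPECT = build_sample(0, b"http://example.invalid/payload.exe")


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        hits = find_ms04_028_markers(blob)
        print(f"{name}: malformed COM at {[hex(h) for h in hits] or 'none'}; "
              f"strings: {printable_strings(blob)}")
```

Run stand-alone it reports on both constructed samples; to inspect a real file, read its bytes and pass them to `find_ms04_028_markers` and `printable_strings`. A hit on the length check means the file carries the malformed COM segment the MS04-028 advisory describes; it says nothing about whether the host that opens it is patched, which is the separate question GuidoZ's test tries to answer by actually triggering the bug.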


RE: [Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs

2004-10-07 Thread RandallM
GuidoZ
Didn't mean to have you apologize, it did its job. It showed
that I was not vulnerable. I just found it interesting that my
AV called it something that could not be found through search.

thank you
Randall M
 
 

|-Original Message-
|From: GuidoZ [mailto:[EMAIL PROTECTED] 
|Sent: Thursday, October 07, 2004 1:16 AM
|To: RandallM
|Cc: [EMAIL PROTECTED]
|Subject: Re: [Full-Disclosure] RE: Full-Disclosure digest, 
|Vol 1 #1955 - 19 msgs
|
|It might be detected as Trojan.Moo or any other variant of 
|the JPEG exploit. As I said, it attempts to exploit the 
|system to see if it's vulnerable, using an infected JPG. 
|The file I provided is simply a SFX with a batch file and 
|the infected JPG (named exploit.bak). No attempt has been 
|made at all to mask what's inside.
|
|I figured those that would want to use it would either not 
|worry about the virus warnings, or not get them at all and 
|REALLY need the fix it helps provide. =) Email me at the 
|address provided in my original email (exploit _AT_ guidoz 
|_DOT_ com) and I'll provide a link to the batch files and 
|such so you may modify them as you wish.
|
|Sorry for any confusion with the AV. I should have warned 
|about that in the original email. (Others have written me 
|asking the same question.) I only provided it to possibly 
|help others who have lots of friends asking them for help to 
|patch their systems. This simply sees if they are 
|vulnerable, then leads them through the steps to patch the 
|system if they are. (You may have to tell them to ignore AV 
|warnings, or disable the AV scanner. Again, I urge you to 
|test this on a NON-PRODUCTION machine first. See what it 
|contains, read the batch files, see what it downloads, etc.)
|
|Please feel free to ask me any questions. Hope it helps someone else.
|
|--
|Peace. ~G
|
|
|On Wed, 6 Oct 2004 20:59:28 -0500, RandallM 
|[EMAIL PROTECTED] wrote:
| 
| |--__--__--
| |
| |Message: 14
| |Date: Wed, 6 Oct 2004 15:53:32 -0700
| |From: GuidoZ [EMAIL PROTECTED]
| |Reply-To: GuidoZ [EMAIL PROTECTED]
| |To: [EMAIL PROTECTED]
| |Subject: [Full-Disclosure] Quick JPEG/GDI test & fix (timesaver)
| |
| |Hello list,
| |
| |I wrote a very simple program/batch file that tests for the JPEG
| |exploit, then if affected, provides instructions on how to patch the
| |exploit. It has been tested on my own lil happy lab network, as well
| |as one network where I'm a sysadmin. (Tested on Windows XP Home
| |and Pro, SP1a and SP2.)
| |
| |It DOES test for the exploit by attempting to use an infected JPG
| |which downloads the instructions for fixing it, if exploited. By
| |viewing the strings in the JPG, you can see the file it downloads and
| |check it out for yourself. It's clean. =) Just contains a batch file
| |and a program to launch the batch file. (The file that gets downloaded
| |is a simple SFX.) Links are below. It contains a warning saying it's
| |about to try to exploit the system and to save data in open programs.
| |(It also warns that Explorer may crash.)
| |
| |I wrote this merely to save myself time and allow friends/family to
| |test their own systems, then patch them without having to call me for
| |help. It's not been tested in every environment and in every scenario.
| |If you find a problem, feel free to email me (exploit _AT_ guidoz
| |_DOT_ com). Obviously I'm not responsible if it's abused somehow, or if
| |it breaks something, etc. Feel free to modify it to suit your own
| |needs, but use it at your own risk.
| |
| |Test can be downloaded from here:
| |http://www.guidoz.com/exploit-test.exe
| |
| |Again, it's just an SFX archive with a batch file. Hopefully it will
| |save someone else some time. I've used it to have friends/family (and
| |a few clients) patch a total of around 30 machines without problems.
| |
| |--
| |Peace. ~G
| |
| |
| |--__--__--
| |
| |End of Full-Disclosure Digest
| |
| 
| Well, guess I'm safe. McAfee saw it as 
|Exploit-MntRedir.gen and said...NO!
| I googled it and it found nothing though. Thought it would at least 
| lead me to McAfee. McAfee search said:
| 
| We found no records matching the following criteria:
| Virus name containing MntRedir.gen.
| Please try narrowing your search by using fewer characters.
| 
| What gives?
| 
| thank you
| Randall M
| 
|
|



[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs

2004-10-06 Thread RandallM

|--__--__--
|
|Message: 14
|Date: Wed, 6 Oct 2004 15:53:32 -0700
|From: GuidoZ [EMAIL PROTECTED]
|Reply-To: GuidoZ [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Quick JPEG/GDI test & fix (timesaver)
|
|Hello list,
|
|I wrote a very simple program/batch file that tests for the JPEG
|exploit, then if affected, provides instructions on how to patch the
|exploit. It has been tested on my own lil happy lab network, as well
|as one network where I'm a sysadmin. (Tested on Windows XP Home
|and Pro, SP1a and SP2.)
|
|It DOES test for the exploit by attempting to use an infected JPG
|which downloads the instructions for fixing it, if exploited. By
|viewing the strings in the JPG, you can see the file it downloads and
|check it out for yourself. It's clean. =) Just contains a batch file
|and a program to launch the batch file. (The file that gets 
|downloaded
|is a simple SFX.) Links are below. It contains a warning saying it's
|about to try to exploit the system and to save data in open programs.
|(It also warns that Explorer may crash.)
|
|I wrote this merely to save myself time and allow friends/family to
|test their own systems, then patch them without having to call me for
|help. It's not been tested in every environment and in every 
|scenario.
|If you find a problem, feel free to email me (exploit _AT_ guidoz
|_DOT_ com). Obviously I'm not responsible if it's abused 
|somehow, or if
|it breaks something, etc. Feel free to modify it to suit your own
|needs, but use it at your own risk.
|
|Test can be downloaded from here: 
|http://www.guidoz.com/exploit-test.exe
|
|Again, it's just an SFX archive with a batch file. Hopefully it will
|save someone else some time. I've used it to have friends/family (and
|a few clients) patch a total of around 30 machines without problems.
|
|--
|Peace. ~G
|
|
|--__--__--
|
|End of Full-Disclosure Digest
|

Well, guess I'm safe. McAfee saw it as Exploit-MntRedir.gen and said...NO!
I googled it and it found nothing though. Thought it would at least lead me
to McAfee. McAfee search said: 

We found no records matching the following criteria:
Virus name containing MntRedir.gen.
Please try narrowing your search by using fewer characters.

What gives?

thank you
Randall M
