I use Netscape, it's a nice browser, why not give it a shot. The only thing I don't like is that it EATS huge amounts of memory. Its mem usage on my PC is currently 24,984KB!
Posted on 2003-10-13 18:24:14 by x86asm
Thanks Ultrano for confirming there may have been something weird about that site. You seem to have gotten a virus from it? JimmyClif my fine friend, were your ears burning last night? They should have been, I've been grumbling about this since, heheh, your warnings need warnings ;)

I had gotten one of these hateful Spamgrams like this before that was running through the Messenger Service (SERVICE_WIN32), apparently a known exploit that uses the NET SEND command to intrude on your system. I think it too may have been from that stupid Evidence Eliminator or something very similar. The best defense is to make sure you're always running without that unneeded Messenger service active.


In this particular instance there seems to be the javascript popup and the disconcerting reading of your hard drive, which I gather is done here:

<script language="javascript">
document.write("<iframe src='file:///C:/' height=300 width=750 marginwidth=0 marginheight=0 scrolling=no frameborder=0 vspace=2>Loading content of hard drive ...</iframe>");
</script>


Would this be a simple javascript snippet that could perform the task of reading your hard drive?


Now this may only be a byproduct of that piece of code running, but while the original popup from the site was running in Opera (locking up the rest of the browser), I immediately went into debug mode and started exploring. The very strange thing about this javascript popup is that the handle of the main popup window was running under the Process ID of ADService.exe, this is the Iomega/AutoDisk _IOMEGA_ACTIVE_DISK_SERVICE (I have a Zip disk). I confirmed the window PID with a couple of Spy's and am fairly certain that particular service had just *recently* started up on my system for some reason.

I've since deactivated that Zip service just in case. I went back to the site to generate another popup and also checked from a copy on my harddrive, and the popup window now seems to run under the PID of Opera, which seems a bit more normal. Still I feel fairly certain that the PID of the popup window matched the PID of the ADService process, and the 5 threads under it, that was running at the time - I wasn't drinking or anything ;-). I don't know of any exploits using _IOMEGA_ACTIVE_DISK_SERVICE, but I did think this was worth mentioning. I will look into it further though.


<!-- Anyone who steals my design will have his account at evidence-eliminator terminated without payment and will get a lot of problems. I mean it! -->

I'd like to stick evidence-eliminator's design up their collective assets. I mean it!-->


Regards
Posted on 2003-10-13 22:38:38 by Kayaker
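As an added example (not code from the thread or from the site being discussed), here is a small Node.js checker that scans a page fragment for iframes whose src uses the file: scheme, including ones injected through a document.write("...") string literal like the snippet quoted above; the sample input is constructed from that snippet plus a harmless second iframe.

```javascript
// Added example: flag <iframe> elements that point at the local filesystem
// (file: scheme), whether written directly in the HTML or injected via
// document.write("..."). Not from the thread; regexes are an assumption that
// suffices for this snippet, not a full HTML/JS parser.

// Matches document.write("...") / document.writeln('...') with one string literal,
// honouring backslash escapes inside the literal.
const DOC_WRITE_RE =
  /document\.write(?:ln)?\s*\(\s*(["'])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;

// Matches an <iframe ...> tag and captures its src value (double-, single- or unquoted).
const IFRAME_RE = /<iframe\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Undo the JS string escapes that matter for scanning the inner HTML.
function unescapeJsString(s) {
  return s.replace(/\\(["'\\\/])/g, '$1').replace(/\\n/g, '\n');
}

// Return every distinct iframe src in the fragment, both literal and
// document.write-injected.
function extractIframeSrcs(fragment) {
  const srcs = new Set();
  const scan = (html) => {
    for (const m of html.matchAll(IFRAME_RE)) {
      srcs.add(m[1] || m[2] || m[3] || '');
    }
  };
  scan(fragment);
  for (const m of fragment.matchAll(DOC_WRITE_RE)) {
    scan(unescapeJsString(m[2]));
  }
  return Array.from(srcs);
}

// Keep only srcs that would load from the local disk.
function findLocalFileFrames(fragment) {
  return extractIframeSrcs(fragment).filter((src) => /^\s*file:/i.test(src));
}

// Constructed sample: the snippet quoted above plus an ordinary remote iframe.
const SAMPLE = `<script language="javascript">
document.write("<iframe src='file:///C:/' height=300 width=750 marginwidth=0 marginheight=0 scrolling=no frameborder=0 vspace=2>Loading content of hard drive ...</iframe>");
</script>
<iframe src="https://example.invalid/ad"></iframe>`;

console.log(findLocalFileFrames(SAMPLE)); // prints [ 'file:///C:/' ]
```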
uhm... btw, I just wonder if I could know where those evil JS run from. I can disable them, or make IE prompt me when it's gonna execute one. But I still can't find a way to make it tell me where the script is gonna execute from at the time :( Any idea?
Posted on 2003-10-14 06:32:49 by dion
Kayaker,

Nope, I didn't lose a second of sleep about it.. :grin: I wish I could check it back but I got IE 5.5 and nothing weird is happening, also with Opera everything seems alright. I also did a search on my hard drive for the keylogger file and came up with nothing. I just got all the usual processes running and I call that good. :tongue:

Not talking about my mother-in-law's computer - last time I checked that thing it had (no kidding) thousands of spyware files, and several virii on it as her last virus definition files dated back something like 2 years ago. It's been almost a year since I cleaned that thing and I assume it's full to the brim with malicious content again. :) Whatever. She does her online shopping and everything and 'til now no one ever stole anything from her.

Well, anyways... Sorry again for causing some trouble. :o

JimmyClif
Posted on 2003-10-14 08:08:41 by JimmyClif
Just for the record, Iomega's ADService did Google up in a couple of places, mainly in relation to startup programs that might be on potential spyware / browser hijacking listings.

There's a freeware program called HijackThis that seems to give a good analysis of startup programs and browser "enhancements" that might be hiding some form of spamware; it might uncover a few things other anti-spyware programs and loving sons-in-law may miss :grin:

http://www.spywareinfo.com/~merijn/
http://www.spywareinfo.com/~merijn/htlogtutorial.html (log interpretation)

Kayaker
Posted on 2003-10-15 10:40:19 by Kayaker