[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: what is this?
yep ther eis one yahoo messenger exploit too.
On Jan 14, 2008 9:14 PM, Jose Nazario <jose@xxxxxxxxxx> wrote:
> On Sun, 13 Jan 2008, crazy frog crazy frog wrote:
> > http://secgeeks.com/what.zip
> > password is 12345
> > can somebody guide/help me what is this and how can i remove it?
> te file you sent here contains a bunch of embeded nulls (every other
> character is 00). stripping those out reveals ...
> that it's a collection of browser exploits. by the looks of it it's MPack
> and uses the heapspray slide stuff.
> the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead)
> as a local file c:\\mosvs8.exe and then run it.
> very common exploit scenario these days (but they usually have some form
> of js obfuscation going on).
> i hope this helps.
> jose nazario, ph.d. http://monkey.org/~jose/
advertise on secgeeks?