Velocity Reviews - Computer Hardware Reviews

Dropper in web page?

 
 
Piotr Makley
      04-08-2004
I downloaded a zipped file from Usenet. Inside was an HTML file.

My AV software said it contained "dropper.runme". When I looked
this up on the net I found this:

http://www.avp.ch/avpve/multip2/navrhar.stm

But I can't see how a virus or trojan dropper could work when I
look at an HTML file with my browser. Can someone explain this to
me please?
 

null@zilch.com
 
      04-08-2004
On Thu, 08 Apr 2004 12:10:24 +0100, Piotr Makley <(E-Mail Removed)>
wrote:

>I downloaded a zipped file from Usenet. Inside was an HTML file.
>
>My AV software said it contained "dropper.runme". When I looked
>this up on the net I found this:
>
>http://www.avp.ch/avpve/multip2/navrhar.stm
>
>But I can't see how a virus or trojan dropper could work when I
>look at an HTML file with my browser. Can someone explain this to
>me please?


Browsers, like any software, can have design flaw vulnerabilities.
With browsers, there are also scripting vulnerabilities. Particularly
in the case of IE, if you have ActiveX enabled, you are just asking
for a web site to take control of your PC.

Use an alternate browser to minimize the risks. Mozilla or Mozilla-based
browsers are recommended. Opera is another alternative.


Art
http://www.epix.net/~artnpeg
 

JJ
 
      04-08-2004
(E-Mail Removed) wrote:

>>I downloaded a zipped file from Usenet. Inside was an HTML
>>file.
>>
>>My AV software said it contained "dropper.runme". When I
>>looked this up on the net I found this:
>>
>>http://www.avp.ch/avpve/multip2/navrhar.stm
>>
>>But I can't see how a virus or trojan dropper could work when
>>I look at an HTML file with my browser. Can someone explain
>>this to me please?

>
> Browsers, like any software, can have design flaw
> vulnerabilities. With browsers, there are also scripting
> vulnerabilities. Particularly in the case of IE, if you have
> ActiveX enabled, you are just asking for a web site to take
> control of your PC.


How do I disable ActiveX in IE?
 

kulm_nd
 
      04-08-2004
Open IE, click on TOOLS|Internet Options and then click Security tab. Click
on Internet and then click on Custom Level. There is an ActiveX area to set
what you want.

--


g-w


"JJ" <(E-Mail Removed)> wrote in message
news:94C5ACE56C65753F89A@130.133.1.4...
> (E-Mail Removed) wrote:
>
> >>I downloaded a zipped file from Usenet. Inside was an HTML
> >>file.
> >>
> >>My AV software said it contained "dropper.runme". When I
> >>looked this up on the net I found this:
> >>
> >>http://www.avp.ch/avpve/multip2/navrhar.stm
> >>
> >>But I can't see how a virus or trojan dropper could work when
> >>I look at an HTML file with my browser. Can someone explain
> >>this to me please?

> >
> > Browsers, like any software, can have design flaw
> > vulnerabilities. With browsers, there are also scripting
> > vulnerabilities. Particularly in the case of IE, if you have
> > ActiveX enabled, you are just asking for a web site to take
> > control of your PC.

>
> How do I disable ActiveX in IE?



 

Anti_Freak_Machine
 
      04-08-2004
Piotr Makley said...
> I downloaded a zipped file from Usenet. Inside was an HTML file.
>
> My AV software said it contained "dropper.runme". When I looked
> this up on the net I found this:
>
> http://www.avp.ch/avpve/multip2/navrhar.stm
>
> But I can't see how a virus or trojan dropper could work when I
> look at an HTML file with my browser. Can someone explain this to
> me please?
>


Did the HTML file open a webpage with an MS Word document embedded
inside?
--
Super Mike
"Mi asno querría un enano y un yate, por favor."
[My donkey would like a midget and a yacht, please.]
 

FromTheRafters
 
      04-09-2004

"kulm_nd" <(E-Mail Removed)> wrote in message newsJedc.52093$(E-Mail Removed) om...
> Open IE, click on TOOLS|Internet Options and then click Security tab. Click
> on Internet and then click on Custom Level. There is an ActiveX area to set
> what you want.


All fine, well, and good, but the problem is that an unzipped
HTML file could easily be running in the "My Computer"
security zone which isn't (by default) listed as a zone that
can be configured as you have suggested. The same HTML
in usenet would be in the restricted zone on my system, in
the internet zone (which I have tweaked somewhat) if I
viewed it while browsing. There are some registry hacks
which can add a tab to the zone listing for the local "My
Computer" zone, or to manually set that zone for greater
security.

Some information is here:

http://support.microsoft.com/default...;en-us;q182569

Others should be able to supply more info if needed.


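Both kulm_nd's Custom Level steps and FromTheRafters' point about the hidden "My Computer" zone come down to per-zone values under the Internet Settings registry key that KB182569 documents. The PowerShell audit below is an added example, not code from the thread or from Microsoft; it reads each zone's "Run ActiveX controls and plug-ins" (action 1200) and "Active scripting" (action 1400) values, reports Enable/Prompt/Disable, notes whether the zone is hidden from the Internet Options dialog, and flags zone 0 (where a locally unzipped .html file opens) when either is enabled. The zone numbers, action numbers, state values and the meaning of the Flags 0x20 bit are taken from KB182569; the function name and output layout are this example's own.

```powershell
# Added example: read-only audit of Internet Explorer security zone settings.
# Registry layout per KB182569 (the article linked above):
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<0-4>
#   action DWORDs: 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
#   action values: 0 = Enable, 1 = Prompt, 3 = Disable
#   Flags bit 0x20 = zone hidden from the Internet Options dialog (default for zone 0)
$zonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$actions   = @{ 1200 = 'Run ActiveX controls and plug-ins'; 1400 = 'Active scripting' }
$states    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Get-IEZoneAudit is this example's own name; it emits one object per zone/action pair.
function Get-IEZoneAudit {
    foreach ($id in 0..4) {
        $path = Join-Path $zonesKey $id
        if (-not (Test-Path $path)) { continue }
        $props  = Get-ItemProperty -Path $path
        $flags  = [int]$props.Flags            # missing Flags reads as 0
        $hidden = ($flags -band 0x20) -ne 0    # hidden zones cannot be changed from the GUI
        foreach ($action in ($actions.Keys | Sort-Object)) {
            # Value names are the numeric action IDs, so look them up as strings.
            $prop = $props.PSObject.Properties[[string]$action]
            $raw  = if ($prop) { [int]$prop.Value } else { $null }
            $state = 'not set (zone default applies)'
            if ($null -ne $raw) {
                $state = if ($states.ContainsKey($raw)) { $states[$raw] } else { "unknown ($raw)" }
            }
            [pscustomobject]@{
                Zone        = "$id ($($zoneNames[$id]))"
                HiddenInUI  = $hidden
                Setting     = $actions[$action]
                State       = $state
                # Zone 0 with ActiveX or scripting enabled is the gap described in this post.
                RiskFlagged = ($id -eq 0 -and $raw -eq 0)
            }
        }
    }
}

Get-IEZoneAudit | Format-Table -AutoSize
```

This reads only the current user's hive; a machine-wide policy under the matching HKLM key can override what is shown here.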
 

johns
 
      04-09-2004
Gee! An intelligent discussion for once! Amazing!

Use a combo of f-secure or McAfee ( NOT Symantec )
and Pop-Up-Stopper to keep Javascript turned off.
That will stop these things. A firewall will have no effect
whatsoever. This was an example of a very old one.
We've got easily 6 years worth of improvement in these
things coming at us every day. NOTE: AdAware and
Spybot cannot detect or remove these "droppers". All
they will do is detect the reinfect that occurs after they
so-called "clean" your system. If you get one of the
commercial ( scumware like Bargain Buddy ) versions,
the best protection is a disk imaging program ( and
at least an 80 gig drive ) that can simply write over
everything and restore your system. I use PowerQuest
2002 ... but I believe Symantec just bought them out.
Hopefully, Symantec will get a clue and follow their
lead. Symantec certainly can't write a decent program
anymore. They really need to get PeterN back. Most
of these "droppers" are not viruses anymore. They
are commercial ad-ware and homepage hi-jackers,
and they are very sophisticated ... and nasty to clean.
You have to clean them manually by searching on
dates and then running AdAware over and over until
the stuff stops re-infecting. Takes all day to do that,
plus a little luck. Reimaging takes maybe an hour at
most, and you are back up clean as a whistle, and
all you had to do was go get a cup of coffee.

johns


 

Piotr Makley
 
      04-10-2004
"johns" <(E-Mail Removed)> wrote:

> Use a combo of f-secure or McAfee ( NOT Symantec )
> and Pop-Up-Stopper to keep Javascript turned off.
> That will stop these things. A firewall will have no effect
> whatsoever. This was an example of a very old one.
> We've got easily 6 years worth of improvement in these
> things coming at us every day. NOTE: AdAware and
> Spybot cannot detect or remove these "droppers". All
> they will do is detect the reinfect that occurs after they
> so-called "clean" your system.


Johns, what sort of payload can a JavaScript program release which
might cause me damage? For example, can it put a program on my
hard drive?

And secondly, can it run the program (or get the system to run it
at boot up) *without* my intervention? In other words, without me
double-clicking on something to start it off.


> If you get one of the
> commercial ( scumware like Bargain Buddy ) versions,
> the best protection is a disk imaging program ( and
> at least an 80 gig drive ) that can simply write over
> everything and restore your system. I use PowerQuest
> 2002 ... but I believe Symantec just bought them out.
> Hopefully, Symantec will get a clue and follow their
> lead. Symantec certainly can't write a decent program
> anymore. They really need to get PeterN back. Most
> of these "droppers" are not viruses anymore. They
> are commercial ad-ware and homepage hi-jackers,
> and they are very sophisticated ... and nasty to clean.
> You have to clean them manually by searching on
> dates and then running AdAware over and over until
> the stuff stops re-infecting. Takes all day to do that,
> plus a little luck. Reimaging takes maybe an hour at
> most, and you are back up clean as a whistle, and
> all you had to do was go get a cup of coffee.

 

FromTheRafters
 
      04-10-2004

"Piotr Makley" <(E-Mail Removed)> wrote in message news:94C57BD59192831E75@130.133.1.4...
> I downloaded a zipped file from Usenet. Inside was an HTML file.


In this context, a "webpage" and an "html file" might not be the same
thing.

> My AV software said it contained "dropper.runme". When I looked
> this up on the net I found this:
>
> http://www.avp.ch/avpve/multip2/navrhar.stm


Does this description match what you have observed?

> But I can't see how a virus or trojan dropper could work when I
> look at an HTML file with my browser. Can someone explain this to
> me please?


It is a matter of the security settings the html content is allowed to
run in. Scripting and ActiveX allowed to run when the "html file"
resides in the "My Computer" zone of some Windows versions
may give different results than the same content "webpage" residing
in the "Restricted" or "Internet" zone - depending on the settings of
those zones.


 

johns
 
      04-12-2004

> Johns, what sort of payload can a JavaScript program release which
> might cause me damage? For example, can it put a program on my
> hard drive?


It can put a program right in startup, and run every time
you boot up ... worse, it can put a line in the registry to
startup on boot. When you "look" at code, you are
running it. When you are browsing, you are looking
at code. The code runs according to where it is
addressed .. and that is the entire thing. If the address
is malicious, too bad. That is why computers are so
easy to hack. If an email written in html contained
something as simple as ( not exact ... %20 %20 ),
and you "looked" at it, your computer would reboot.
You can name a file on your desktop that same
name, and if you click on it, your computer will
reboot. There's another one that I've seen try to
get to the hard drive media descriptor byte. That hard
drive won't boot again .. period .. an oldie but a
goodie. That is nothing but a byte going to an
address. Viruses don't do that anymore. Now they
have a mission ... generally it is to use your
hardware for free, and push commercial advertisements
at zero cost to them. Or it is to steal music files.
Think of the Internet as nothing but a guy sitting
at your keyboard. The Internet is simply another
input device. No defense except re-image and
proper use.

johns

