Dropper in web page?

Discussion in 'Computer Security' started by Piotr Makley, Apr 8, 2004.

  1. Piotr Makley (Guest)

    I downloaded a zipped file from Usenet. Inside was an HTML file.

    My AV software said it contained "dropper.runme". When I looked
    this up on the net I found this:

    http://www.avp.ch/avpve/multip2/navrhar.stm

    But I can't see how a virus or trojan dropper could work when I
    look at an HTML file with my browser. Can someone explain this to
    me please.
     
    Piotr Makley, Apr 8, 2004
    #1

  2. Art (Guest)

    On Thu, 08 Apr 2004 12:10:24 +0100, Piotr Makley <>
    wrote:

    >I downloaded a zipped file from Usenet. Inside was an HTML file.
    >
    >My AV software said it contained "dropper.runme". When I looked
    >this up on the net I found this:
    >
    >http://www.avp.ch/avpve/multip2/navrhar.stm
    >
    >But I can't see how a virus or trojan dropper could work when I
    >look at an HTML file with my browser. Can someone explain this to
    >me please.


    Browsers, like any software, can have design flaw vulnerabilities.
    With browsers, there are also scripting vulnerabilities. Particularly
    in the case of IE, if you have ActiveX enabled, you are just asking
    for a web site to take control of your PC.

    Use an alternate browser to minimize the risks. Mozilla or Moz-based
    browsers are recommended. Opera is another alternative.


    Art
    http://www.epix.net/~artnpeg
     
    , Apr 8, 2004
    #2

  3. JJ (Guest)

    wrote:

    >>I downloaded a zipped file from Usenet. Inside was an HTML
    >>file.
    >>
    >>My AV software said it contained "dropper.runme". When I
    >>looked this up on the net I found this:
    >>
    >>http://www.avp.ch/avpve/multip2/navrhar.stm
    >>
    >>But I can't see how a virus or trojan dropper could work when
    >>I look at an HTML file with my browser. Can someone explain
    >>this to me please.

    >
    > Browsers, like any software, can have design flaw
    > vulnerabilities. With browsers, there are also scripting
    > vulnerabilities. Particularly in the case of IE, if you have
    > activex enabled, you are just asking for a web site to take
    > control of your PC.


    How do I disable ActiveX in IE?
     
    JJ, Apr 8, 2004
    #3
  4. kulm_nd (Guest)

    Open IE, click on TOOLS|Internet Options and then click Security tab. Click
    on Internet and then click on Custom Level. There is an ActiveX area to set
    what you want.

    --

    ************************************************

    g-w


    "JJ" <> wrote in message
    news:94C5ACE56C65753F89A@130.133.1.4...
    > wrote:
    >
    > >>I downloaded a zipped file from Usenet. Inside was an HTML
    > >>file.
    > >>
    > >>My AV software said it contained "dropper.runme". When I
    > >>looked this up on the net I found this:
    > >>
    > >>http://www.avp.ch/avpve/multip2/navrhar.stm
    > >>
    > >>But I can't see how a virus or trojan dropper could work when
    > >>I look at an HTML file with my browser. Can someone explain
    > >>this to me please.

    > >
    > > Browsers, like any software, can have design flaw
    > > vulnerabilities. With browsers, there are also scripting
    > > vulnerabilities. Particularly in the case of IE, if you have
    > > activex enabled, you are just asking for a web site to take
    > > control of your PC.

    >
    > How do I disable Active-X in IE?
     
    kulm_nd, Apr 8, 2004
    #4
  5. Piotr Makley said...
    > I downloaded a zipped file from Usenet. Inside was an HTML file.
    >
    > My AV software said it contained "dropper.runme". When I looked
    > this up on the net I found this:
    >
    > http://www.avp.ch/avpve/multip2/navrhar.stm
    >
    > But I can't see how a virus or trojan dropper could work when I
    > look at an HTML file with my browser. Can someone explain this to
    > me please.
    >


    Did the HTML file open a webpage with an MS Word document embedded
    inside?
    --
    Super Mike
    "Mi asno querría un enano y un yate, por favor."
    [My donkey would like a midget and a yacht, please.]
     
    Anti_Freak_Machine, Apr 8, 2004
    #5
  6. "kulm_nd" <> wrote in message news:oJedc.52093$...
    > Open IE, click on TOOLS|Internet Options and then click Security tab. Click
    > on Internet and then click on Custom Level. There is an ActiveX area to set
    > what you want.


    All fine, well, and good, but the problem is that an unzipped
    HTML file could easily be running in the "My Computer"
    security zone which isn't (by default) listed as a zone that
    can be configured as you have suggested. The same HTML
    in usenet would be in the restricted zone on my system, in
    the internet zone (which I have tweaked somewhat) if I
    viewed it while browsing. There are some registry hacks
    which can add a tab to the zone listing for the local "My
    Computer" zone, or to manually set that zone for greater
    security.

    Some information is here:

    http://support.microsoft.com/default.aspx?scid=KB;en-us;q182569

    Others should be able to supply more info if needed.
     
    FromTheRafters, Apr 9, 2004
    #6
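    The zone settings that posts #4 and #6 describe (the Custom Level
    ActiveX entries, and the hidden "My Computer" zone from KB182569)
    can be set without the GUI. What follows is an added example, not
    code from the thread: a Windows Script Host JScript file, written in
    plain ES3 so cscript.exe accepts it, that writes the per-zone action
    values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    Settings\Zones. The zone numbers, action IDs, the 0=Enable/1=Prompt/
    3=Disable encoding and the 0x20 "hidden" Flags bit follow KB182569;
    the function names and the choice to disable rather than prompt are
    this example's own.

```javascript
// Added example (not from the thread). Builds and, under Windows Script Host,
// applies a "disable ActiveX and active scripting" policy for one IE security
// zone. Registry layout per KB182569; function names are this example's own.
// Written in ES3 so that cscript.exe runs it unchanged.

var ZONE_BASE = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\";

// Zone numbers as used under ...\Zones\<n>. Zone 0 is the hidden "My Computer"
// zone that a locally unzipped .html file is opened in.
var ZONES = { MY_COMPUTER: 0, INTRANET: 1, TRUSTED: 2, INTERNET: 3, RESTRICTED: 4 };

// Action IDs from KB182569: the Custom Level settings, by registry value name.
var ACTIONS = {
  "1001": "Download signed ActiveX controls",
  "1004": "Download unsigned ActiveX controls",
  "1200": "Run ActiveX controls and plug-ins",
  "1201": "Initialize and script ActiveX controls not marked as safe",
  "1400": "Active scripting"
};

// Value written for every action ID: 0 = Enable, 1 = Prompt, 3 = Disable.
var ENABLE = 0, PROMPT = 1, DISABLE = 3;

// Bit 0x20 in a zone's Flags value hides it from the Security tab; My Computer
// ships with Flags = 0x21. Clearing the bit makes the zone configurable in the GUI.
var FLAG_HIDDEN = 0x20;

// Returns the list of {path, value, why} registry writes that lock down one zone.
function hardeningPlan(zone) {
  var key = ZONE_BASE + zone + "\\";
  var plan = [];
  for (var id in ACTIONS) {
    if (ACTIONS.hasOwnProperty(id)) {
      plan.push({ path: key + id, value: DISABLE, why: ACTIONS[id] });
    }
  }
  if (zone === ZONES.MY_COMPUTER) {
    plan.push({ path: key + "Flags", value: 0x21 & ~FLAG_HIDDEN,
                why: "show the My Computer zone on the Security tab" });
  }
  return plan;
}

// Applies a plan through WScript.Shell. Returns the number of values written,
// or -1 when not running under Windows Script Host (for example under Node),
// where the ActiveXObject constructor does not exist.
function applyPlan(plan) {
  if (typeof ActiveXObject === "undefined") {
    return -1;
  }
  var sh = new ActiveXObject("WScript.Shell");
  for (var i = 0; i < plan.length; i++) {
    sh.RegWrite(plan[i].path, plan[i].value, "REG_DWORD");
  }
  return plan.length;
}

// Reads the current values back so a change can be verified. A missing value
// reads as undefined: IE then uses its built-in default for that action.
// Returns null outside Windows Script Host.
function readPlan(plan) {
  if (typeof ActiveXObject === "undefined") {
    return null;
  }
  var sh = new ActiveXObject("WScript.Shell");
  var out = [];
  for (var i = 0; i < plan.length; i++) {
    var v;
    try { v = sh.RegRead(plan[i].path); } catch (e) { v = undefined; }
    out.push({ path: plan[i].path, value: v });
  }
  return out;
}

// Usage under WSH:  cscript //nologo harden-zones.js
var targets = [ZONES.MY_COMPUTER, ZONES.INTERNET, ZONES.RESTRICTED];
for (var t = 0; t < targets.length; t++) {
  var written = applyPlan(hardeningPlan(targets[t]));
  if (typeof WScript !== "undefined") {
    WScript.Echo("zone " + targets[t] + ": " + written + " values written");
  }
}
```

    After running it, Tools | Internet Options | Security shows a "My
    Computer" icon and the Custom Level dialog for each zone reflects the
    disabled entries; the GUI route in post #4 writes the same values. Two
    caveats: the settings live under HKCU, so they apply per user, and if
    the "Security Zones: Use only machine settings" policy is enabled IE
    reads the HKLM copy of the same keys instead.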
  7. johns (Guest)

    Gee! An intelligent discussion for once! Amazing!

    Use a combo of F-Secure or McAfee ( NOT Symantec )
    and Pop-Up-Stopper to keep JavaScript turned off.
    That will stop these things. A firewall will have no effect
    whatsoever. This was an example of a very old one.
    We've got easily 6 years worth of improvement in these
    things coming at us every day. NOTE: AdAware and
    Spybot cannot detect or remove these "droppers". All
    they will do is detect the reinfect that occurs after they
    so-called "clean" your system. If you get one of the
    commercial ( scumware like Bargain Buddy ) versions,
    the best protection is a disk imaging program ( and
    at least an 80 gig drive ) that can simply write over
    everything and restore your system. I use PowerQuest
    2002 ... but I believe Symantec just bought them out.
    Hopefully, Symantec will get a clue and follow their
    lead. Symantec certainly can't write a decent program
    anymore. They really need to get PeterN back. Most
    of these "droppers" are not viruses anymore. They
    are commercial adware and homepage hijackers,
    and they are very sophisticated ... and nasty to clean.
    You have to clean them manually by searching on
    dates and then running AdAware over and over until
    the stuff stops re-infecting. Takes all day to do that,
    plus a little luck. Reimaging takes maybe an hour at
    most, and you are back up clean as a whistle, and
    all you had to do was go get a cup of coffee.

    johns
     
    johns, Apr 9, 2004
    #7
  8. Piotr Makley (Guest)

    "johns" <> wrote:

    > Use a combo of F-Secure or McAfee ( NOT Symantec )
    > and Pop-Up-Stopper to keep JavaScript turned off.
    > That will stop these things. A firewall will have no effect
    > whatsoever. This was an example of a very old one.
    > We've got easily 6 years worth of improvement in these
    > things coming at us every day. NOTE: AdAware and
    > Spybot cannot detect or remove these "droppers". All
    > they will do is detect the reinfect that occurs after they
    > so-called "clean" your system.


    Johns, what sort of payload can a JavaScript program release which
    might cause me damage. For example, can it put a program on my
    hard drive?

    And secondly, can it run the program (or get the system to run it
    at boot up) *without* my intervention? In other words, without me
    double-clicking on something to start it off.


    > If you get one of the
    > commercial ( scumware like Bargain Buddy ) versions,
    > the best protection is a disk imaging program ( and
    > at least an 80 gig drive ) that can simply write over
    > everything and restore your system. I use PowerQuest
    > 2002 ... but I believe Symantec just bought them out.
    > Hopefully, Symantec will get a clue and follow their
    > lead. Symantec certainly can't write a decent program
    > anymore. They really need to get PeterN back. Most
    > of these "droppers" are not viruses anymore. They
    > are commercial ad-ware and homepage hi-jackers,
    > and they are very sophisticated ... and nasty to clean.
    > You have to clean them manually by searching on
    > dates and then running AdAware over and over until
    > the stuff stops re-infecting. Takes all day to do that,
    > plus a little luck. Reimaging takes maybe an hour at
    > most, and you are back up clean as a whistle, and
    > all you had to do was go get a cup of coffee.
     
    Piotr Makley, Apr 10, 2004
    #8
  9. "Piotr Makley" <> wrote in message news:94C57BD59192831E75@130.133.1.4...
    > I downloaded a zipped file from Usenet. Inside was an HTML file.


    In this context, a "webpage" and an "html file" might not be the same
    thing.

    > My AV software said it contained "dropper.runme". When I looked
    > this up on the net I found this:
    >
    > http://www.avp.ch/avpve/multip2/navrhar.stm


    Does this description match what you have observed?

    > But I can't see how a virus or trojan dropper could work when I
    > look at an HTML file with my browser. Can someone explain this to
    > me please.


    It is a matter of the security settings the html content is allowed to
    run in. Scripting and ActiveX allowed to run when the "html file"
    resides in the "My Computer" zone of some Windows versions
    may give different results than the same content "webpage" residing
    in the "Restricted" or "Internet" zone - depending on the settings of
    those zones.
     
    FromTheRafters, Apr 10, 2004
    #9
  10. johns (Guest)


    > Johns, what sort of payload can a Javascript program release which
    > might cause me damage. For example, can it put a program on my
    > hard drive?


    It can put a program right in startup, and run every time
    you boot up ... worse, it can put a line in the registry to
    startup on boot. When you "look" at code, you are
    running it. When you are browsing, you are looking
    at code. The code runs according to where it is
    addressed .. and that is the entire thing. If the address
    is malicious, too bad. That is why computers are so
    easy to hack. If an email written in html contained
    something as simple as ( not exact ... %20 %20 ),
    and you "looked" at it, your computer would reboot.
    You can name a file on your desktop that same
    name, and if you click on it, your computer will
    reboot. There's another one that I've seen try to
    get to the hard drive media descriptor byte. That hard
    drive won't boot again .. period .. an oldie but a
    goodie. That is nothing but a byte going to an
    address. Viruses don't do that anymore. Now they
    have a mission ... generally it is to use your hardware
    for free, and push commercial advertisements
    at zero cost to them. Or it is to steal music files.
    Think of the Internet as nothing but a guy sitting
    at your keyboard. The Internet is simply another
    input device. No defense except re-image and
    proper use.

    johns
     
    johns, Apr 12, 2004
    #10
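    Posts #9 and #10 between them describe what an HTML file has to
    contain to act as a dropper, and why it matters which zone it opens
    in: something that executes outside the page (ActiveX, a shell
    object), something that writes to disk, and something that registers
    the written file to start at boot. The following is an added example,
    not code from the thread and not tied to the Kaspersky description
    linked in post #1: a Node.js script that statically triages a suspect
    HTML file for exactly those constructs, so the file the AV flagged can
    be read without opening it in a browser. The indicator list, the
    verdict rule and the two sample files are constructed for this
    example.

```javascript
// Added example (not from the thread): static triage of a suspect HTML file.
// Lists the constructs that would let the page act as a dropper if it were
// opened in a browser where script and ActiveX are allowed (IE, My Computer
// zone). Indicator list and sample files are constructed here.

var INDICATORS = [
  { name: "script block",          re: /<script\b[^>]*>/gi },
  { name: "VBScript",              re: /(?:language|type)\s*=\s*["']?(?:text\/)?vbscript/gi },
  { name: "ActiveX instantiation", re: /new\s+ActiveXObject\s*\(\s*["']([^"']+)["']/gi },
  { name: "object element",        re: /<object\b[^>]*classid\s*=\s*["']?clsid:([0-9a-f-]+)/gi },
  { name: "shell execution",       re: /\bWScript\.Shell\b|\.Run\s*\(|\.ShellExecute\s*\(/gi },
  { name: "file system access",    re: /Scripting\.FileSystemObject|ADODB\.Stream|\.SaveToFile\s*\(/gi },
  { name: "registry write",        re: /\.RegWrite\s*\(/gi },
  { name: "autostart location",    re: /\\+CurrentVersion\\+Run(?:Once)?\b|Programs\\+Startup/gi },
  { name: "hidden frame",          re: /<iframe\b[^>]*(?:width|height)\s*=\s*["']?0\b/gi }
];

// Returns every indicator hit with its character offset and the captured
// detail (ProgID, CLSID) where the pattern has a capture group.
function triageHtml(html) {
  var findings = [];
  for (var i = 0; i < INDICATORS.length; i++) {
    var ind = INDICATORS[i];
    ind.re.lastIndex = 0;
    var m;
    while ((m = ind.re.exec(html)) !== null) {
      findings.push({ indicator: ind.name, detail: m[1] || m[0], offset: m.index });
    }
  }
  return findings;
}

// A dropper needs both halves: something that executes outside the page's
// sandbox and something that writes to disk or to an autostart location.
function verdict(findings) {
  var seen = {};
  for (var i = 0; i < findings.length; i++) seen[findings[i].indicator] = true;
  var executes = seen["ActiveX instantiation"] || seen["object element"] ||
                 seen["shell execution"] || seen["VBScript"];
  var persists = seen["file system access"] || seen["registry write"] ||
                 seen["autostart location"];
  if (executes && persists) return "dropper-like";
  if (executes || seen["script block"] || seen["hidden frame"]) return "active content";
  return "static";
}

// Constructed sample of what a file flagged like the one in the thread might
// contain. Nothing in it runs: it is a string being scanned.
var SAMPLE_SUSPECT = [
  '<html><head><title>report</title></head><body>',
  '<p>Nothing to see here.</p>',
  '<script language="JScript">',
  '  var fso = new ActiveXObject("Scripting.FileSystemObject");',
  '  var sh  = new ActiveXObject("WScript.Shell");',
  '  sh.RegWrite("HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\Updater",',
  '              "c:\\\\temp\\\\u.exe", "REG_SZ");',
  '</script>',
  '</body></html>'
].join("\n");

// Constructed benign page: script, but nothing that leaves the browser.
var SAMPLE_BENIGN = '<html><body><h1>Hi</h1><script>document.write(new Date());</script></body></html>';

// Human-readable summary, one finding per line.
function report(html) {
  var f = triageHtml(html);
  var lines = [verdict(f) + " (" + f.length + " indicators)"];
  for (var i = 0; i < f.length; i++) {
    lines.push("  @" + f[i].offset + " " + f[i].indicator + ": " + f[i].detail);
  }
  return lines.join("\n");
}

// Usage:  node triage-html.js suspect.html   (no argument scans the sample)
if (typeof require !== "undefined" && require.main === module) {
  var fs = require("fs");
  var input = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_SUSPECT;
  console.log(report(input));
}
```

    On the constructed sample this reports "dropper-like" with the two
    ProgIDs, the RegWrite call and the Run key; on the benign page it
    reports "active content". Two caveats: the script only reads the
    file, so it says what the page could do if the zone allows ActiveX
    and scripting, not what it did on the poster's machine; and plain
    pattern matching is easy to defeat with string building or encoding,
    so a clean result here is a reason to keep looking, not a clean bill.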