CalamityKen Warrior Addict

Joined: 06 Mar 2004 Last Visit: 26 Aug 2004 Posts: 611 Location: Ont. Canada
Posted: Fri Apr 09, 2004 9:34 am Post subject: Vulnerability in Internet Explorer ITS Protocol Handler
Quote:
Description
There is a cross-domain scripting vulnerability in the way ITS protocol handlers determine the security domain of an HTML component stored in a Compiled HTML Help (CHM) file. The HTML Help system "...uses the underlying components of Microsoft Internet Explorer to display help content. It supports HTML, ActiveX, Java, [and] scripting languages (JScript, and Microsoft Visual Basic Scripting Edition)." CHM files use the InfoTech Storage (ITS) format to store components such as HTML files, graphic files, and ActiveX objects. IE provides several protocol handlers that can access ITS files and individual CHM components: its:, ms-its:, ms-itss:, and mk:@MSITStore:. IE also has the ability to access parts of MIME Encapsulation of Aggregate HTML Documents (MHTML) using the mhtml: protocol handler.
http://www.us-cert.gov/cas/techalerts/TA04-099A.html
The fix requires brutal surgery of the Windows Local Machine Zone, resulting in the Help system not working.
Install a HOSTS file that stops the(se) site(s) that exploit this vulnerability.
http://webpages.charter.net/hpguru/hosts/hosts.html
Also install a Custom Entry in SpywareBlaster.
Name=CHM exploit | hard-virgins.com
CLSID={11111111-1111-1111-1111-111111111157}
http://www.mvps.org/winhelp2002/blaster.htm
_________________ Install IE-SPYAD and SpywareBlaster, updated regularly, available in the following links.
How did I get infected? http://boards.cexx.org/viewtopic.php?t=957
Calendar Of Updates http://www.dozleng.com/updates/index.php?&act=calendar
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 22 May 2013 Posts: 10271 Location: sunny California
Posted: Fri Apr 09, 2004 7:12 pm
TeMerc - I don't know what I did, but you're welcome.
CalamityKen - on that page with the custom entries for SpywareBlaster, does it mean that all those shown there should be added? I wasn't clear on that.
_________________ Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
CalamityKen Warrior Addict

Joined: 06 Mar 2004 Last Visit: 26 Aug 2004 Posts: 611 Location: Ont. Canada
Posted: Sat Apr 10, 2004 12:42 am
Suzi, they should all be added until the next update of SpywareBlaster.
An easy way to add new entries:
Quote:
With SpywareBlaster closed, create a file in its stored folder called customblocking.txt
It has the format:
[Header]
ListNumber=31
[0]
Name=Backdoor.Autoupder (1)
CLSID={6541B981-2E27-46B1-A2CC-8264A75B74FE}
[1]
Name=Backdoor.Autoupder (2)
CLSID={C76BE992-2BC3-41A4-8B87-A8C01FE419A7}
[2]
Name=Backdoor.Autoupder (3)
CLSID={9A05FE9B-5B52-4D13-A77D-FA7C38557A8E}
[3]
Name=Backdoor.Autoupder (4)
CLSID={C76BE992-2BC3-41A4-8B87-A8C01FE419A7}
[4]
Name=Backdoor.Autoupder (5)
CLSID={F53C844A-D9C8-4E92-B923-C05B46C4A7E3}
[5]
Name=Backdoor.Autoupder (6)
CLSID={FBE091E5-DF43-4FFB-AECC-7E3A3BC7B0D9}
[6]
Name=BrowserAid/Startium stlbupdt.dll
CLSID={2CF0B992-5EEB-4143-99C2-5297EF71F44B}
[7]
Name=ClearStream Accelerator
CLSID={D319662B-D5BF-4538-ADF3-8D3E36362608}
[8]
Name=ClientMan | urlclia30956de.dll
CLSID={94927A13-4AAA-476A-989D-392456427688}
[9]
Name=CoolWebSearch.MSSearch
CLSID={E2DDF680-9905-4DEE-8C64-0A5DE7FE133C}
[10]
Name=CoolWebSearch.xpsystem | CWS.Yexe
CLSID={5321e378-ffad-4999-8c62-03ca8155f0b3}
[11]
Name=CWS.Xmlmimefilter | Trojan.Bookmarker.F
CLSID={53B95211-7D77-11D2-9F80-00104B107C96}
[12]
Name=E-card Exploit
CLSID={11111111-1111-1111-1111-111111111113}
[13]
Name=HungryHands | dlsearchbar.com
CLSID={BCF96FB4-5F1B-497B-AECC-910304A55011}
[14]
Name=HuntBar.ctoolb
CLSID={339BB23F-A864-48C0-A59F-29EA915965EC}
[15]
Name=IncrediFindBHO
CLSID={5D60FF48-95BE-4956-B4C6-6BB168A70310}
[16]
Name=NetworkEssentials | SmartPops.RH.exe
CLSID={E79061BA-B6E7-4A9D-A07C-C3CB561013B4}
[17]
Name=Parasite.Whazit
CLSID={D5B72AED-E54A-11D6-B1B2-444553540000}
[18]
Name=PeopleOnPage.AproposMedia
CLSID={01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}
[19]
Name=PHP_BIZAI.A CLASSID exploit
CLSID={11111111-1111-1111-1111-111111111123}
[20]
Name=PowerStrip | adsvr.net
CLSID={A7E84D65-E121-4855-8EF0-C96195925F82}
[21]
Name=Redswoosh.com rsinstaller.cab
CLSID={FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75}
[22]
Name=TROJ_IEFEATS.A | CWS.IEFeats
CLSID={FD9BC004-8331-4457-B830-4759FF704C22}
[23]
Name=TROJ_IEFEATS.A | CWS.IEFeats (2)
CLSID={587DBF2D-9145-4c9e-92C2-1F953DA73773}
[24]
Name=TROJ_IEFEATS.A | CWS.IEFeats (3)
CLSID={FD9BC004-8331-4457-B830-4759FF704C22}
[25]
Name=TROJ_IEFEATS.A | CWS.IEFeats (4)
CLSID={587DBF2D-9145-4c9e-92C2-1F953DA73773}
[26]
Name=TROJ_IEFEATS.A | LizardBar
CLSID={2E9CAFF6-30C7-4208-8807-E79D4EC6F806}
[27]
Name=TROJ_MUSS.A | comload.dll
CLSID={9E1089BC-1AE8-4685-8D77-6721E5C318A8}
[28]
Name=TROJ_PSYME.A
CLSID={1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB2}
[29]
Name=Trojan.Bookmarker.C
CLSID={3F143C3A-1457-6CCA-0A7-7AA23B61E40F}
[30]
Name=Winpage Blocker | WinPage.dll
CLSID={12DF6E3E-6272-4AE8-880B-2158D60791C0}
Nick Site Admin

Joined: 27 Feb 2004 Last Visit: 28 Aug 2012 Posts: 3913 Location: California
Posted: Sat Apr 10, 2004 2:47 am
So who is the one who comes up with these CLSIDs to add?
_________________ Nick's Security Ticker
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 22 May 2013 Posts: 10271 Location: sunny California
Posted: Sat Apr 10, 2004 11:01 am
Creating that text file is a lot easier than adding all those individually! Thanks.
What goes here: [Header] - Does something go inside the brackets, or just the word Header like shown there?
iceblue Warrior Guru

Joined: 18 Jan 2004 Last Visit: 11 Apr 2006 Posts: 392 Location: Sydney
Posted: Sat Apr 10, 2004 2:07 pm
Just the [Header] Suzi,
and the list total as a number.
For the example above:
If you have 31 entries 0-30;
e.g.
[Header]
ListNumber=31
_________________
Travel safely !
Last edited by iceblue on Sat Apr 10, 2004 9:41 pm; edited 1 time in total
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 22 May 2013 Posts: 10271 Location: sunny California
Posted: Sat Apr 10, 2004 6:37 pm
Got it Iceblue - thanks!
And - when you say "stored folder" do you mean the SpywareBlaster folder in the program files? That's the only folder I see for it. All I see in it is five files with .sss at the end.
CalamityKen Warrior Addict

Joined: 06 Mar 2004 Last Visit: 26 Aug 2004 Posts: 611 Location: Ont. Canada
Posted: Sat Apr 10, 2004 8:00 pm
Suzi, it should have the spywareblaster.exe in that folder.
C:\Program Files\SpywareBlaster
Here is my current file:
Code:
[Header]
ListNumber=23
[0]
Name=ADW_SCANPORTAL.A | AdRoator (1)
CLSID={34EF5B1C-52CB-400b-8B7C-F787018B3826}
[1]
Name=ADW_SCANPORTAL.A | AdRoator (2)
CLSID={3E7145B1-EA07-42CE-9299-11DF39FF54BD}
[2]
Name=Backdoor.Autoupder (1)
CLSID={6541B981-2E27-46B1-A2CC-8264A75B74FE}
[3]
Name=Backdoor.Autoupder (2)
CLSID={C76BE992-2BC3-41A4-8B87-A8C01FE419A7}
[4]
Name=Backdoor.Autoupder (3)
CLSID={9A05FE9B-5B52-4D13-A77D-FA7C38557A8E}
[5]
Name=Backdoor.Autoupder (4)
CLSID={F53C844A-D9C8-4E92-B923-C05B46C4A7E3}
[6]
Name=Backdoor.Autoupder (5)
CLSID={FBE091E5-DF43-4FFB-AECC-7E3A3BC7B0D9}
[7]
Name=BrowserAid/Startium | stlbupdt.dll
CLSID={2CF0B992-5EEB-4143-99C2-5297EF71F44B}
[8]
Name=CHM exploit | capital-systems.net
CLSID={11113111-1411-1611-8111-111111111413}
[9]
Name=CHM exploit | hard-virgins.com
CLSID={11111111-1111-1111-1111-111111111157}
[10]
Name=ClientMan
CLSID={0982868C-47F0-4EFB-A664-C7B0B1015808}
[11]
Name=ClientMan | urlclia30956de.dll
CLSID={94927A13-4AAA-476A-989D-392456427688}
[12]
Name=HuntBar.ctoolb
CLSID={339BB23F-A864-48C0-A59F-29EA915965EC}
[13]
Name=IncrediFindBHO
CLSID={5D60FF48-95BE-4956-B4C6-6BB168A70310}
[14]
Name=NetworkEssentials | SmartPops.RH.exe
CLSID={E79061BA-B6E7-4A9D-A07C-C3CB561013B4}
[15]
Name=PeopleOnPage.AproposMedia
CLSID={01C5BF6C-E699-4CD7-BEA1-786FA05C83AB}
[16]
Name=PHP_BIZAI.A | Trojan.Ibiza
CLSID={11111111-1111-1111-1111-111111111123}
[17]
Name=Redswoosh.com | rsinstaller.cab
CLSID={FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75}
[18]
Name=SubSearch | 01A00.DLL
CLSID={00F16DC8-1B2A-42F4-B18B-E21DA9D2D7FD}
[19]
Name=Trojan.Bookmarker.C
CLSID={3F143C3A-1457-6CCA-0A7-7AA23B61E40F}
[20]
Name=Visicom Toolbar | pickoftheweb.com
CLSID={4E7BD74F-2B8D-469E-C0FF-FD7BA09AAA7D}
[21]
Name=WebHelper | browserplugin.com
CLSID={1BDD55B8-3985-4E59-B906-5E0AD56D6710}
[22]
Name=Winpage Blocker | WinPage.dll
CLSID={12DF6E3E-6272-4AE8-880B-2158D60791C0}
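The customblocking.txt layout CalamityKen describes (a [Header] with ListNumber, then numbered [0], [1], ... sections each carrying Name= and CLSID=) and iceblue's rule that ListNumber must equal the number of entries are easy to get wrong by hand, and the lists posted in this thread show exactly the slips that creep in: repeated CLSIDs and one GUID with a three-digit group. The checker below is an added example written for this page, not SpywareBlaster's own code; it assumes nothing about the program beyond the file format shown in the thread, and its sample input is constructed from entries quoted above with defects planted on purpose.

```python
import re
from collections import Counter

# Constructed sample in the customblocking.txt layout from the thread. Planted defects:
# ListNumber overstates the count, [2] repeats the CLSID of [1], [3] has a 3-digit group.
SAMPLE = """[Header]
ListNumber=5
[0]
Name=CHM exploit | hard-virgins.com
CLSID={11111111-1111-1111-1111-111111111157}
[1]
Name=Backdoor.Autoupder (2)
CLSID={C76BE992-2BC3-41A4-8B87-A8C01FE419A7}
[2]
Name=Backdoor.Autoupder (4)
CLSID={C76BE992-2BC3-41A4-8B87-A8C01FE419A7}
[3]
Name=Trojan.Bookmarker.C
CLSID={3F143C3A-1457-6CCA-0A7-7AA23B61E40F}
"""
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def parse_blocklist(text):
    """Return (ListNumber, entries); each entry is {"index", "Name", "CLSID"}."""
    list_number, entries, current = None, [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line[0] == "[" and line[1:-1].isdigit():      # numbered entry section
            current = {"index": int(line[1:-1])}
            entries.append(current)
        elif "=" in line:
            key, value = line.split("=", 1)
            if current is None and key == "ListNumber":  # still inside [Header]
                list_number = int(value)
            elif current is not None:
                current[key] = value
    return list_number, entries

def check_blocklist(text):
    """Return the consistency problems found; an empty list means the file is clean."""
    list_number, entries = parse_blocklist(text)
    problems = []
    if list_number != len(entries):
        problems.append(f"ListNumber={list_number} but {len(entries)} entries present")
    for expected, e in enumerate(entries):
        if e["index"] != expected:
            problems.append(f"section [{e['index']}] where [{expected}] was expected")
        if not GUID_RE.match(e.get("CLSID", "")):
            problems.append(f"[{e['index']}] malformed CLSID {e.get('CLSID')}")
    counts = Counter(e.get("CLSID") for e in entries)
    problems += [f"duplicate CLSID {c} ({n} entries)" for c, n in counts.items() if n > 1]
    return problems
```

Running check_blocklist over a real customblocking.txt before restarting SpywareBlaster reports the three planted defects on the sample and nothing on a consistent file.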
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 22 May 2013 Posts: 10271 Location: sunny California
Posted: Sat Apr 10, 2004 8:06 pm
Hmmm... spywareblaster.exe is not in that folder. Odd. I'll have to search for it. Thanks.
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 22 May 2013 Posts: 10271 Location: sunny California
Posted: Sun Apr 11, 2004 7:50 pm
Quote:
Hmmm... spywareblaster.exe is not in that folder
I found out why - I downloaded the new version when it first came out, but forgot to install it. Sometimes I scare myself...
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
Posted: Mon Apr 12, 2004 1:19 pm
Hello Suzi, I did a few single blocking ones through the SpywareBlaster GUI and it created this txt file in the program folder itself, not that I could find the exe file you're looking for. So just putting it in the program folder should work just fine.
But to update new ones, just open the txt file and copy-paste the new ones in.
_________________ RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd