Dropper in web page?


Piotr Makley

I download a zipped file from the Usenet. Inside was an html file.

My AV software said it contained "dropper.runme". When I looked
this up on the net I found this:

http://www.avp.ch/avpve/multip2/navrhar.stm

But I can't see how a virus or trojan dropper could work when I
look at an html file with my browser. Can someone explain this to
me please.
 
I download a zipped file from the Usenet. Inside was an html file.

My AV software said it contained "dropper.runme". When I looked
this up on the net I found this:

http://www.avp.ch/avpve/multip2/navrhar.stm

But I can't see how a virus or trojan dropper could work when I
look at an html file with my browser. Can someone explain this to
me please.

Browsers, like any software, can have design flaw vulnerabilities.
With browsers, there are also scripting vulnerabilities. Particularly
in the case of IE, if you have ActiveX enabled, you are just asking
for a web site to take control of your PC.

Use an alternate browser to minimize the risks. Mozilla or Moz based
browsers are recommended. Opera is another alternative.


Art
http://www.epix.net/~artnpeg
 
Browsers, like any software, can have design flaw
vulnerabilities. With browsers, there are also scripting
vulnerabilities. Particularly in the case of IE, if you have
ActiveX enabled, you are just asking for a web site to take
control of your PC.

How do I disable ActiveX in IE?
 
Open IE, click on TOOLS|Internet Options and then click Security tab. Click
on Internet and then click on Custom Level. There is an ActiveX area to set
what you want.
 
Piotr Makley said...
I download a zipped file from the Usenet. Inside was an html file.

My AV software said it contained "dropper.runme". When I looked
this up on the net I found this:

http://www.avp.ch/avpve/multip2/navrhar.stm

But I can't see how a virus or trojan dropper could work when I
look at an html file with my browser. Can someone explain this to
me please.

Did the html file open a webpage with an MS Word document embedded
inside?
 
kulm_nd said:
Open IE, click on TOOLS|Internet Options and then click Security tab. Click
on Internet and then click on Custom Level. There is an ActiveX area to set
what you want.

All fine, well, and good, but the problem is that an unzipped
HTML file could easily be running in the "My Computer"
security zone which isn't (by default) listed as a zone that
can be configured as you have suggested. The same HTML
in usenet would be in the restricted zone on my system, in
the internet zone (which I have tweaked somewhat) if I
viewed it while browsing. There are some registry hacks
which can add a tab to the zone listing for the local "My
Computer" zone, or to manually set that zone for greater
security.

Some information is here:

http://support.microsoft.com/default.aspx?scid=KB;en-us;q182569

Others should be able to supply more info if needed.
 
Gee! An intelligent discussion for once! Amazing!

Use a combo of f-secure or McAfee ( NOT symantec )
and Pop-Up-Stopper to keep Javascript turned off.
That will stop these things. A firewall will have no effect
whatsoever. This was an example of a very old one.
We've got easily 6 years worth of improvement in these
things coming at us every day. NOTE: AdAware and
Spybot cannot detect or remove these "droppers". All
they will do is detect the reinfection that occurs after they
so-called "clean" your system. If you get one of the
commercial ( scumware like Bargain Buddy ) versions,
the best protection is a disk imaging program ( and
at least an 80 gig drive ) that can simply write over
everything and restore your system. I use PowerQuest
2002 ... but I believe Symantec just bought them out.
Hopefully, Symantec will get a clue and follow their
lead. Symantec certainly can't write a decent program
anymore. They really need to get PeterN back. Most
of these "droppers" are not viruses anymore. They
are commercial ad-ware and homepage hi-jackers,
and they are very sophisticated ... and nasty to clean.
You have to clean them manually by searching on
dates and then running AdAware over and over until
the stuff stops re-infecting. Takes all day to do that,
plus a little luck. Reimaging takes maybe an hour at
most, and you are back up clean as a whistle, and
all you had to do was go get a cup of coffee.

johns
 
johns said:
Use a combo of f-secure or McAfee ( NOT symantec )
and Pop-Up-Stopper to keep Javascript turned off.
That will stop these things. A firewall will have no effect
whatsoever. This was an example of a very old one.
We've got easily 6 years worth of improvement in these
things coming at us every day. NOTE: AdAware and
Spybot cannot detect or remove these "droppers". All
they will do is detect the reinfection that occurs after they
so-called "clean" your system.

Johns, what sort of payload can a Javascript program release which
might cause me damage. For example, can it put a program on my
hard drive?

And secondly, can it run the program (or get the system to run it
at boot up) *without* my intervention? In other words, without me
double-clicking on something to start it off.
 
Piotr Makley said:
I download a zipped file from the Usenet. Inside was an html file.

In this context, a "webpage" and an "html file" might not be the same
thing.
My AV software said it contained "dropper.runme". When I looked
this up on the net I found this:

http://www.avp.ch/avpve/multip2/navrhar.stm

Does this description match what you have observed?
But I can't see how a virus or trojan dropper could work when I
look at an html file with my browser. Can someone explain this to
me please.

It is a matter of the security settings the html content is allowed to
run in. Scripting and ActiveX allowed to run when the "html file"
resides in the "My Computer" zone of some Windows versions
may give different results than the same content "webpage" residing
in the "Restricted" or "Internet" zone - depending on the settings of
those zones.
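An added example for the two posts above about the "My Computer" zone (illustration code written for this thread, not something any of the posters supplied). It is a small Python scanner that reports what an HTML file pulled out of a zip would be allowed to do if it were opened locally: it lists the script, object, applet, embed and iframe tags, flags script bodies that call ActiveXObject, and looks for Internet Explorer's "saved from url" comment (the Mark of the Web, which makes IE open a local file in the Internet zone instead of the My Computer zone). The sample HTML, the all-zero CLSID and the example.invalid host are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Tags that can run code or pull in other content when the security zone
# the file opens in permits scripting or ActiveX.
ACTIVE_TAGS = {"script", "object", "applet", "embed", "iframe"}

# IE's Mark of the Web comment, e.g. <!-- saved from url=(0014)about:internet -->.
# A local .htm file carrying it opens in the Internet zone; without it the
# file opens in the "My Computer" (Local Machine) zone.
MOTW_RE = re.compile(r"saved from url=\(\d{4}\)(\S+)", re.IGNORECASE)

# JScript running where ActiveX is allowed can instantiate COM objects this way.
ACTIVEX_RE = re.compile(r"ActiveXObject\s*\(", re.IGNORECASE)


class ActiveContentScanner(HTMLParser):
    """Collects active-content findings and the Mark of the Web, if present."""

    def __init__(self):
        super().__init__()
        self.findings = []          # list of (kind, detail) tuples
        self.mark_of_the_web = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            a = dict(attrs)
            # Record whichever attribute best identifies what the tag loads.
            detail = a.get("classid") or a.get("src") or a.get("data") or ""
            self.findings.append((tag, detail))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script and ACTIVEX_RE.search(data):
            first_line = data.strip().splitlines()[0][:80]
            self.findings.append(("activexobject", first_line))

    def handle_comment(self, data):
        m = MOTW_RE.search(data)
        if m:
            self.mark_of_the_web = m.group(1)


def scan_html(text):
    """Return a report: findings, Mark of the Web, and whether the active
    content would run under the local-machine zone's permissions."""
    scanner = ActiveContentScanner()
    scanner.feed(text)
    scanner.close()
    return {
        "mark_of_the_web": scanner.mark_of_the_web,
        "findings": scanner.findings,
        # Active content in a local file with no Mark of the Web is the
        # "My Computer" zone case discussed in the thread.
        "local_zone_risk": bool(scanner.findings) and scanner.mark_of_the_web is None,
    }


def scan_file(path):
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_html(fh.read())


# Constructed sample: an "html file" with an object tag, a script that
# instantiates a COM object, and a hidden iframe; no Mark of the Web.
SAMPLE_HTML = """<html><head><title>Free stuff</title></head>
<body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="x"></object>
<script language="JScript">
  var o = new ActiveXObject("WScript.Shell");
</script>
<iframe src="http://example.invalid/page.htm" width="0" height="0"></iframe>
</body></html>"""

# Constructed sample: a page saved from the Internet, plain content only.
CLEAN_HTML = """<!-- saved from url=(0014)about:internet -->
<html><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        report = scan_html(doc)
        print(name, "mark of the web:", report["mark_of_the_web"],
              "local-zone risk:", report["local_zone_risk"])
        for kind, detail in report["findings"]:
            print("   ", kind, detail)
```

Run it against the extracted .htm file with scan_file(path); a non-empty findings list together with a missing Mark of the Web is the case where the file, opened by double-clicking, would get the My Computer zone's permissions rather than the Internet or Restricted zone settings you configured in the Security tab.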
 
Johns, what sort of payload can a Javascript program release which
might cause me damage. For example, can it put a program on my
hard drive?

It can put a program right in startup, and run every time
you boot up ... worse, it can put a line in the registry to
startup on boot. When you "look" at code, you are
running it. When you are browsing, you are looking
at code. The code runs according to where it is
addressed .. and that is the entire thing. If the address
is malicious, too bad. That is why computers are so
easy to hack. If an email written in html contained
something as simple as ( not exact ... %20 %20 ),
and you "looked" at it, your computer would reboot.
You can name a file on your desktop that same
name, and if you click on it, your computer will
reboot. There's another one that I've seen try to
get to the hard drive media descriptor byte. That hard
drive won't boot again .. period .. an oldie but a
goodie. That is nothing but a byte going to an
address. Viruses don't do that anymore. Now they
have a mission ... generally it is to use your hardware
for free, and push commercial advertisements
at zero cost to them. Or it is to steal music files.
Think of the Internet as nothing but a guy sitting
at your keyboard. The Internet is simply another
input device. No defense except re-image and
proper use.

johns
 