User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:184.108.40.206) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:220.127.116.11) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Downloads and executes malicious code.
Reproducible: Always
Steps to Reproduce:
1. Log on to website.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.3a1pre) Gecko/20091207 Minefield/3.7a1pre I get a blank page.
Component: General → Security
QA Contact: general → firefox
I get a PDF download dialog (which will start a download in the background) or, if you have a PDF plugin installed, it should display the PDF using your installed PDF viewer.
Reporter: How do you know that it executes malicious code?
With JS disabled I only had a list of links. Then I temporarily enabled JS via NoScript, and immediately got a warning from my virus scanner that there is a suspicious file on my hard disk. I didn't see the path, so I assume it's in the browser's cache. No, it's not in the cache, but plugin-example.pdf wants to be stored in c:/documents&settings/[user]/local settings/temp/plugtmp-61, and Avira blocks it as it is recognized as EXP/Piedief.AZ.50. The path is German, so I tried to translate it....
Created attachment 416721: common.js is recognized as HTML/Crypt.Gen. and contains a huge eval() function to unpack the trojan.
Created attachment 416725: zip file sdfg.txt containing AppletX.class, LoaderX.class. Attachment 416721 is the HTML script virus HTML/crypt.gen. This file, sdfg.txt, is a zip file containing the malware. Both were found in the directory index_data_002 after downloading the URL using 'Save as Web Page, complete'. Using 7zip, sdfg.txt generates a directory named myf containing the files AppletX.class and LoaderX.class.
Created attachment 416726: AppletX.class. Antivir recognizes common.js as Name: HTML/Crypted.Gen Detected on: 18/07/2007 Type: Trojan HTML/Crypted.Gen Description: HTML malware uses browser functionality such as Java and VisualBasic Script. The scripts written with these are small and often very simple encryption routines that hide the malicious parts of the script. This encrypted malware is detected as HTML/Crypted.Gen. Antivir doesn't recognize sdfg.txt, LoaderX.class, AppletX.class.
Comment on attachment 416726: AppletX.class. Changed MIME type from application/octet-stream to text/plain, as I don't want to infect somebody.
Attachment #416726 - Attachment mime type: application/octet-stream → text/plain
confirming website as malicious, but that's not a browser problem?
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is not a browser exploit, which makes this report invalid. This page tries to exploit some plugins. The class files are Java files, and the page also tries to exploit Adobe Acrobat with a PDF. Whether you can get infected depends on whether you have the latest plugin version installed, or whether the page tries to exploit unfixed security holes in the plugins. That you get a warning from AV software doesn't mean that it executes remote code, and a browser always downloads all the code that a website wants (into the cache or as a temp file for plugin/helper applications). Use http://www.mozilla.com/en-US/plugincheck/ to be sure that you have the latest plugins installed, and I suggest using http://secunia.com/vulnerability_scanning/personal/ to be sure that you always have the latest versions installed. The virus scan results for the 2 PDFs from the website are here: http://www.virustotal.com/analisis/44e493ebe16fa6f5e5b174479f08ac1bdcd1e91e01bdcbd87af6d5765d4068eb-1260369730 http://www.virustotal.com/analisis/db16ba4b3029244b4d900648e443a3f0c71bef835987c44476d1f3817a1c629d-1260227954 You should probably contact the plugin vendors, but I'm sure Adobe already knows about these security holes because the files are detected by antivirus software.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID