From: Virus Guy on 17 Mar 2010 22:44

Ant wrote:

> I have Java disabled in Firefox since it's rare that a site
> requires it for navigation. However, I suspect VG means
> Javascript. I also have Acrobat set to not display PDFs
> in a browser (I download them instead) and don't have any
> plugins installed for Firefox.

I have Firefox (2.0.0.20) configured to ask me what to do with pdf files, with the default being to save them to a user-specified directory.

Normally when I point Firefox at a pdf file, Firefox will put up the "what do you want to do with this file" dialog box, with the default being "save to file". If it's a file I want to read, I can instead select "open file". Right after that, Acrobat will open in its own window and display the file. This is in spite of the fact that in acrobat, I have "display pdf in browser" set to yes. I notice that I also have "Enable Acrobat Javascript" set to yes (ok that's dumb). This is reader 6.0.2.

I was fooling around with some links at malwaredomainlist.com and one (or more) of those links, when executed in Firefox, resulted in Acrobat reader opening and (I guess) trying to render some file. The "save to file" dialog box did not happen. My Firefox agent string has been set to OS=XP, Firefox= 3.1.something (I'm running win-98).

I'm trying to figure out what or how or why acrobat reader was launched by whatever I was pointing Firefox at. The pdf file that I posted about in another thread came from my firefox cache at about the same time that I was messing with those malwaredomain URLs.

The only PDF files that I've seen in the past that are very small and have script code in them like that were usually malware.

From: Virus Guy on 17 Mar 2010 22:47

"David H. Lipman" wrote:

> >> {AC76BA86-1033-F400-7760-000000000004}
>
> | I don't have that clsid in my registry. Instead I have this:
>
> | {AC76BA86-7AD7-1033-7646-A00000000001}
>
> | Or maybe this?
>
> | {B801CA65-A1FC-11D0-85AD-444553540000}
>
> {AC76BA86-7AD7-1033-7646-A00000000001}
> Do you have Adobe Reader v6.01 ?

In the About window it says 6.0.2.

> {B801CA65-A1FC-11D0-85AD-444553540000}
> Adobe Reader 4.0 ?

This computer has Acrobat distiller installed on it, and I think it's version 4. This allows "print to pdf" so that print-outs can be e-mailed when necessary.

From: Ant on 17 Mar 2010 23:08

"David H. Lipman" wrote:

> From: "Ant":
>| Since FF doesn't do ActiveX I would expect it not to use COM or other
>| MS specific technologies. That would be more work for maintaining the
>| code base which must also be used for non-Windows systems. However,
>| there is a plugin to enable the use of ActiveX, so I'm not sure what's
>| to stop developers using COM in plugins for other things. Interesting
>| question and I don't have a FF Adobe plugin to check.
>
> OK....

Well, not quite!

Checking Firefox.exe itself and some Mozilla DLLs shows I'm wrong about COM usage. They do import from ole32.dll and oleaut32.dll so it is using COM automation internally after all. Because of Mozilla's stance on ActiveX (they say it's a security risk) I'm hoping none of this is able to be invoked directly by web pages through the Gecko or SpiderMonkey engines; for example, being able to instantiate a PdfCtrl object with javascript.

From: David H. Lipman on 17 Mar 2010 23:20

From: "Ant" <not(a)home.today>

| "David H. Lipman" wrote:
>> From: "Ant":
>>| Since FF doesn't do ActiveX I would expect it not to use COM or other
>>| MS specific technologies. That would be more work for maintaining the
>>| code base which must also be used for non-Windows systems. However,
>>| there is a plugin to enable the use of ActiveX, so I'm not sure what's
>>| to stop developers using COM in plugins for other things. Interesting
>>| question and I don't have a FF Adobe plugin to check.

>> OK....

| Well, not quite!

| Checking Firefox.exe itself and some Mozilla DLLs shows I'm wrong
| about COM usage. They do import from ole32.dll and oleaut32.dll so
| it is using COM automation internally after all. Because of Mozilla's
| stance on ActiveX (they say it's a security risk) I'm hoping none of
| this is able to be invoked directly by web pages through the Gecko or
| SpiderMonkey engines; for example, being able to instantiate a PdfCtrl
| object with javascript.

I thought so but I don't know for sure.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

From: Virus Guy on 17 Mar 2010 23:24

Ant wrote:

> I suspect VG means Javascript.

What sub-system is responsible for handling / executing Javascript?

Is there anything like a single Javascript "control-panel" - or engine?

Or does every app handle Javascript internally - all by itself?