RE: Trojan Programs from web site link in Security_Wire_Digest@bdcimail.com newsletter

[BRAD GRIFFIN]

Looks like your McAfee software is using a less than stellar implementation of content 
filtering to detect this 'exploit'. There has been some discussion on content based 
filtering in the focus-virus list.
I'd suggest referring it to your McAfee support people and express your concerns.
The page is benign and contains only code snippets as samples:

<b>Exploit:</b>
<p>This example attempts to read content from "c:/test.txt".</p>
<p id="oCode">
&lt;link id="oFile" rel="stylesheet" href="file://c:/test.txt" disabled&gt;<br>
&lt;script language="jscript"&gt;<br>
onload=function () {<br>
����alert(document.styleSheets.oFile.cssText || "Could not extract any text from 
file.");<br>
}<br>
&lt;/script&gt;
</p>

Cheers,
Brad

> -----Original Message-----
> From: David Lane [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 2:36 AM
> To: [EMAIL PROTECTED]
> Subject: Trojan Programs from web site link in
> [EMAIL PROTECTED] newsletter
> 
> 
> Hello, In a newsletter I received from Security Wire Digest 
> on May 20, 2002
> they have a link to a web site that when clicked attempts to 
> download two
> Trojan programs, which were blocked on my machine by McAfee 
> software which I
> have set to scan all download files.  I sent a notice back to 
> Security Wire,
> below, but have not received a response and I just clicked on 
> the link again
> and it is still trying to download the Trojans.  I just wanted to make
> others aware of this problem and also to ask if anyone else 
> had problems
> with this organization.  I am ready to unsubscribe to this 
> newsletter unless
> I get a response from them.  Do not click on the link unless 
> you have your
> virus software set to scan all files that are downloaded.
> 
> Message to Security Wire:
> 
> subject:RE: SECURITY WIRE DIGEST, VOL. 4, NO. 39, MAY 20, 2002
> 
> Security Wire personnel:
> 
> Please note when I clicked on the link in your newsletter,
> "http://sec.greymagic.com/adv/gm004-ie"; the web site 
> attempted to download
> two Trojan programs to my computer.  The files were 
> identified by McAfee as
> MIA2B4ff and MV8R26CG.  Both were listed a variants or 
> JS/Espolint-LocalCSS.
> I repeated this process twice with the same results.
> 
> David Lane
> University of California Santa Cruz
> Internal Audit and advisory services
>