SANS ISC: Correction - Yahoo! Data Grid CLSID SANS ISC InfoSec Forums

Correction - Yahoo! Data Grid CLSID

Pretty much every news outlet appears to be reporting the incorrect CLSID for the Yahoo! Data Grid ActiveX component.  Alert reader Iain pointed this out to us.  It appears that the original mistake happened somewhere back in the chain of things and has simply been perpetuated...

The actual CLSID of the Yahoo! Data Grid: 5F810AFC-BB5F-4416-BE63-E01DD117BD6C
(ref: http://mep.music.yahoo.com/plugins/docs/webquickstart_page.html)

Almost all of the stories that we've seen have listed the CLSID with an extra "2" on the end.

And yes, I was bitten by the issue...  The programs that I wrote to set killbits used the incorrect CLSID.

So... I've gone back and altered the killbit setting apps.  The updated files are available at the links listed below:

The GUI version can be found here (KillBitGui-Feb08.exe - 4096 bytes - MD5: 9428b9c3778b68e768448ca52c7d8dfd)
The CLI version can be found here (KillBitCLI-Feb08.exe - 4608 bytes - MD5: 30c151ab6de460f5844e9b5826495911)

I'll also update older diary posts to reflect the correct CLSID because they have been linked from other sites.

(A big "thank you" to Iain for pointing this out...)

Tom Liston - Senior Security Consultant - Intelguardians

Tom
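A check that catches this class of mistake, as an added example (not the code of the killbit tools linked above): it validates the 8-4-4-4-12 CLSID form and audits a .reg export for kill bits written under malformed keys. The registry path and the 0x400 Compatibility Flags value are the standard IE kill-bit location rather than something stated on this page, and the sample export and function names are constructed for illustration.

```python
import re

# Standard IE kill-bit location (assumption: not stated on the page itself).
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
DATA_GRID_CLSID = "5F810AFC-BB5F-4416-BE63-E01DD117BD6C"  # corrected value from the post

CLSID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
KEY_RE = re.compile(r"^\[" + re.escape(KILLBIT_KEY) + r"\\\{?([^}\]]*)\}?\]$", re.I)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)

def valid_clsid(text):
    """True only for the canonical 8-4-4-4-12 hex form (braces optional)."""
    return CLSID_RE.fullmatch(text.strip().strip("{}")) is not None

def reg_entry(clsid):
    """Build one kill-bit entry in .reg syntax (used for the constructed sample)."""
    return '[%s\\{%s}]\n"Compatibility Flags"=dword:00000400\n\n' % (KILLBIT_KEY, clsid)

def audit_reg(reg_text):
    """Return (clsid, well_formed, killbit_set) for each kill-bit key in a .reg export."""
    results, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = [key.group(1).upper(), valid_clsid(key.group(1)), False]
            results.append(current)
        elif line.startswith("["):
            current = None  # some other registry key; stop attributing values
        elif current is not None:
            flag = FLAG_RE.match(line)
            if flag:
                current[2] = bool(int(flag.group(1), 16) & 0x400)
    return [tuple(r) for r in results]

def is_killed(reg_text, clsid):
    """True if a well-formed key for this exact CLSID carries the kill bit."""
    want = clsid.strip().strip("{}").upper()
    return any(c == want and ok and killed for c, ok, killed in audit_reg(reg_text))

# Constructed sample: an export written with the widely reported CLSID (extra "2").
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + reg_entry(DATA_GRID_CLSID + "2")

if __name__ == "__main__":
    for clsid, ok, killed in audit_reg(SAMPLE_REG):
        print(clsid, "well-formed" if ok else "MALFORMED", "killbit" if killed else "no killbit")
    print("Data Grid control blocked:", is_killed(SAMPLE_REG, DATA_GRID_CLSID))
```

The malformed key is accepted by the registry without complaint, which is why the kill bit appears to be set while the real control stays loadable.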

You need to update your link for the command line version. You forgot the tliston part.
Anonymous