Internet Exploiter


  03 February 2004


Exploits the fact that Microsoft Internet Explorer had a problem (fixed in this patch) where a cleverly constructed URL could appear to go to one site and actually take you to another.

Submitted by .


<a href= =01 %01 %[email protected]/~cnnurgen/microsoft/downloads/details.html></a>


1. This looks like:

2. Notice the use of =01 quoted-printable encoding to insert a non-printable ASCII character SOH (01) inside the URL.

3. Notice the use of % encoding to also insert the non-printable ASCII characters 01 and 00 (the latter being a standard string termination in C designed to fool filters that 'printf' the URL).

4. Notice the use of a URL username/password combination (cf Enigma/Bogus Login tricks).

5. This appears to take the user to, but actually goes to the site at

6. In Microsoft Internet Explorer both the text highlighted in the URL and the URL shown in the status bar indicate that the URL as on

7. Mozilla Firebird is also fooled by this trick, it terminates the URL at the SOH character.

Another variant has appeared in phishing emails. The pipe character | can be used in a URL. Under Internet Explorer the URL will not be displayed past the pipe. This can be used to make a subdomain look like a top-level domain. In the following example, borrowed from Netcraft|

the link will appear as in Internet Explorer, but in fact goes to


Control Freak

Spammers compendium entry - Control Freak

You've been framed

Spammers compendium entry - You've been framed

Don't Cramp My Style

Spammers compendium entry - Don't Cramp My Style

Another Form of Desperation

Spammers compendium entry - Another Form of Desperation

It's Mini Marquee!

Spammers compendium entry - It's Mini Marquee!

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.