Full Disclosure mailing list archives
Re: Sears Scam Trojan Code
From: Richard Maudsley <r_i_c_h_lists () btopenworld com>
Date: Thu, 25 Dec 2003 12:53:26 +0000
Hi,

Using Notepad I stripped all of the chars away from the hex, then pasted it into a hex editor and saved it as an executable. There is probably some blatant reason why this won't work, but I don't know why - so the executable doesn't actually run, but I still extracted the following information.
When you click open, the HTA script extracts an executable to: [SystemRoot]\System32\usb_d.exe

The script does some other things too.

usb_d.exe is a UPX packed executable of 24769 bytes (MD5: 32618578cedbfe8b73bbf975e23be1fc) - [info for my broken PE]

It appears to be a Visual C++ application. When I try to debug the exe, ntvdm.exe is loaded instead (because the PE is broken)...
Please post full details when you analyze this file, I will be very interested to know how you do it properly.
Have a great Christmas all,

Richard Maudsley

[HEX DUMP ATTACHED]

At 25/12/2003, you wrote:
> I received an email today claiming I've won a $100 gift certificate to Sears and must press 'open' when prompted to enter shipping information. The dialog is a standard save or open dialog for the file page.hta. Not being a programmer, I was simply wondering what the content of page.hta actually does. I've attached the file as page.txt for anyone who wishes to find out; perhaps the results will be interesting. Page.hta can be found at http://radnorthgm.com/special/.
Attachment: usb_d_dump.txt
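One reason a rebuild like the one Richard describes can fail is that stripping "everything that isn't a hex digit" from a mailed dump keeps the offset column and any hex-looking characters in the ASCII column along with the real bytes, so the result is shifted and padded. The following Python script is an added example, not code from this thread or from the malware: it builds a constructed PE skeleton, renders it in the classic offset/hex/ASCII dump layout, contrasts the naive strip with a column-aware parser, and then walks the DOS and PE headers to check the MZ/PE signatures, list section names and flag UPX-style sections. The sample bytes, the dump layout and the section names are assumptions made for the demonstration; nothing about usb_d.exe itself is reproduced.

```python
import hashlib
import re
import struct

# --- Constructed sample (NOT usb_d.exe): a minimal PE32 skeleton with UPX-style
# --- section names, just enough header for pe_info() below to walk.
_DOS_HEADER = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)      # e_lfanew -> 0x80
_DOS_STUB = b"This program cannot be run in DOS mode.\r\n$".ljust(64, b"\0")
_COFF = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 96, 0x0102)   # i386, 3 sections, 96-byte opt hdr
_OPTIONAL = struct.pack("<H", 0x10B).ljust(96, b"\0")           # PE32 magic, rest zeroed
_SECTIONS = b"".join(n.ljust(8, b"\0").ljust(40, b"\0") for n in (b"UPX0", b"UPX1", b".rsrc"))
SAMPLE_PE = _DOS_HEADER + _DOS_STUB + b"PE\0\0" + _COFF + _OPTIONAL + _SECTIONS


def hexdump(data, width=16):
    """Render bytes in the classic 'offset  hex bytes  |ascii|' layout."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{asc}|")
    return "\n".join(lines)


# The constructed dump, i.e. what would arrive as an attachment in the mail.
SAMPLE_DUMP = hexdump(SAMPLE_PE)

# Offset column, then single-space-separated byte pairs; the star stops at the
# double space that precedes the ASCII column, so ASCII text is never consumed.
_HEX_LINE = re.compile(r"^\s*[0-9A-Fa-f]{4,8}:?\s+((?:[0-9A-Fa-f]{2} )*[0-9A-Fa-f]{2})")


def parse_hexdump(text):
    """Column-aware rebuild: only the hex-bytes column of each dump line is used.
    Lines without an offset column (headers, '*' repeat markers) are ignored."""
    out = bytearray()
    for line in text.splitlines():
        m = _HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def naive_strip(text):
    """The 'delete everything that is not a hex digit' approach: offsets and any
    a-f / 0-9 characters in the ASCII column are swallowed as data."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) % 2:
        digits = digits[:-1]            # odd digit count cannot be paired into bytes
    return bytes.fromhex(digits)


def pe_info(data):
    """Return basic facts about a PE blob, or None if the headers do not check out."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_tbl = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsections):
        off = sec_tbl + 40 * i
        if off + 40 > len(data):
            return None                 # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,             # 0x14c = i386
        "sections": names,
        # Heuristic only: stock UPX names its sections UPX0/UPX1, but it can be told not to.
        "upx_packed": any(n.startswith("UPX") for n in names),
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
    }


if __name__ == "__main__":
    recovered = parse_hexdump(SAMPLE_DUMP)
    print("column-aware parse matches original:", recovered == SAMPLE_PE)
    print("naive strip matches original:", naive_strip(SAMPLE_DUMP) == SAMPLE_PE)
    print("naive strip parses as PE:", pe_info(naive_strip(SAMPLE_DUMP)) is not None)
    print(pe_info(recovered))
```

If the rebuilt file's first two bytes are not MZ, or e_lfanew does not land on "PE\0\0", the loader will not treat it as a Win32 image, which is consistent with a 16-bit fallback such as ntvdm.exe being started instead; checking those two signatures is the first thing to do before spending time in a debugger.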