Full Disclosure mailing list archives
Re: Sears Scam Trojan Code
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 26 Dec 2003 02:58:36 +1300
"segfault" <segfault () nycap rr com> wrote:

> I received an email today claiming I've won a $100 gift certificate to Sears and must press 'open' when prompted to enter shipping information. The dialog is a standard save or open dialog for the file page.hta. Not being a programmer, I was simply wondering what the content of page.hta actually does. I've attached the file as page.txt for anyone who wishes to find out; perhaps the results will be interesting.
It is a fairly standard "VBS embedded in HTML" dropper, specifically utilizing the "HTML Application" "flavour" of HTML. This HTML form, used as the web page you noted, exploits an "execute directly from viewing the web page" vulnerability in IE that has been extensively exploited via .HTA files.

The VBS dropper is designed to create the filepath "\System32\usb_d.exe" under the Windows installation directory (obtained from the "SystemRoot" environment variable), then decode a Windows executable from inside the script's body, writing it to that file which it then executes.

I have not yet closely analysed "usb_d.exe" but from a very quick look it seems likely to be a "downloader" -- a program designed to obtain and install one or more other programs from some web location(s). These have been widely used to install remote access Trojans, DDoS and spamming agents.

In short -- don't run the .HTA and, if using IE, make sure you have the latest security patches as the auto-execute bug referred to above has been fixed for a while now...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
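One way to find out what a file like page.hta does without opening it is to pull the traits Nick lists out of the file statically: the VBScript block, the drop path built from the SystemRoot environment variable, the executable decoded from a string inside the script, and the call that runs it. The script below is an added example written for this page, not code from the original post or from the attached page.txt. It assumes the embedded executable is base64- or hex-encoded (the post does not say which encoding the real page.hta used; a custom encoding would need its own decoder), and it runs against a constructed sample HTA whose "payload" is a 32-byte fake MZ stub rather than a real program.

```python
"""Static triage of an HTML Application (.hta) dropper without running it.

Added example (not code from the original post). It looks for the traits
described in the reply: a VBScript block inside an HTA, a drop path built
from the SystemRoot environment variable, an executable decoded from a
string inside the script, and a call that runs the written file.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample: a fake PE header ("MZ" + zero bytes) embedded the way
# a dropper would embed it.  This is NOT the file from the original post.
FAKE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 28
SAMPLE_HTA = (
    '<html><head><HTA:APPLICATION ID="app">\n'
    '<script language="VBScript">\n'
    'Dim wsh, fso, path, blob\n'
    'Set wsh = CreateObject("WScript.Shell")\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'path = wsh.ExpandEnvironmentStrings("%SystemRoot%") & "\\System32\\usb_d.exe"\n'
    'blob = "' + base64.b64encode(FAKE_PAYLOAD).decode() + '"\n'
    "' ... decode blob to bytes and write them to path ...\n"
    'wsh.Run path, 0, False\n'
    '</script></head><body></body></html>\n'
)

SCRIPT_RE = re.compile(r'<script[^>]*language\s*=\s*"?(\w+)', re.I)
ENV_RE = re.compile(r'%(\w+)%')                     # %SystemRoot% style references
PATH_RE = re.compile(r'\\[\w\\\-.]*\.(?:exe|dll|scr|com|bat|vbs)\b', re.I)
RUN_RE = re.compile(r'WScript\.Shell|\.Run\b|ShellExecute|Shell\.Application', re.I)
WRITE_RE = re.compile(r'FileSystemObject|ADODB\.Stream|CreateTextFile|SaveToFile', re.I)
BLOB_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')    # long base64/hex-looking runs


def decode_blob(blob: str) -> Optional[bytes]:
    """Try hex first, then strict base64; None if neither decodes cleanly."""
    if len(blob) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', blob):
        return bytes.fromhex(blob)
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def triage_hta(text: str) -> Dict[str, object]:
    """Extract dropper indicators from HTA source text (never executes it)."""
    blobs: List[Dict[str, object]] = []
    for m in BLOB_RE.finditer(text):
        raw = decode_blob(m.group(0))
        if raw is not None:
            blobs.append({"offset": m.start(), "length": len(raw),
                          "is_pe": raw.startswith(b"MZ")})   # DOS/PE magic
    report: Dict[str, object] = {
        "script_languages": sorted({s.lower() for s in SCRIPT_RE.findall(text)}),
        "env_vars": sorted(set(ENV_RE.findall(text))),
        "drop_paths": sorted(set(PATH_RE.findall(text))),
        "writes_files": bool(WRITE_RE.search(text)),
        "runs_process": bool(RUN_RE.search(text)),
        "embedded_blobs": blobs,
    }
    # Drop path + execution + an embedded PE image is the dropper pattern
    # described in the reply; any one of them alone is not conclusive.
    report["looks_like_dropper"] = bool(
        report["drop_paths"] and report["runs_process"]
        and any(b["is_pe"] for b in blobs)
    )
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage_hta(SAMPLE_HTA), indent=2))
```

Run it against a saved copy of the .hta (read the file as text and pass it to triage_hta) rather than double-clicking the file; a hit on "looks_like_dropper" together with the extracted path and blob size is usually enough to decide whether the decoded executable is worth carving out for further analysis.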
Current thread:
- Sears Scam Trojan Code segfault (Dec 25)
- Re: Sears Scam Trojan Code Richard Maudsley (Dec 25)
- Re: Sears Scam Trojan Code Paul Tinsley (Dec 25)
- Re: Sears Scam Trojan Code Michael Bemmerl (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 27)
- Re: Sears Scam Trojan Code Nick FitzGerald (Dec 25)
- Re: Sears Scam Trojan Code Jarkko Turkulainen (Dec 26)
- <Possible follow-ups>
- Re: Sears Scam Trojan Code Feher Tamas (Dec 26)
- Re: Sears Scam Trojan Code Richard Maudsley (Dec 25)