Re: Whats this "repair.hta"

[Tomo Radovanovic <tomo () SOROS ORG BA>]

VBS/GodMessage

Infects: Trojan horse
This trojan may work only if Microsoft Internet Explorer version 5 is
installed. It drops the REPAIR.HTA file into the Windows startup directory
so that it runs on the next boot. REPAIR.HTA drops ONZ.EXE which is a
backdoor program. For more information about the backdoor see Troj/TheThing-B.

First reported in December 1999.


Troj/TheThing-B

Infects: Trojan horse
Memory resident: Yes

This program is a backdoor server program. It copies itself to file
SYS32INIT.EX or FILESYS.EXE into the Windows default directory and changes
the SYSTEM.INI file so that the trojan runs on Windows startup. The trojan
opens a custom FTP port so that the computer is exposed to a security
attack from a remote network location. It also attempts to contact an
internet address to acknowledge the infection.

First reported in December 1999.


At 10:04 PM 8/17/2000 +1000, Mick Pollard wrote:
> Hiya peeps,
>         This is my first post here. Hope someone can shed some light on
> this for me. I just found this on my windblows box and is not sure what
> it is \?? Anyone help me identify it ?? It is in my startup folder. Its
> called "repair.hta"
>
> I have included the source code. See attachment.