Vulnerability Development mailing list archives
Re: Whats this "repair.hta"
From: Tomo Radovanovic <tomo () SOROS ORG BA>
Date: Thu, 17 Aug 2000 22:55:51 +0200
VBS/GodMessage
Infects: Trojan horse

This trojan may work only if Microsoft Internet Explorer version 5 is installed. It drops the REPAIR.HTA file into the Windows startup directory so that it runs on the next boot. REPAIR.HTA drops ONZ.EXE which is a backdoor program. For more information about the backdoor see Troj/TheThing-B. First reported in December 1999.

Troj/TheThing-B
Infects: Trojan horse
Memory resident: Yes

This program is a backdoor server program. It copies itself to file SYS32INIT.EX or FILESYS.EXE into the Windows default directory and changes the SYSTEM.INI file so that the trojan runs on Windows startup. The trojan opens a custom FTP port so that the computer is exposed to a security attack from a remote network location. It also attempts to contact an internet address to acknowledge the infection. First reported in December 1999.

At 10:04 PM 8/17/2000 +1000, Mick Pollard wrote:
Hiya peeps, This is my first post here. Hope someone can shed some light on this for me. I just found this on my windblows box and am not sure what it is ?? Anyone help me identify it ?? It is in my startup folder. It's called "repair.hta". I have included the source code. See attachment.
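A triage check for the artifacts named in the two descriptions above, written as an added example that is not part of the original thread or any vendor tool. The file names come from the message; the startup folder layout, the `placeholder=` line and the directory tree built in `demo()` are constructed assumptions.

```python
import os
import tempfile

# File names taken from the two descriptions quoted in the message above.
KNOWN_NAMES = {"repair.hta", "onz.exe", "sys32init.ex", "filesys.exe"}

def _listing(path):
    """Directory entries, or an empty list if the directory is unreadable."""
    try:
        return sorted(os.listdir(path))
    except OSError:
        return []

def triage(windows_dir, startup_dir):
    """Return (check, detail) tuples for each persistence artifact found."""
    findings = []
    for name in _listing(startup_dir):
        # Any HTA in the startup folder runs at startup, whatever its name.
        if name.lower().endswith(".hta"):
            findings.append(("startup-hta", name))
        elif name.lower() in KNOWN_NAMES:
            findings.append(("startup-known-name", name))
    for name in _listing(windows_dir):
        if name.lower() in KNOWN_NAMES:
            findings.append(("windir-known-name", name))
        if name.lower() == "system.ini":
            # Line scan: SYSTEM.INI repeats keys (device=), and the page does
            # not say which entry is changed, so no key is singled out.
            with open(os.path.join(windows_dir, name), encoding="latin-1") as fh:
                for number, line in enumerate(fh, 1):
                    text = line.strip()
                    if not text.startswith(";") and any(
                            known in text.lower() for known in KNOWN_NAMES):
                        findings.append(("system.ini", f"line {number}: {text}"))
    return findings

def demo():
    """Run triage() over a constructed directory tree (not real sample data)."""
    win = tempfile.mkdtemp()
    startup = os.path.join(win, "Start Menu", "Programs", "StartUp")  # assumed layout
    os.makedirs(startup)
    open(os.path.join(startup, "REPAIR.HTA"), "w").close()
    open(os.path.join(win, "FILESYS.EXE"), "w").close()
    with open(os.path.join(win, "SYSTEM.INI"), "w") as fh:
        fh.write("[boot]\n; constructed entry\nplaceholder=FILESYS.EXE\n")
    return triage(win, startup)

if __name__ == "__main__":
    for check, detail in demo():
        print(check, detail)
```

On a real machine, pass the actual Windows directory and startup folder to `triage()`; name matches are leads to examine, not proof of infection.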
Current thread:
- Whats this "repair.hta" Mick Pollard (Aug 17)
- Re: Whats this "repair.hta" Blue Boar (Aug 17)
- Re: Whats this "repair.hta" Tomo Radovanovic (Aug 17)
- <Possible follow-ups>
- FW: Whats this "repair.hta" Nate Roberts (Aug 17)
- Re: Whats this "repair.hta" Nick FitzGerald (Aug 18)