Vulnerability Development mailing list archives
Re: Whats this "repair.hta"
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 18 Aug 2000 15:32:47 +1200
Mick Pollard once said:
> This is my first post here. Hope someone can shed some light on this for me. I just found this on my windblows box and am not sure what it is ?? Anyone help me identify it ?? It is in my startup folder. It's called "repair.hta"
Unfortunately, the file itself does not necessarily help us know what is (or maybe "was") wrong with your setup. That it is an HTA and maybe was in your Startup directory is a good hint. Many HTAs are delivered there via the Scriptlet.TypeLib bug -- an ActiveX control that installs itself "safe for scripting" but which happily makes files with names and locations as specified by a script. Microsoft only patched this a year ago, and judging from the number of people still getting infected with JS/Kak, I'd say not having the patch applied is about par for the course... The MS Security Bulletin on this is at: http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
> I have included the source code. See attachment.
Well, that allowed people to tell you what compromise you had been hit with due to receiving an Email or browsing a web page that exploits that hole, but it does not necessarily help in determining the actual security flaw in your machine... We have seen several other droppers and drive-trashers delivered in what I suspect is the same way.

[BTW, I'm not on this list, so if you want to respond *to me*, Email or CC me.]

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
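A triage check for the situation described in this message, as an added example that is not part of the original post: it lists script-type files (HTA, VBS, JS and similar) sitting directly in Startup folders and notes which scripting objects each one mentions. The extension list, the marker strings and the Startup paths for current Windows versions are this example's assumptions.

```python
import os
import tempfile
from pathlib import Path

# File types that run in a script host or mshta.exe when opened from Startup.
SCRIPT_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Objects that give script file and registry access; a triage hint, not a verdict.
MARKERS = ("wscript.shell", "scripting.filesystemobject")

def default_startup_dirs():
    """Startup folders on current Windows versions (assumed layout)."""
    tail = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    roots = (os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA"))
    return [Path(r) / tail for r in roots if r]

def scan_startup(dirs):
    """Return one dict per script-type file found directly in the given folders."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for f in sorted(d.iterdir()):
            # Only the final suffix picks the handler, so "notes.txt.hta" counts.
            if not f.is_file() or f.suffix.lower() not in SCRIPT_EXTS:
                continue
            try:
                # Dropping NUL bytes lets UTF-16 encoded scripts match as well.
                raw = f.read_bytes()[:65536].replace(b"\x00", b"")
                text = raw.decode("latin-1").lower()
                mtime = f.stat().st_mtime
            except OSError:
                text, mtime = "", None
            findings.append({"path": str(f), "mtime": mtime,
                             "markers": [m for m in MARKERS if m in text]})
    return findings

def demo():
    """Run the scan over a constructed folder holding harmless sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "REPAIR.HTA").write_text(
            "<html><!-- constructed sample mentioning WScript.Shell --></html>")
        Path(tmp, "notes.txt.hta").write_text("<html>constructed</html>")
        Path(tmp, "Office.lnk").write_bytes(b"constructed shortcut stub")
        return [(Path(x["path"]).name, x["markers"]) for x in scan_startup([tmp])]

if __name__ == "__main__":
    for hit in scan_startup(default_startup_dirs()):
        print(hit)
```

A hit only says a script-type file is set to run at logon; as the message notes, it does not identify the flaw that put it there, so the modification time is reported to help correlate with mail and browsing history.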