Full Disclosure mailing list archives

Re: Sears Scam Trojan Code


From: Richard Maudsley <r_i_c_h_lists () btopenworld com>
Date: Thu, 25 Dec 2003 12:53:26 +0000

Hi,

Using Notepad I stripped all of the chars away from the hex, then pasted it into a hex editor and saved it as an executable. There is probably some blatant reason why this won't work, but I don't know why - so the executable doesn't actually run, but I still extracted the following information.

When you click open, the HTA script extracts an executable to:
[SystemRoot]\System32\usb_d.exe

The script does some other things too.

usb_d.exe is a UPX packed executable of 24769 bytes (MD5: 32618578cedbfe8b73bbf975e23be1fc) - [info for my broken PE]

It appears to be a VisualC++ application.

When I try to debug the exe, ntvdm.exe is loaded instead (because the PE is broken)...

Please post full details when you analyze this file, I will be very interested to know how you do it properly.

Have a great Christmas all,
        Richard Maudsley

[HEX DUMP ATTACHED]

At 25/12/2003, you wrote:
I received an email today claiming I've won a $100 gift certificate to Sears and must press 'open' when prompted to enter shipping information. The dialog is a standard save or open dialog for the file page.hta. Not being a programmer, I was simply wondering what the content of page.hta actually does. I've attached the file as page.txt for anyone who wishes to find out; perhaps the results will be interesting. Page.hta can be found at http://radnorthgm.com/special/.

Attachment: usb_d_dump.txt

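An added example, not part of Richard's post and not the attached dump: a short Python script that rebuilds a binary from a `hexdump -C`-style listing (offset column, byte columns, ASCII gutter, and `*` rows standing for repeated lines), then walks the MZ/PE headers to tell a loadable 32-bit image from a broken one, lists the section names (UPX leaves UPX0/UPX1), flags a file whose header promises more raw data than the file holds, and computes the MD5. The SAMPLE_DUMP it works on is a constructed 432-byte header skeleton written for this example, not usb_d.exe, and it will not run as a program; the function names and the `headers_ok`/`truncated`/`entry_section` fields are this example's own. The naive_strip function shows, for comparison, what a character-level "keep only hex digits" pass over the same listing yields.

```python
import hashlib
import re
import struct

# Constructed sample in `hexdump -C` layout. A 432-byte MZ/PE header skeleton
# made for this example only; it is NOT the usb_d.exe dump from the post.
SAMPLE_DUMP = """\
00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 00  |............@...|
00000040  50 45 00 00 4c 01 03 00  00 00 00 00 00 00 00 00  |PE..L...........|
00000050  00 00 00 00 e0 00 02 01  0b 01 06 00 00 40 00 00  |.............@..|
00000060  00 10 00 00 00 00 00 00  e0 70 00 00 00 70 00 00  |.........p...p..|
00000070  00 80 00 00 00 00 40 00  00 10 00 00 00 02 00 00  |......@.........|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000130  00 00 00 00 00 00 00 00  55 50 58 30 00 00 00 00  |........UPX0....|
00000140  00 50 00 00 00 10 00 00  00 00 00 00 00 02 00 00  |.P..............|
00000150  00 00 00 00 00 00 00 00  00 00 00 00 80 00 00 e0  |................|
00000160  55 50 58 31 00 00 00 00  00 10 00 00 00 70 00 00  |UPX1.........p..|
00000170  00 10 00 00 00 02 00 00  00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 40 00 00 e0  2e 72 73 72 63 00 00 00  |....@....rsrc...|
00000190  00 10 00 00 00 80 00 00  00 10 00 00 00 12 00 00  |................|
000001a0  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 c0  |............@...|
000001b0
"""

# offset, optional hex bytes (absent on the length-only last line), optional |ascii| gutter
ROW_RE = re.compile(
    r"^([0-9a-fA-F]{7,8})(?:\s+((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2}))?\s*(?:\|.*\|)?\s*$"
)


def rebuild(dump):
    """Turn hexdump-style text back into the exact bytes it describes."""
    out, prev_row, fill = bytearray(), b"", False
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "*":            # hexdump's "previous row repeats" marker
            fill = True
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        offset = int(m.group(1), 16)
        if fill:                   # replay the collapsed rows up to the next offset
            if not prev_row:
                raise ValueError("'*' with no preceding row")
            while len(out) < offset:
                out += prev_row
            fill = False
        if len(out) != offset:
            raise ValueError("offset %#x does not follow %#x bytes" % (offset, len(out)))
        if m.group(2) is None:     # trailing line that only states the total size
            break
        prev_row = bytes.fromhex(m.group(2))
        out += prev_row
    return bytes(out)


def naive_strip(dump):
    """Character-level strip of the same listing: offsets and hex-looking gutter
    characters become bytes, and rows collapsed behind '*' are lost."""
    digits = re.sub(r"[^0-9a-fA-F]", "", dump)
    return bytes.fromhex(digits[: len(digits) & ~1])


def inspect_pe(data):
    """Minimal MZ/PE header walk, enough to separate a loadable image from a broken one."""
    info = {"headers_ok": False, "sections": [], "upx": False, "truncated": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        info["reason"] = "no MZ signature"
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        # MZ without a reachable PE signature: the 32-bit Windows loader treats the
        # file as a 16-bit DOS program and hands it to NTVDM.
        info["reason"] = "e_lfanew does not reach a PE signature"
        return info
    machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 20 or opt + opt_size > len(data):
        info["reason"] = "optional header truncated"
        return info
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            info["reason"] = "section table truncated"
            return info
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        info["sections"].append({"name": name, "vaddr": vaddr, "vsize": vsize,
                                 "rawptr": rawptr, "rawsize": rawsize})
        if rawptr + rawsize > len(data):   # header promises bytes the file lacks
            info["truncated"] = True
        if vaddr <= entry < vaddr + vsize:
            info["entry_section"] = name
    info.update(headers_ok=True, machine=machine, entry_point=entry,
                upx=any(s["name"].startswith("UPX") for s in info["sections"]))
    return info


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    image = rebuild(SAMPLE_DUMP)
    print(len(image), "bytes, MD5", md5_hex(image))
    print(inspect_pe(image))
    print("naive strip gives", len(naive_strip(SAMPLE_DUMP)), "bytes")
```

On the constructed sample, rebuild() returns all 0x1B0 bytes and inspect_pe() reports a PE32 image for machine 0x14C with sections UPX0, UPX1 and .rsrc and the entry point inside UPX1, but flags it as truncated because the section table points at raw data past the end of the file; naive_strip() on the same text yields a different byte count that does not even start with MZ.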
