Security Incidents mailing list archives

[no subject]


From: Opus <opus () IRCORE COM>
Date: Thu, 18 Jan 2001 11:19:12 -0600

I operate a financial IRC network; this morning one of my users came to me
for help, stating he had previously visited a proxy testing site, but this
morning things did not work out as previously expected.

I cannot include the ea.hta file; even tarred, Norton seems to find it
and delete the attachment. If anyone is interested in seeing it, please
email me directly and I will send it to you.

The site that contains the attached HTML is named at the top of the
script (attached) in the href tag.  I am guessing that this site has been
compromised and the site owner has not been notified as of yet.  I have
CC'd them this email.

Attached is js.script.tar.gz - this file is the content of the website.
After decrypting it, it turns out to be the virus itself, but it is not
detectable because it is encrypted; most of this is Visual Basic.  I may not
have the entire sequence correctly described, but the basic concept, I
believe, is there.

If I understand how this works: A user goes to the page, and it runs the
HTML/VB script.  It then decrypts the hex and writes it to your local
drive. If I understand correctly, code can't be executed from the web; it
has to be on your local drive.  The code then does a refresh, which then
executes the code from your local drive.

This code, once executed, adds the ea.hta to your startup directory;
this is the actual virus, not a shortcut.  Once the ea.hta is executed it
creates the onz.exe and an entry in your registry:

' Build a shell command that deletes the dropped ea.hta from the Startup folder
regCmd = sysCmd & " /c del " & Chr(34) & strStartup & "\ea.hta" & Chr(34)
' Register it under RunOnce so it is executed a single time at the next boot
WshShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\clean", regCmd

I think this is to try and clean itself up at the next reboot.

When I tried to ftp the ea.htm to my NT machine from my Unix machine,
Norton AntiVirus tagged it as the JS.TheThing.D.dr virus.  I found it on
Symantec's site, but it has no description of what it does.

Obviously the virus itself is known; it's the deployment of the virus
that I find unique.  Sort of puts a twist on surfing!


Opus
--
    .~.
    /V\
   /( )\
   ^^-^^

Attachment: js.script.tar.gz
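A detection-side companion to the dropper behaviour described in the post, added here as an example and not code from the post or its attachment: a small Python scanner that flags script bodies showing the cluster of traits Opus describes (WScript.Shell, a Startup-folder lookup, hex decoding via Chr("&H" ...), an .hta drop, a RunOnce write and a self-delete command). The regexes, the threshold and the two constructed excerpts are this example's own assumptions, not vendor signatures.

```python
import re

# Heuristic indicators for the behaviour the post describes: a page script
# that instantiates WScript.Shell, hex-decodes an embedded payload, drops an
# .hta into the Startup folder and registers a RunOnce self-delete command.
# These patterns are this example's own assumptions, not vendor signatures.
INDICATORS = {
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I),
    "startup_folder": re.compile(r'SpecialFolders\s*\(\s*"Startup"\s*\)', re.I),
    "hta_drop": re.compile(r'\\[\w-]+\.hta\b', re.I),
    "hex_decode": re.compile(r'Chr\s*\(\s*"&H"\s*&', re.I),
    "runonce_write": re.compile(r'\bRegWrite\b.*\\CurrentVersion\\RunOnce\\', re.I),
    "self_delete": re.compile(r'/c\s+del\b', re.I),
}

def scan_script(text):
    """Return the sorted names of indicators present in a script body."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def classify(text, threshold=3):
    """Label a script 'suspicious' only when a cluster of traits co-occurs;
    a single hit (e.g. WScript.Shell alone) is normal in admin scripts."""
    hits = scan_script(text)
    return ("suspicious" if len(hits) >= threshold else "benign"), hits

# Constructed excerpt in the style of what the post describes; the regCmd and
# RegWrite lines are the ones quoted in the post, the rest is made up here.
DROPPER_EXCERPT = "\n".join([
    'Set WshShell = CreateObject("WScript.Shell")',
    'strStartup = WshShell.SpecialFolders("Startup")',
    'buf = buf & Chr("&H" & Mid(blob, i, 2))',
    'regCmd = sysCmd & " /c del " & Chr(34) & strStartup & "\\ea.hta" & Chr(34)',
    'WshShell.RegWrite "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows'
    '\\CurrentVersion\\RunOnce\\clean", regCmd',
])

# Constructed benign admin script: uses WScript.Shell but none of the dropper traits.
ADMIN_EXCERPT = "\n".join([
    'Set WshShell = CreateObject("WScript.Shell")',
    'WshShell.Popup "Backup finished", 5, "Nightly job"',
])

if __name__ == "__main__":
    for label, body in (("dropper", DROPPER_EXCERPT), ("admin", ADMIN_EXCERPT)):
        verdict, hits = classify(body)
        print(f"{label}: {verdict} {hits}")
```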