| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: Sears Scam Trojan Code u"segfault" <segfault@...ap.rr.com> wrote: > I received an email today claiming I've won a $100 gift certificate to > Sears and must press 'open' when prompted to enter shipping information. > The dialog is a standard save or open dialog for the file page.hta. > Not being a programmer, I was simply wondering what the content of > page.hta actually does. I've attached the file as page.txt for anyone > who wishes to find out; perhaps the results will be interesting. It is a fairly standard "VBS embedded in HTML" dropper specifically utilizing the "HTML Application" "falvour" of HTML. This HTML form is used as the web page you noted exploits an "execute directly from viewing the web page" vulnerability in IE that has been extensively exploited via .HTA files. The VBS dropper is designed to create the filepath "\System32\usb_d.exe" under the Windows installation directory (obtained from the "SystemRoot" environment variable) then decode a Windows executable from inside the script's body, writing it to that file which it then executes. I have not yet closely analysed "usb_d.exe" but from a very quick look it seems likely to be a "downloader" -- a program designed to obtain and install one or more other programs from some web location(s). These have been widely used to install remote access Trojans, DDoS and spamming agents. In short -- don't run the .HTA and, if using IE, make sure you have the latest security patches as the auto-execute bug referred to above has been fixed for a while now... Regards, Nick FitzGerald
Powered by blists - more mailing lists