Message-ID: <3FEBA3DC.23267.31668673@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Sears Scam Trojan Code
"segfault" <segfault@...ap.rr.com> wrote:
> I received an email today claiming I've won a $100 gift certificate to
> Sears and must press 'open' when prompted to enter shipping information.
> The dialog is a standard save or open dialog for the file page.hta.
> Not being a programmer, I was simply wondering what the content of
> page.hta actually does. I've attached the file as page.txt for anyone
> who wishes to find out; perhaps the results will be interesting.
It is a fairly standard "VBS embedded in HTML" dropper specifically
utilizing the "HTML Application" flavour of HTML.
This HTML form is used because the web page you noted exploits an "execute
directly from viewing the web page" vulnerability in IE that has been
extensively exploited via .HTA files. The VBS dropper is designed to
create the filepath "\System32\usb_d.exe" under the Windows
installation directory (obtained from the "SystemRoot" environment
variable) then decode a Windows executable from inside the script's
body, writing it to that file which it then executes. I have not yet
closely analysed "usb_d.exe" but from a very quick look it seems likely
to be a "downloader" -- a program designed to obtain and install one or
more other programs from some web location(s). These have been widely
used to install remote access Trojans, DDoS and spamming agents.
In short -- don't run the .HTA and, if using IE, make sure you have the
latest security patches as the auto-execute bug referred to above has
been fixed for a while now...
Regards,
Nick FitzGerald
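As an added defender-side example (not code from the post or its author), here is a small Python triage script that flags the indicators Nick describes in an .hta file: the VBScript block, a target path under %SystemRoot%\System32, the shell object used to run the dropped file, and a large encoded blob in the script body. The sample HTA it scans is constructed here and omits the decoding and file-writing steps; the indicator names and verdict thresholds are my own assumptions.

```python
import re

# Regexes for the behaviours described in the post: an HTML Application
# carrying VBScript, a target path built under %SystemRoot%\System32, the
# shell/filesystem objects needed to write and run a file, and a large
# encoded blob (the embedded executable) inside the script body.
HTA_INDICATORS = {
    "hta_application": re.compile(r"<hta:application\b", re.I),
    "vbscript_block": re.compile(r'<script[^>]*language\s*=\s*"?vbscript', re.I),
    "systemroot_env": re.compile(r"systemroot", re.I),
    "system32_exe_path": re.compile(r"\\system32\\[\w.-]+\.exe", re.I),
    "wscript_shell": re.compile(r'createobject\s*\(\s*"wscript\.shell"', re.I),
    "filesystem_object": re.compile(r'createobject\s*\(\s*"scripting\.filesystemobject"', re.I),
    "writes_file": re.compile(r"\.(createtextfile|savetofile|write)\b", re.I),
    "runs_program": re.compile(r"\.(run|exec|shellexecute)\b", re.I),
    "encoded_blob": re.compile(r"[A-Za-z0-9+/=]{200,}"),
}


def triage_hta(text: str) -> dict:
    """Return matched indicator names, any System32 .exe paths found, and a verdict."""
    hits = [name for name, rx in HTA_INDICATORS.items() if rx.search(text)]
    paths = HTA_INDICATORS["system32_exe_path"].findall(text)
    # Thresholds are assumptions for this example, not a published rule.
    if len(hits) >= 5:
        verdict = "likely dropper"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "dropped_paths": paths, "verdict": verdict}


# Constructed sample modelled on the description in the post; the decode and
# file-write steps are deliberately omitted. It is not the original page.hta.
SAMPLE_HTA = (
    '<html><head><hta:application id="app" windowstate="minimize"/>\n'
    '<script language="VBScript">\n'
    'Set sh = CreateObject("WScript.Shell")\n'
    'root = sh.ExpandEnvironmentStrings("%SystemRoot%")\n'
    'target = root & "\\System32\\usb_d.exe"\n'
    'blob = "' + "QUJD" * 60 + '"\n'
    "' decoding of blob and writing it to target omitted in this sample\n"
    "sh.Run target\n"
    "</script></head><body>Enter your shipping information</body></html>"
)

BENIGN_HTML = "<html><body><h1>Gift certificate</h1><p>Thank you!</p></body></html>"

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTA), ("benign", BENIGN_HTML)):
        print(label, triage_hta(doc))
```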