
Re: [Full-Disclosure] Sears Scam Trojan Code



"segfault" <segfault@nycap.rr.com> wrote:

> I received an email today claiming I've won a $100 gift certificate to
> Sears and must press 'open' when prompted to enter shipping information.
>  The dialog is a standard save or open dialog for the file page.hta. 
> Not being a programmer, I was simply wondering what the content of
> page.hta actually does.  I've attached the file as page.txt for anyone
> who wishes to find out; perhaps the results will be interesting. 

It is a fairly standard "VBS embedded in HTML" dropper specifically 
utilizing the "HTML Application" "flavour" of HTML.

This HTML form, used as the web page you noted, exploits an "execute 
directly from viewing the web page" vulnerability in IE that has been 
extensively exploited via .HTA files.  The VBS dropper is designed to 
create the filepath "\System32\usb_d.exe" under the Windows 
installation directory (obtained from the "SystemRoot" environment 
variable) then decode a Windows executable from inside the script's 
body, writing it to that file which it then executes.  I have not yet 
closely analysed "usb_d.exe" but from a very quick look it seems likely 
to be a "downloader" -- a program designed to obtain and install one or 
more other programs from some web location(s).  These have been widely 
used to install remote access Trojans, DDoS and spamming agents.

In short -- don't run the .HTA and, if using IE, make sure you have the 
latest security patches as the auto-execute bug referred to above has 
been fixed for a while now...


Regards,

Nick FitzGerald
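The behaviours Nick lists above (expanding SystemRoot, targeting a System32\*.exe path, decoding a payload carried inside the script body, then running the written file) are easy to check for statically before anyone opens an .hta. The script below is an added example for this thread, not code from the post or from the attached page.txt; its indicator list, weights and verdict thresholds are my own heuristics (assumptions), and the two HTA snippets are constructed for illustration rather than copies of the real sample.

```python
"""Static triage of an .hta file for "VBS embedded in HTML" dropper traits.

Added example, not part of the Full-Disclosure post. The indicator patterns
and thresholds are assumptions chosen to match the behaviour described in
the thread; both sample documents below are constructed, not the real page.hta.
"""
import re
from dataclasses import dataclass, field

# Script bodies and System32 executable targets (VBScript is case-insensitive).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
EXE_TARGET_RE = re.compile(r"\\System32\\([A-Za-z0-9_\-]+\.exe)", re.I)

# (indicator name, regex, weight). Heuristic; weights are assumptions.
INDICATORS = [
    ("vbscript_block", re.compile(r"<script[^>]*language\s*=\s*[\"']?vbscript", re.I), 1),
    ("filesystemobject", re.compile(r"CreateObject\s*\(\s*\"Scripting\.FileSystemObject\"", re.I), 2),
    ("wscript_shell", re.compile(r"CreateObject\s*\(\s*\"WScript\.Shell\"", re.I), 2),
    ("adodb_stream", re.compile(r"CreateObject\s*\(\s*\"ADODB\.Stream\"", re.I), 2),
    ("systemroot_env", re.compile(r"%SystemRoot%|\(\s*\"SystemRoot\"\s*\)", re.I), 2),
    ("system32_exe_path", re.compile(r"\\System32\\[A-Za-z0-9_\-]+\.exe", re.I), 3),
    ("decode_loop", re.compile(r"\bChrB?\s*\(", re.I), 1),
    ("embedded_blob", re.compile(r"\"[A-Za-z0-9+/=]{200,}\""), 3),
    ("execute_written_file", re.compile(r"\.(Run|Exec|ShellExecute)\b", re.I), 3),
]


@dataclass
class TriageResult:
    script_blocks: int
    hits: dict = field(default_factory=dict)      # indicator name -> match count
    exe_targets: list = field(default_factory=list)
    score: int = 0
    verdict: str = "low"


def triage_hta(text: str) -> TriageResult:
    """Score an HTA's source text and name any System32 executables it references."""
    result = TriageResult(script_blocks=len(SCRIPT_RE.findall(text)))
    for name, pattern, weight in INDICATORS:
        count = len(pattern.findall(text))
        if count:
            result.hits[name] = count
            result.score += weight        # weight counted once per indicator present
    result.exe_targets = sorted({m.lower() for m in EXE_TARGET_RE.findall(text)})
    # A dropper both writes a System32 executable and launches something.
    drops_and_runs = "system32_exe_path" in result.hits and "execute_written_file" in result.hits
    if result.score >= 10 and drops_and_runs:
        result.verdict = "likely dropper"
    elif result.score >= 5:
        result.verdict = "suspicious"
    return result


# Constructed sample mimicking the dropper skeleton from the thread.
# The "payload" is filler and the decode loop is an identity copy, so
# nothing useful is produced; it exists only to exercise the indicators.
SAMPLE_HTA = (
    '<html><head><title>Shipping information</title>\n'
    '<hta:application id="oApp" showintaskbar="no" windowstate="minimize">\n'
    '<script language="VBScript">\n'
    'Set sh = CreateObject("WScript.Shell")\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'target = sh.ExpandEnvironmentStrings("%SystemRoot%") & "\\System32\\usb_d.exe"\n'
    'blob = "' + "A" * 240 + '"\n'
    'Set f = fso.CreateTextFile(target, True)\n'
    'For i = 1 To Len(blob): f.Write Chr(Asc(Mid(blob, i, 1))): Next\n'
    'f.Close\n'
    'sh.Run target, 0, False\n'
    '</script></head><body>Please wait...</body></html>'
)

# Constructed benign HTA: a script block that only shows a message box.
BENIGN_HTA = (
    '<html><head><script language="VBScript">\n'
    'Sub Window_OnLoad\n  MsgBox "Hello"\nEnd Sub\n'
    '</script></head><body></body></html>'
)


def report(label: str, text: str) -> None:
    r = triage_hta(text)
    print(f"{label}: verdict={r.verdict} score={r.score} blocks={r.script_blocks}")
    for name, count in r.hits.items():
        print(f"  {name}: {count}")
    if r.exe_targets:
        print(f"  System32 targets: {', '.join(r.exe_targets)}")


if __name__ == "__main__":
    report("sample", SAMPLE_HTA)
    report("benign", BENIGN_HTA)
```

Run it against any .hta you are asked to "open": the verdict is only a prioritisation hint, but a file that expands SystemRoot, names a System32 executable, carries a long literal blob and calls Run is worth handing to an analyst rather than double-clicking.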

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html