[Mimedefang] base64-encoded vbscript .hta file with self-extracting embedded virus

Kris Deugau kdeugau at webhart.net
Thu Jan 22 10:22:01 EST 2004


Royce Williams wrote:
> Our customer base got hit today with a virus that slipped through
> via some wily obfuscation that I hadn't seen before.  What it does,
> in a nutshell, is a base64-encoded .hta file that has VBScript in it
> to convert a long string of hex into a binary, store it in your
> system32 directory, and run it.

What was the (possibly HTML) text of the message itself (aside from the
virus content)?

Several customers here reported seeing a message that claimed to be from
our (old) billing department, noting that if they did not open the
attachment their Internet service would be disconnected within 24 hours.

Yesterday one of these got quarantined on the filter server here because
clamav tagged the virus (Trojan.VBS.Inor.U).

Another few have been quarantined since I checked yesterday;  I wanted
to see roughly how many of these would show up.

-kgd
-- 
"Sendmail administration is not black magic.  There are legitimate
technical reasons why it requires the sacrificing of a live chicken."
   - Unknown
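
A filter-side check for the attachment shape described in the quoted report (a base64-encoded .hta carrying VBScript and a long hex string), as an added example that is not part of the original post and is not MIMEDefang or ClamAV code. The function names, the 128-byte hex threshold and the two-indicator rule are assumptions, and the sample message is constructed and inert.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed threshold: 128 or more bytes written as contiguous hex digit pairs.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){128,}")
VBS_TAG = re.compile(r"<script[^>]*language\s*=\s*[\"']?vbscript", re.I)

def scan_message(raw):
    """Return [(filename, reasons)] for parts showing two or more indicators."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        # decode=True undoes the base64 transfer encoding before inspection,
        # so the indicators are matched against the real attachment content.
        text = (part.get_payload(decode=True) or b"").decode("latin-1")
        reasons = []
        if name.lower().endswith(".hta"):
            reasons.append("hta-extension")
        if VBS_TAG.search(text):
            reasons.append("vbscript")
        if HEX_RUN.search(text):
            reasons.append("long-hex-string")
        if len(reasons) >= 2:
            findings.append((name, reasons))
    return findings

def build_sample():
    """Constructed sample; the hex string is only the byte 0x41 repeated."""
    hta = ('<html><script language="VBScript">\nd = "' + "41" * 200 +
           '"\n</script></html>')
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(hta.encode(), maintype="application",
                       subtype="hta", filename="notice.hta")
    return msg.as_string()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```
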


