[Mimedefang] base64-encoded vbscript .hta file with self-extracting embedded virus

Lucas Albers admin at cs.montana.edu
Thu Jan 22 14:07:05 EST 2004


> Royce Williams wrote:
>> Our customer base got hit today with a virus that slipped through
>> via some wily obfuscation that I hadn't seen before.  What it does,
>> in a nutshell, is a base64-encoded .hta file that has VBScript in it
>> to convert a long string of hex into a binary, store it in your
>> system32 directory, and run it.

This is only occurring if you are NOT blocking hta extensions, correct?
So blocking hta extensions removes this attack vector.
You are not referring to hta files slipping by your hta filter?

-- Luke Computer Science System Administrator
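
The extension check discussed in this message, as an added example that is not part of the original post and is not MIMEDefang's own filter code. It shows that the declared attachment name lives in the MIME part headers, so a base64 transfer encoding on the body does not hide it. The sample message, the `BLOCKED_EXTS` set and all function names are constructed for illustration.

```python
import base64
from email import message_from_bytes, policy
from email.utils import collapse_rfc2231_value

BLOCKED_EXTS = {"hta"}  # assumption: a real site list would be longer

# Constructed sample: the attachment name appears only in Content-Type,
# with mixed case and a trailing dot. The body is harmless placeholder text.
SAMPLE = (
    b"From: a@example.com\r\n"
    b"To: b@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="Notice.HTA."\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(b"placeholder, not a real payload") + b"\r\n"
    b"--b1--\r\n"
)

def declared_names(part):
    """Every name a mail client might use when saving this part."""
    raw = (part.get_param("filename", header="content-disposition"),
           part.get_param("name"))  # Content-Type name= is checked as well
    return [collapse_rfc2231_value(n) for n in raw if n]

def blocked_ext(name):
    """Return the blocked extension for this name, or None."""
    # Windows drops trailing dots and spaces, so "x.hta." still opens as .hta
    base = name.strip().rstrip(". ").lower()
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    return ext if ext in BLOCKED_EXTS else None

def scan(raw):
    """List (declared name, content type) for every part with a blocked name."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        for name in declared_names(part):
            if blocked_ext(name):
                hits.append((name, part.get_content_type()))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE))
```
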