[Mimedefang] base64-encoded vbscript .hta file with self-extracting embedded virus
Royce Williams
royce.williams at acsalaska.net
Thu Jan 22 18:31:55 EST 2004
Lucas Albers wrote:
>>Royce Williams wrote:
>>
>>>Our customer base got hit today with a virus that slipped through
>>>via some wily obfuscation that I hadn't seen before. What it does,
>>>in a nutshell, is a base64-encoded .hta file that has VBScript in it
>>>to convert a long string of hex into a binary, store it in your
>>>system32 directory, and run it.
>
>This is only occurring if you are NOT blocking hta extensions, correct?
>So blocking hta extensions removes this attack vector.
>You are not referring to hta files slipping by your hta filter?
We differentiate between exe|com|bat|scr and the rest of the dangerous
list, and hadn't put .hta in the "really bad" list. So blocking .hta
outright wasn't happening. We're now defanging .hta -- oversight on my part.
After unpacking and de-hexing this one, it did turn out to be
Trojan.VBS.Inor.U, just like the one that Kris was getting, with
the same "disconnect you in 24 hours" text.
I don't have any real expectation that Clam would be able to
recognize this in its JS-hta-wrapped form, now that I understand
it -- but I am interested in the idea that anyone can repackage an
existing Trojan in this way and slip by most scanners.
-royce
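An added example, not code from this thread or from MIMEDefang itself: a small Python heuristic that walks a MIME message, base64-decodes each attachment, and flags parts that are named .hta, contain an HTA/VBScript marker, or carry a long run of hex characters of the kind the thread describes. The sample message and its attachment body are constructed here and are harmless; the marker list and the 64-character hex threshold are assumptions, not published signatures.

```python
import base64
import re
from email import message_from_string

# Heuristic markers: an HTA wrapper carrying VBScript and a long hex constant
HTA_MARKERS = (b"<hta:application", b'language="vbscript"')
LONG_HEX_RUN = re.compile(rb"[0-9a-fA-F]{64,}")

# Constructed, harmless sample (not the malware from the thread): a base64
# part named .hta whose decoded body is a VBScript HTA holding a hex string.
_HTA_BODY = (b'<html><head><hta:application id="x"></head>\n'
             b'<script language="VBScript">\nDim s\ns = "' + b"41" * 40 +
             b'"\n</script></html>\n')
SAMPLE_EMAIL = (
    "From: sender@example.invalid\nSubject: test\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nhello\n"
    '--b1\nContent-Type: application/octet-stream; name="note.hta"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="note.hta"\n\n'
    + base64.encodebytes(_HTA_BODY).decode() + "--b1--\n"
)


def part_findings(part):
    """Reasons one (non-multipart) MIME part looks like an HTA/VBScript wrapper."""
    reasons = []
    if (part.get_filename() or "").lower().endswith(".hta"):
        reasons.append("hta-extension")
    payload = part.get_payload(decode=True) or b""  # undoes base64 encoding
    if any(m in payload.lower() for m in HTA_MARKERS):
        reasons.append("hta-or-vbscript-marker")
    if LONG_HEX_RUN.search(payload):
        reasons.append("long-hex-string")
    return reasons


def scan_message(raw):
    """Map each suspicious part (filename or index) to its list of findings."""
    msg = message_from_string(raw)
    hits = {}
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        reasons = part_findings(part)
        if reasons:
            hits[part.get_filename() or f"part-{i}"] = reasons
    return hits
```

Because the check runs on the decoded part rather than the wire form, it still fires when the .hta is renamed but keeps its VBScript and hex-blob content, which is the repackaging the thread is worried about.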