From: Opus (opusIRCORE.COM)
Date: Thu Jan 18 2001 - 11:19:12 CST


    I operate a financial irc network, this morning one of my users came to me
    for help stating he had previously visited a proxy testing site, but this
    morning things did not work out as previously expected.

    I cannot include the ea.hta file, even tarred; Norton seems to find it
    and delete the attachment. If anyone is interested in seeing it, please
    email me directly and I will send it to you.

    The site that contains the attached html is named at the top of the
    script(attached) in the href tag. I am guessing that this site has been
    compromised and the site owner has not been notified as of yet. I have
    CC'd them this email.

    Attached is js.script.tar.gz - this file is the content of the website.
    After decrypting it, it turns out to be the virus itself, but it is not
    detectable because it is encrypted; most of this is Visual Basic. I may not
    have the entire sequence correctly described, but the basic concept I
    believe is there.

    If I understand how this works: A user goes to the page, it runs the
    html/vb script. It then decrypts the hex and writes it to your local
    drive. If I understand correctly, code can't be executed from the web, it
    has to be on your local drive. The code then does a refresh which then
    executes the code from your local drive.

    This code then being executed adds the ea.hta to your startup directory;
    this is the actual virus, not a shortcut. Once the ea.hta is executed it
    creates the onz.exe and an entry in your registry:

    regCmd = sysCmd & " /c del " & Chr(34) & strStartup & "\ea.hta" & Chr(34)
    WshShell.RegWrite _
        "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\clean", _
        regCmd

    I think this is to try and clean itself up at the next reboot.

    When I tried to ftp the ea.htm to my NT machine from my unix machine,
    Norton AntiVirus tagged it as the JS.TheThing.D.dr virus. I found it on the
    Symantec site, but it has no description of what it does.

    Obviously the virus itself is known; it's the deployment of the virus
    that I find unique. Sort of puts a twist on surfing!

    Opus

    --
        .~.
        /V\
       /( )\
       ^^-^^
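The post describes a dropper that writes an .hta into the Startup folder and registers a RunOnce cleanup command. As an added illustration (not code from the post or from the malware), the following Python script shows the kind of static check a defender can run over a suspicious VBScript/HTA file to flag those persistence and self-cleanup indicators. The rule names, the scoring in `verdict`, and the SAMPLE_SCRIPT text are all constructed here for illustration; the sample mimics the shape of the quoted fragment and is not the real ea.hta.

```python
import re

# Constructed sample, shaped like the RegWrite fragment quoted in the post
# (Startup-folder drop, .hta written to disk, RunOnce key holding a del
# command). Illustrative text only; this is not the actual ea.hta.
SAMPLE_SCRIPT = r'''
Set WshShell = CreateObject("WScript.Shell")
strStartup = WshShell.SpecialFolders("Startup")
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile(strStartup & "\ea.hta", True)
f.Write payload
f.Close
regCmd = sysCmd & " /c del " & Chr(34) & strStartup & "\ea.hta" & Chr(34)
WshShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\clean", regCmd
'''

# Constructed benign script used as a control case.
BENIGN_SCRIPT = r'''
Set WshShell = CreateObject("WScript.Shell")
MsgBox "Hello"
'''

# Detection rules (hypothetical names chosen for this example).
# Each regex is matched against one line of script text at a time.
RULES = [
    # RegWrite into a Run or RunOnce key under CurrentVersion
    ("run_key_write",
     re.compile(r"RegWrite\s+\"HK[A-Z_]+\\.*CurrentVersion\\Run(Once)?\\", re.I)),
    # Resolving the per-user Startup folder
    ("startup_folder_drop",
     re.compile(r"SpecialFolders\(\"Startup\"\)", re.I)),
    # Creating an .hta file on disk
    ("hta_file_written",
     re.compile(r"CreateTextFile\([^)]*\.hta", re.I)),
    # A shell "del" command embedded in a string
    ("self_delete_cmd",
     re.compile(r"/c\s+del\s", re.I)),
]


def scan_script(text):
    """Return a list of (rule_name, line_no, line_text) for every rule hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((name, line_no, line.strip()))
    return findings


def verdict(findings):
    """Hypothetical scoring: a persistence indicator combined with a file
    drop or a self-delete command is 'suspicious'; any lone hit is 'review';
    no hits is 'clean'."""
    names = {name for name, _, _ in findings}
    persistence = {"run_key_write", "startup_folder_drop"}
    if names & persistence and names & {"hta_file_written", "self_delete_cmd"}:
        return "suspicious"
    if names:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        hits = scan_script(script)
        print(f"{label}: {verdict(hits)}")
        for name, line_no, line in hits:
            print(f"  line {line_no}: {name}: {line}")
```

Because the check is line-based and purely textual, it only catches what is visible in the decrypted script; the post notes that the hex-encoded form on the web page evaded the scanner, so a check like this belongs after decoding, or on the file that actually lands in the Startup folder.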