Subject: Re: Bubble Boy Virus Spreading Mechanism
From: Masial (masial SECURED.ORG)
Date: Tue May 16 2000 - 23:20:46 CDT
- Next message: . Hecix: "Re: Bubble Boy Virus Spreading Mechanism"
- Previous message: Miller Scott Contr 30CS/FTI: "IIS Request.QueryString function improperly parses URL escape sequences, revealing server variables"
- In reply to: Andrew Leong: "Re: Bubble Boy Virus Spreading Mechanism"
- Next in thread: . Hecix: "Re: Bubble Boy Virus Spreading Mechanism"
- Reply: Masial: "Re: Bubble Boy Virus Spreading Mechanism"
Hi all,
> -----Original Message-----
> From: Andrew Leong
> Subject: Re: Bubble Boy Virus Spreading Mechanism
>
I second Andrew in thanking Hecix for this. I have yet to test it but I'm
going to assume it works :)
> Next question, does the Vandelay.Doc = " **INSERT CODE HERE**"
> mean that the binary code is attached (like in buffer overflows?). How do we
> put the code in? And what happens when Vandelay.Write is executed? Does it create a
> temporary file with the code written into it? Then when Windoz
> reboots, does it auto-run it due to the Update.HTA file? Or is the code written into
> Update.HTA?
The Vandelay.Doc is the string that is going to be written as the body of
UPDATE.HTA. It actually gets written when the script calls the method
Vandelay.Write. The UPDATE.HTA file might be temp or not, depending on the
behaviour of the worm you play with... it might download a .exe or move
somewhere less obvious or whatever. The HTA file is an "HTML Application";
this means you insert code as you would write an HTML document. The only
exception is that the HTA is 'special' as it escapes the normal IE security
model. The OS will treat it as an application, thus the convenience of using
this instead of a .html document. As for what you could do within that
HTA... well, endless possibilities here. Just use your imagination!
"Where do you want to go today?"
Have fun :)
M.
Secured Industries
Why fear the unknown?