Subject: Re: Whats this "repair.hta"
From: Nick FitzGerald (nick VIRUS-L.DEMON.CO.UK)
Date: Thu Aug 17 2000 - 22:32:47 CDT

Mick Pollard once said:

> This is my first post here. Hope someone can shed some light on
> this for me. I just found this on my windblows box and am not sure
> what it is?? Anyone help me identify it?? It is in my startup
> folder. It's called "repair.hta"

Unfortunately, the file itself does not necessarily help us know what
is (or maybe "was") wrong with your setup. That it is an HTA and
maybe was in your Startup directory is a good hint. Many HTAs are
delivered there via the Scriptlet.TypeLib bug -- an ActiveX control
that installs itself "safe for scripting" but which happily makes
files with names and locations as specified by a script. Microsoft
only patched this a year ago, and judging from the number of people
still getting infected with JS/Kak, I'd say not having the patch
applied is about par for the course...

The MS Security Bulletin on this is at:
http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

> I have included the source code. See attachment.

Well, that allowed people to tell you what compromise you had been
hit with due to receiving an Email or browsing a web page that
exploits that hole, but it does not necessarily help in determining
the actual security flaw in your machine... We have seen several
other droppers and drive-trashers delivered in what I suspect is
the same way.

[BTW, I'm not on this list, so if you want to respond *to me*, Email
or CC me.]

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
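
Added example, not part of the original message: a small audit that lists script-host files (such as a dropped .hta) sitting in Startup folders, with a hash for lookup or sample submission. The default folder layout is an assumption about current Windows versions; the function names are illustrative.

```python
"""Audit Startup folders for script-host files such as a dropped .hta."""
import hashlib
import os
from pathlib import Path

# Extensions handled by mshta.exe or Windows Script Host when opened at logon.
SCRIPT_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def default_startup_dirs():
    """Per-user and all-users Startup folders (assumed current Windows layout)."""
    tail = Path("Microsoft/Windows/Start Menu/Programs/Startup")
    roots = [os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA")]
    return [Path(r) / tail for r in roots if r]


def audit_startup(dirs):
    """Return one record per script-host file found directly in the given folders."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue  # folder absent on this host; nothing to report
        for entry in sorted(d.iterdir()):
            if not entry.is_file() or entry.suffix.lower() not in SCRIPT_EXTS:
                continue
            try:
                data = entry.read_bytes()
            except OSError:
                data = None  # unreadable file is still worth reporting
            findings.append({
                "path": str(entry),
                "size": len(data) if data is not None else None,
                "mtime": entry.stat().st_mtime,  # when it was dropped or last changed
                "sha256": hashlib.sha256(data).hexdigest() if data is not None else None,
            })
    return findings


if __name__ == "__main__":
    for f in audit_startup(default_startup_dirs()):
        print(f"{f['sha256']}  {f['size']}  {f['path']}")
```

A hit only shows what was dropped; as the message says, it does not by itself identify the hole that let the file be written there.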