> Royce Williams wrote:
>> Our customer base got hit today with a virus that slipped through
>> via some wily obfuscation that I hadn't seen before. What it does,
>> in a nutshell, is a base64-encoded .hta file that has VBScript in it
>> to convert a long string of hex into a binary, store it in your
>> system32 directory, and run it.
>
> This is only occurring if you are NOT blocking hta extensions, correct?
> So blocking hta extensions removes this attack vector.
> You are not referring to hta files slipping by your hta filter?

We differentiate between exe|com|bat|scr and the rest of the dangerous
list, and hadn't put .hta in the "really bad" list. So blocking .hta outright
wasn't happening. We're now defanging .hta -- oversight on my part.
After unpacking and de-hexing this one, it did turn out to be Trojan.VBS.Inor.U, just like the one that Kris was getting, with the same "disconnect you in 24 hours" text.
I don't have any real expectation that Clam would be able to recognize this in its JS-hta-wrapped form, now that I understand it -- but I am interested in the idea that anyone can repackage an existing Trojan in this way and slip by most scanners.
-royce

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
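The checks this thread ends up wanting, as an added worked example (not code from MIMEDefang, from Royce, or from anyone else on the list): is the attachment's extension on the block list, including a double extension like invoice.pdf.hta; after the MIME base64 decoding, does the part look like an HTA with VBScript; and does it carry a long hex string that de-hexes to something with a PE "MZ" header, i.e. a repackaged binary that a signature scan of the base64 body alone would not see. The message, the HTA body, the hex blob and the block list below are all constructed for the example; the blob is a fake PE header plus padding, not an executable, and the VBScript is never run.

```python
"""Constructed example: spot a base64-attached .hta that carries a hex-encoded binary."""
import email
import re
from email import policy
from email.message import EmailMessage

# Illustrative block list: the exe|com|bat|scr group named in the thread plus the
# .hta that was missing from it. This is an assumption, not the MIMEDefang default.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "scr", "hta"}

# A run of at least 64 hex digits: long enough to skip colours, GUIDs and hashes.
HEX_BLOB_RE = re.compile(r"[0-9A-Fa-f]{64,}")

# Constructed stand-in for the hex blob: a PE/MZ header followed by zero padding.
FAKE_PE_HEX = "4D5A90000300000004000000FFFF0000B8000000" + "00" * 40

# Constructed HTA body: VBScript that de-hexes the blob the way the thread
# describes. The write-to-system32-and-run step is left as a comment on purpose.
SAMPLE_HTA = f"""<html><head><title>notice</title>
<HTA:APPLICATION ID="n" WINDOWSTATE="minimize" SHOWINTASKBAR="no" />
<script language="VBScript">
Dim h, i, s
h = "{FAKE_PE_HEX}"
For i = 1 To Len(h) Step 2
  s = s & Chr(CLng("&H" & Mid(h, i, 2)))
Next
' (constructed sample: dropping s into %SystemRoot%\\system32 and running it is omitted)
</script></head></html>
"""


def build_sample_message() -> bytes:
    """Constructed message: text body plus the HTA as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your connection will be disconnected in 24 hours"
    msg.set_content("Please open the attached notice.")
    # add_attachment base64-encodes bytes for application/* by default,
    # which is how the .hta in the thread arrived.
    msg.add_attachment(SAMPLE_HTA.encode("utf-8"), maintype="application",
                       subtype="hta", filename="notice.hta")
    return msg.as_bytes()


def extension_tokens(filename: str) -> list[str]:
    """All dotted suffixes, lower-cased, with trailing dots/spaces stripped:
    'Invoice.pdf.hta' -> ['pdf', 'hta'], 'setup.EXE ' -> ['exe']."""
    name = filename.strip().rstrip(". ").lower()
    return [tok.strip() for tok in name.split(".")[1:]]


def is_blocked_name(filename: str) -> bool:
    """True if any suffix is on the block list, so double extensions are caught too."""
    return any(tok in BLOCKED_EXTENSIONS for tok in extension_tokens(filename))


def dehex_blobs(text: str) -> bytes:
    """Concatenate every long hex run, truncating odd-length runs to whole bytes."""
    out = bytearray()
    for blob in HEX_BLOB_RE.findall(text):
        out += bytes.fromhex(blob[: len(blob) // 2 * 2])
    return bytes(out)


def inspect_message(raw: bytes) -> list[dict]:
    """One finding per attachment, evaluated after MIME (base64) decoding."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        content = part.get_content()
        if isinstance(content, str):
            content = content.encode("utf-8", "replace")
        text = content.decode("latin-1")  # lossless byte-to-str view for the regex
        lowered = text.lower()
        payload = dehex_blobs(text)
        findings.append({
            "filename": filename,
            "blocked_extension": is_blocked_name(filename),
            "hta_tag": "<hta:application" in lowered,
            "vbscript": "vbscript" in lowered,
            "hex_bytes": len(payload),
            "embedded_pe": payload[:2] == b"MZ",
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_message(build_sample_message()):
        print(finding)
```

The extension check is the cheap, reliable part and is what closed the hole here; in MIMEDefang itself it belongs in the Perl filter's filename checks (the stock filter's filter_bad_filename), not in a Python script like this. The de-hex step is what would let a scanner see the original trojan inside the wrapper: the regex pulls the long hex run out of the decoded part and bytes.fromhex turns it back into the binary, which is the form Clam would need to be handed.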

