[38639] in bugtraq
Re: New auto download / install / exploit URL?
daemon@ATHENA.MIT.EDU (Hermann Arens)
Thu Apr 28 12:34:14 2005
Message-ID: <426FE99D.30707@rz-online.de>
Date: Wed, 27 Apr 2005 21:35:57 +0200
From: Hermann Arens <hermi@rz-online.de>
MIME-Version: 1.0
To: joke0 <joke0@tiscali.fr>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20050426060131.22594.qmail@www.securityfocus.com>
Content-Type: multipart/mixed;
boundary="------------000701020803030803070201"
This is a multi-part message in MIME format.
--------------000701020803030803070201
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
joke0 wrote:
>In-Reply-To: <BE8F2DE1.1B07C%gandalf@digital.net>
>
>Hi,
>
>Gandalf The White:
>
>
>>Someone want to take the time to decode?
>>
>>
>
>Not so easy, but done.
>
>The decrypted result of this hta leads to an intermediate javascript code (not provided here). Once this one is decrypted too, we get the HTA, pasted below.
>
>Explanations on what the code does are welcome ;-)
>
>
>
Hi,
it installs a browser helper object that loads this psde.exe file from
the russian server, right?
Unfortunately, the file isnīt available yet (because the domain isnīt
connected), has anyone this file?
Is it a known trojan horse?
Hermann
--------------000701020803030803070201
Content-Type: text/x-vcard; charset=utf-8;
name="hermi.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="hermi.vcf"
begin:vcard
fn:Hermann Arens
n:Arens;Hermann
email;internet:hermi@rz-online.de
x-mozilla-html:FALSE
url:http://www.userexit.de
version:2.1
end:vcard
--------------000701020803030803070201--
