HTA Download Exploit

Discussion in 'malware problems & news' started by Pieter_Arntz, Jul 29, 2003.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    http://www.nsclean.com/psc-htas.html
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I suppose those activities will be stopped by Wormguard o_O
    Dolf
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Dollefie,

    The HTA scripts can be stopped by checking them in WormGuard or ScriptSentry or any other program that is able to intercept the call made by the .hta extension.

    Regards,

    Pieter
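
One way to see where such interception sits, as an added example that is not part of Pieter's post. It assumes the guarding tool registers itself as the handler for the extension (the thread does not say how WormGuard or ScriptSentry hook the call), and `Get-ScriptHandler` is a name made up for this example. The function reports which program Windows launches for .hta and the other script types named in the HTA's file filter on this page.

```powershell
# Added example (not from the thread). Reports the program Windows launches
# when a script-capable file type is opened. Extensions are the ones named in
# the HTA's own file filter on this page.
function Get-ScriptHandler {
    param([string[]]$Extension = @('.hta', '.vbs', '.wsf', '.js'))

    foreach ($ext in $Extension) {
        # A per-user "Open with" choice takes precedence over the class default.
        $userKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        $progId  = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).ProgId
        $source  = 'UserChoice'

        if (-not $progId) {
            # Otherwise the default value of HKCR\<ext> names the ProgID.
            $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
            $source = 'HKCR'
        }

        $command = $null
        if ($progId) {
            # Only the "open" verb is inspected; other verbs are out of scope here.
            $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }

        # Stock Windows script hosts execute the file directly.
        $verdict = if (-not $command) {
            'no open command registered'
        } elseif ($command -match '\b(mshta|wscript|cscript)\.exe') {
            'runs directly in a Windows script host'
        } else {
            'opened by another program (interceptor, editor, ...)'
        }

        [pscustomobject]@{
            Extension = $ext
            ProgId    = $progId
            Source    = $source
            Command   = $command
            Verdict   = $verdict
        }
    }
}

Get-ScriptHandler | Format-List
```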
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    If anyone has a direct link to somewhere that I can get infected with this thing, please email or PM it to me.

    I want to see an alert from WormGuard on it so I can put up a screenshot.

    Thanks. Pete
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Pete,

    Check your IM. ;)

    Regards,

    Pieter
     
  6. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Code:
    <html><head>
    
    <HTA:APPLICATION
       APPLICATIONNAME="HTANotePad" ID="oHTA" BORDER="thick"
       BORDERSTYLE="normal" CAPTION="yes" CONTEXTMENU="yes"
       INNERBORDER="no" MAXIMIZEBUTTON="yes" MINIMIZEBUTTON="yes"
       NAVIGABLE="yes"
       ICON="NOTEPAD.EXE" SCROLL="no" SCROLLFLAT="no"
       SELECTION="no" SHOWINTASKBAR="yes" SINGLEINSTANCE="no"
       SYSMENU="yes" VERSION="0.3" WINDOWSTATE="normal">
    
    <STYLE TYPE="text/css">
    <!--
    BODY   {   xfont-family: "Verdana, Arial, Helvetica, sans-serif";
          font:menu;
          background-color:Menu;
          color:MenuText;
          xfont-size: 8pt;
          cursor:default; /* auto, text, pointer */
       }
    TABLE   {   xfont-family:"Arial";
          xfont-size:8pt;
          font:menu;
          padding:0pt;
          border:0pt;
          FILTER: progid:DXImageTransform.Microsoft.Alpha(style=0,opacity=90);
       }
    IFrame   {   height:expression(document.body.clientHeight-MenuTable.clientHeight);
          width:100%;
       }
    TD   {   border:"1px solid Menu";}
    .submenu   {position:absolute;top=20;
          background-color:Menu;
          border="2px outset";}
    .MenuIn      {border:'1px inset';}
    .Menuover   {border:'1px outset';}
    .Menuout   {border:'1px solid';}
    .Submenuover   {background-color:highlight;color:highlighttext;}
    .Submenuout   {background-color:Menu;color:MenuText;}
    -->
    </STYLE>
    
    <script language=vbscript>
    option explicit
    Dim FileName,fModif,LastChildMenu,LastMenu
    fModif=False   'Not modified
    DisplayTitle
    Set LastChildMenu=Nothing
    Set LastMenu=Nothing
    Sub DisplayTitle
       If FileName="" Then
          document.Title="sans titre - " & oHTA.ApplicationName
       Else
          document.Title=FileName & " - " & oHTA.ApplicationName
       End If
    End Sub
    
    '''''''''''''''''''
    ' File management '
    '''''''''''''''''''
    Sub SaveAs
       Dim oDLG
       Set oDLG=CreateObject("MSComDlg.CommonDialog") 
       With oDLG
          .DialogTitle="SaveAs"
          .Filter="Scripts|*.vbs;*.hta;*.wsf;*.js|Text Files|*.txt|All files|*.*"
          .MaxFileSize=255
          .ShowSave
          If .FileName<>"" Then
             FileName=.FileName
             Save
          End If
       End With
       Set oDLG=Nothing
       DisplayTitle
    End Sub
    Sub Save()
       Dim fso,f
       If FileName<>"" Then
          Set fso=CreateObject("Scripting.FileSystemObject")
          Set f=fso.CreateTextFile(FileName,True)
          f.Write MyFrame.MyText.Value
          f.Close
          Set f=Nothing
          Set fso=Nothing
       Else
          SaveAs
       End If
    End Sub
    Sub OpenIt
       Dim fso,f
       Set fso=CreateObject("Scripting.FileSystemObject")
       Set f=fso.OpenTextFile(FileName,1)
       MyFrame.MyText.Value=f.ReadAll
       f.close
       Set f=Nothing
       Set fso=Nothing
       DisplayTitle
    End Sub
    Sub Open()
       If fModif Then
          Select Case Msgbox("The text in the file " & FileName & " has been changed." _
             & vbCrLf & "Do you want to save the changes ?",51,oHTA.ApplicationName)
          Case 6   'Yes
             Save
          Case 7   'No
          Case 2   'Cancel
             Exit Sub
          End Select
       End If
       Dim oDLG
       Set oDLG=CreateObject("MSComDlg.CommonDialog") 
       With oDLG
          .DialogTitle="Open"
          .Filter="Scripts|*.vbs;*.hta;*.wsf;*.js|Text Files|*.txt|All files|*.*"
          .MaxFileSize=255
          .Flags=.Flags Or &H1000   'FileMustExist (OFN_FILEMUSTEXIST)
          .ShowOpen
          If .FileName<>"" Then
             FileName=.FileName
             OpenIt
          End If
       End With
       Set oDLG=Nothing
    End Sub
    Sub NewText
       If fModif Then
          Select Case Msgbox("The text in the file " & FileName & " has been changed." _
             & vbCrLf & "Do you want to save the changes ?",51,oHTA.ApplicationName)
          Case 6   'Yes
             Save
          Case 7   'No
          Case 2   'Cancel
             Exit Sub
          End Select
       End If
       MyFrame.MyText.Value=""
       FileName=""
       DisplayTitle
    End Sub
    
    '''''''''''''''
    ' Drag & Drop '
    '''''''''''''''
    Sub ChangeIFrame
       'We use an Iframe to allow Drag&Drop
       MyFrame.Document.Body.InnerHTML="<textarea ID=MyText WRAP=OFF onChange" & _
          "='vbscript:parent.fModif=True' onclick='vbscript:parent.HideMenu' " & _
          "style='width:100%;height:100%'></textarea>"
       With MyFrame.Document.Body.Style
          .marginleft=0
          .margintop=0
          .marginright=0
          .marginbottom=0
       End With
       With MyFrame.MyText.Style
          .fontfamily="Fixedsys, Verdana, Arial, sans-serif"
          '.fontsize="7pt"
       End With
       Select Case UCase(MyFrame.location.href)
       Case "ABOUT:BLANK"
          FileName=""
       Case Else
          FileName=Replace(Mid(MyFrame.location.href,9),"/","\") 'suppress file:///
          OpenIt
       End Select
    End Sub
    
    '''''''''''''''''''
    ' Menu management '
    '''''''''''''''''''
    Sub ShowSubMenu(Parent,Child)
       If Child.style.display="block" Then
          Parent.classname="Menuover"
          Child.style.display="none"
          Set LastChildMenu=Nothing
       Else
          Parent.classname="Menuin"
          Child.style.display="block"
          Set LastChildMenu=Child
       End If
       Set LastMenu=Parent
    End Sub
    Sub MenuOver(Parent,Child)
       If LastChildMenu is Nothing Then
          Parent.className="MenuOver"
       Else
          If LastMenu is Parent Then
             Parent.className="MenuIn"
          Else
             HideMenu
             ShowSubMenu Parent,Child
          End If
       End If
    End Sub
    Sub MenuOut(Menu)
       If LastChildMenu is Nothing Then Menu.className="MenuOut"
    End Sub
    Sub HideMenu
       If Not LastChildMenu is Nothing Then
          LastChildMenu.style.display="none"
          Set LastChildMenu=Nothing
          LAstMenu.classname="Menuout"
       End If
    End Sub
    Sub SubMenuOver(Menu)
       Menu.className="SubMenuOver"
       'LastMenu.classname="Menuin"
    End Sub
    Sub SubMenuOut(Menu)
       Menu.className="SubMenuOut"
    End Sub
    
    </script>
    </head>
    
    <body leftmargin=0 topmargin=0 rightmargin=0>
    <TABLE id=MenuTable><TR>
       <TD   onclick='ShowSubMenu Me,MyFileMenu'
          onmouseover='MenuOver Me,MyFileMenu'
          onmouseout='MenuOut Me'> File </TD>
       <TD   onclick='ShowSubMenu Me,MyEditMenu'
          onmouseover='MenuOver Me,MyEditMenu'
          onmouseout='MenuOut Me'> Edit </TD>
       <TD   onclick='ShowSubMenu Me,MyFindMenu'
          onmouseover='MenuOver Me,MyFindMenu'
          onmouseout='MenuOut Me'> Find </TD>
       <TD   onclick='ShowSubMenu Me,MyHelpMenu'
          onmouseover='MenuOver Me,MyHelpMenu'
          onmouseout='MenuOut Me'> ? </TD>
       <TD onclick="HideMenu" width=100% border=2></TD>
       </TR></TABLE>
    <TABLE ID=MyFileMenu class=submenu style="left=2;display:none;"><TR>
       <TD   onclick="HideMenu:NewText"
          onmouseover='Submenuover Me'
          onmouseout='Submenuout Me'> New</TD></TR>
       <TR><TD   onclick="HideMenu:open"
          onmouseover='Submenuover Me'
          onmouseout='Submenuout Me'> Open</TD></TR>
       <TR><TD   onclick="HideMenu:save"
          onmouseover='Submenuover Me'
          onmouseout='Submenuout Me'> Save</TD></TR>
       <TR><TD   onclick="HideMenu:saveAs"
          onmouseover='Submenuover Me'
          onmouseout='Submenuout Me'> Save As</TD></TR>
       <TR><TD><HR></TD></TR>
       <TR><TD   onclick="HideMenu:window.close"
          onmouseover='Submenuover Me'
          onmouseout='Submenuout Me'> Quit</TD></TR>
       </TABLE>
    <TABLE ID=MyEditMenu class=submenu style="left=30;display:none;"><TR>
       <TD><HR width=50px></TD></TR>
       </TABLE>
    <TABLE ID=MyFindMenu class=submenu style="left=60;display:none;"><TR>
       <TD><HR width=50px></TD></TR>
       </TABLE>
    <TABLE ID=MyHelpMenu class=submenu style="left=90;display:none;"><TR>
       <TD   onclick='HideMenu:msgbox "No help available yet;under construction ;=)"'
          onmouseover='Submenuover Me'
          onmouseout='Submenuout Me'>Help</TD></TR>
       <TR><TD   onclick='HideMenu:CreateObject("MSComDlg.CommonDialog").AboutBox'
          onmouseover='Submenuover Me'
          onmouseout='Submenuout Me'>About</TD></TR>
       </TABLE>
    
    <iframe id=MyFrame application=yes scrolling=no onload="ChangeIFrame"></iframe>
    
    <script language=vbscript>
    'We can handle a file as a parameter to this HTA
    Dim x
    FileName=Trim(oHTA.CommandLine)
    x=Instr(2,FileName,"""")
    If x=Len(FileName) Then
       FileName=""   'No File Loaded
    Else
       FileName=Trim(Mid(FileName,x+1))
       OpenIt
    End If
    </script>
    </body></html>
    
    
    
    save as htanotepad.hta
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you both! Pete
     
  8. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Anyone know if Kaspersky's Script Checker would be able to alert on this HTA Exploit?
     
  9. TAG97

    TAG97 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    616
    Location:
    Connecticut USA
    Try reading the Help Files once in a while TAG97! :D

    "2. How the program works
    ========================

    The applications that use "Microsoft Windows Script Host" (Microsoft
    Explorer, Microsoft Internet Explorer, Microsoft Outlook etc.) send
    script bodies (VB script, Java script, etc.) to "Script Hosting" to
    process and execute them. Before these scripts are executed, Kaspersky Anti-Virus
    Script Checker transfers them to Kaspersky Anti-Virus Monitor to check script bodies
    for known viruses (in case Kaspersky Anti-Virus Monitor is installed and switched on) and
    also scans them with heuristic engine if no virus is monitored. In case the suspicious code
    is found in script body, a user will be informed with warning message and the script
    execution will be terminated.

    3. Virus Definitions
    ====================
    Kaspersky Anti-Virus Script Checker does not use anti-virus database. This database
    is used by Kaspersky Anti-Virus Scanner and Monitor Kaspersky Anti-Virus Monitor.
    The main advantage of the ScriptChecker in comparison with other antivirus programs is
    its ability to warn the user about possible infection with a new virus which is not
    described in databases yet."
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Not at all, I think it is a good question. While it would not be expected to detect the WinMain exe it might be the case it would detect the

    c:\winlog.html

    file that has been associated with it. You might want to see Tony Klein's remarks in this thread

    https://www.wilderssecurity.com/showthread.php?t=11878;start=15

    Regards,

    Dan
     