What is M-soft Office .hta (WG blocked from running)

Discussion in 'WormGuard' started by worldcitizen, Jan 6, 2005.

Thread Status:
Not open for further replies.
  1. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    I just started up my PC and Wormguard gave me a warning that it had blocked a file from starting. I turned the logging on and found out that the file trying to start up is called:

    M-soft Office .hta

    It is in the start up folder in both my account and my wife's but I have no idea what it is, where it came from or if it's a file I need.

    Can anyone help - Pilli?

    Dave
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  3. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Hi Pilli,

    I just deleted it because I had no idea what it was. Nothing catastrophic seems to have happened.

    I changed my ISP so I've been offline for almost 3 weeks because they don't have the fast churning facility. Glad to be out of their prison.

    Dave
     
  4. Black Ranger

    Black Ranger Registered Member

    Joined:
    Jan 6, 2005
    Posts:
    6
    Location:
    Dallas, TX
    This file contains an embedded VBS Script Downloader. It downloads a gif file (it's an executable) and drops it as C:\ide323.exe from http://??.50.???.248/323/count1.gif

    Note: I changed the IP into ??... for security reasons.

    After executing, the executable installs spyware.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  6. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Thanks very much to you all for providing the info on this malware. I knew there was something wrong when WormGuard wouldn't let it load on start up and I knew I never had this file previously so I deleted it.

    Thanks WormGuard!

    Dave
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Dave,
    Next time I would move it rather than delete it, as this makes recovery easier if it's ever needed again, and also then you still have the sample if any analysts want it ... :). Moving it to a new folder has the effect of quarantining the sample - it won't be able to do any damage from the new location unless you manually run it, and because it's in a new location there won't be any 'autostart' entries pointing to it to make it load when Windows starts.
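    An added example, not code from this thread or from WormGuard/DiamondCS, of the move-rather-than-delete quarantine Wayne describes, applied to the Startup-folder .hta from Black Ranger's post: each .hta is moved out under its SHA-256 with a manifest so it can be put back, and its script block is checked for the COM objects a script downloader of that kind relies on. The Startup path, the sample .hta and the ProgID list are constructed assumptions.

```python
import hashlib, json, re, shutil, tempfile
from pathlib import Path

# COM ProgIDs a script dropper needs (run a command, fetch over HTTP, write a binary file).
RISKY_PROGIDS = {"wscript.shell", "msxml2.xmlhttp", "microsoft.xmlhttp", "adodb.stream"}
PROGID_RE = re.compile(r'CreateObject\(\s*"([^"]+)"\s*\)', re.IGNORECASE)

# Constructed sample, not the file from the thread: it names the objects but carries no payload.
SAMPLE_HTA = """<html><head><title>M-soft Office</title>
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
Set http = CreateObject("Microsoft.XMLHTTP")
</script></head><body></body></html>"""

def inspect_hta(path):
    """Return the risky ProgIDs an .hta instantiates (lower-cased, sorted). Heuristic only."""
    text = Path(path).read_text(encoding="utf-8", errors="ignore")
    return sorted({m.group(1).lower() for m in PROGID_RE.finditer(text)} & RISKY_PROGIDS)

def quarantine_startup(startup_dir, quarantine_dir):
    """Move every .hta out of a Startup folder under its SHA-256 and log where it came from."""
    startup_dir, quarantine_dir = Path(startup_dir), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    manifest = quarantine_dir / "manifest.json"
    records = json.loads(manifest.read_text()) if manifest.exists() else []
    for hta in sorted(startup_dir.glob("*.hta")):
        digest = hashlib.sha256(hta.read_bytes()).hexdigest()
        # Hash name + neutral extension: no autostart entry points at it, a double-click
        # will not launch it, and the bytes stay intact for analysts.
        dest = quarantine_dir / f"{digest}.quarantined"
        shutil.move(str(hta), str(dest))
        records.append({"original_path": str(hta), "sha256": digest,
                        "progids": inspect_hta(dest), "quarantined_path": str(dest)})
    manifest.write_text(json.dumps(records, indent=2))
    return records

def restore(quarantine_dir, sha256):
    """Reverse a quarantine from the manifest; returns the restored path, or None if unknown."""
    for rec in json.loads((Path(quarantine_dir) / "manifest.json").read_text()):
        if rec["sha256"] == sha256 and Path(rec["quarantined_path"]).exists():
            shutil.move(rec["quarantined_path"], rec["original_path"])
            return rec["original_path"]
    return None

def demo():
    """Round trip on a throwaway Startup folder holding the constructed sample and a bystander."""
    root = Path(tempfile.mkdtemp())
    (root / "Startup").mkdir()
    (root / "Startup" / "M-soft Office .hta").write_text(SAMPLE_HTA, encoding="utf-8")
    (root / "Startup" / "Notes.txt").write_text("not a script", encoding="utf-8")
    return quarantine_startup(root / "Startup", root / "quarantine"), root
```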
     
  8. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    OK I'll remember that next time Wayne. That was my first real nasty that WG blocked and I must say it did a very good job because it simply refused to allow it to load and all I got was a window saying that it had refused a file permission to run. Real cool stuff and it saved me just when I needed it most.

    Dave
     