Bugtraq mailing list archives

Re: New auto download / install / exploit URL?


From: Hermann Arens <hermi () rz-online de>
Date: Wed, 27 Apr 2005 21:35:57 +0200

joke0 wrote:

> In-Reply-To: <BE8F2DE1.1B07C%gandalf () digital net>
>
> Hi,
>
> Gandalf The White:
>
>> Someone want to take the time to decode?
>
> Not so easy, but done.
>
> The decrypted result of this hta leads to an intermediate javascript code (not provided here). Once this one is
> decrypted too, we get the HTA, pasted below.
>
> Explanations on what the code does are welcome ;-)

Hi,
it installs a browser helper object that loads this psde.exe file from
the Russian server, right?
Unfortunately, the file isn't available yet (because the domain isn't
connected); does anyone have this file?
Is it a known trojan horse?

Hermann
