Full Disclosure mailing list archives

Re: .hta virus analysys


From: madsaxon <madsaxon () direcway com>
Date: Wed, 19 Nov 2003 23:51:20 -0600


bryce <lord_ph () comcast net> wrote:

> I'm new to this list, and sorta new to security on a computer. But can
> someone tell me what program runs a .hta file??

Sigh.  Since no one else seems inclined actually to answer this
question, I'll do it.

In a (pea)nutshell, Microsoft Internet Explorer is the
application by which .hta files are designed to be
interpreted.  However, any browser that understands the
syntax (e.g., Netscape) can in theory handle them.

They provide functionality above and beyond HTML; they were
originally supposed to supply designers with a way of
prototyping Web-based applications that employ dynamic
HTML, and thus would never be present in a production system.
In reality, they get used for a lot of production purposes:
password/access control lists, triggering helper applications
such as Office components, and in fact for launching just
about any local program while providing a simple user
interface similar to the password entry box included
with most browsers. Convenient, and quite nasty if misused.

Hopefully this brief overview will make it obvious to
you what a serious security risk these files represent, and how
laughably easy it was (is) to use them as a vector for malware.

m5x

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

