Hi,
Using notepad I stripped all of the chars away from the hex, then pasted it
into a hex editor and saved it as an executable. There is probably some
blatant reason why this won't work, but I don't know why - so the executable
doesn't actually run, but I still extracted the following information.
When you click open, the HTA script extracts an executable to:
[SystemRoot]\System32\usb_d.exe
The script does some other things too..
usb_d.exe is a UPX packed executable of 24769 bytes (MD5:
32618578cedbfe8b73bbf975e23be1fc) - [info for my broken PE]
It appears to be a Visual C++ application.
When I try to debug the exe, ntvdm.exe is loaded instead (because the PE is
broken)...
Please post full details when you analyze this file, I will be very
interested to know how you do it properly.
Have a great Christmas all,
Richard Maudsley
[HEX DUMP ATTACHED]
At 25/12/2003, you wrote:
>I received an email today claiming I've won a $100 gift certificate to
>Sears and must press 'open' when prompted to enter shipping
>information. The dialog is a standard save or open dialog for the file
>page.hta. Not being a programmer, I was simply wondering what the content
>of page.hta actually does. I've attached the file as page.txt for anyone
>who wishes to find out; perhaps the results will be interesting. Page.hta
>can be found at http://radnorthgm.com/special/.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Thu Dec 25 08:08:19 2003
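
Added example (not part of the original post or its attachment): a sketch of the rebuild step described in the message above, decoding a text hex dump back to bytes and checking the MZ/PE headers, which shows how a single lost byte leaves a file that 32-bit Windows treats as a DOS program and hands to ntvdm.exe. The `offset: hh hh ...` dump layout, the function names and the small stand-in binary are assumptions constructed here; the real attachment is not reproduced.

```python
import struct

def hex_text_to_bytes(text):
    """Decode 'offset: hh hh ...' lines (assumed dump layout) into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        body = line.split(":", 1)[-1]                # drop the offset column if present
        out += bytes.fromhex("".join(body.split()))  # ValueError on stray characters
    return bytes(out)

def pe_status(data):
    """Walk the header chain: MZ magic, e_lfanew, PE signature, section bounds."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not an MZ executable"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        return "DOS only: e_lfanew points past end of file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "DOS only: no PE signature at e_lfanew"
    (nsect,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                 # section table follows optional header
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            return "PE: section table truncated"
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        if raw_ptr + raw_size > len(data):
            return "PE: section data truncated"
    return "PE: headers consistent"

def build_sample():
    """Constructed 0x90-byte stand-in with one section; not the real usb_d.exe."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = b"UPX0\0\0\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x10, 0x80) + b"\0" * 16
    return dos + coff + sect + b"\x90" * 0x10

def to_dump(data, width=16):
    """Render bytes in the assumed 'offset: hh hh ...' layout."""
    return "\n".join(
        f"{i:08x}: " + " ".join(f"{b:02x}" for b in data[i:i + width])
        for i in range(0, len(data), width))

if __name__ == "__main__":
    good = hex_text_to_bytes(to_dump(build_sample()))
    lost_byte = good[:0x10] + good[0x11:]            # one byte dropped while editing
    for label, blob in (("intact", good), ("byte lost", lost_byte), ("cut short", good[:-4])):
        print(f"{label:10s} {len(blob):4d} bytes  {pe_status(blob)}")
```

Comparing the rebuilt file's length and hash against the values expected for the original is the quickest way to tell whether bytes were lost in the text round trip.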