I got a piece of spam in my mailbox this evening. It had two attachments: a JPEG and a file called Info.hta.
Out of curiosity, I peeked inside the oh-so-obvious "Microsoft Extended" HTML file (Base64 encoded, of course). It contained a <SCRIPT LANGUAGE="VBScript"> block which created a file on the filesystem called qq.vbs. This VBScript file contains a program that includes an array of byte values, and code to write those 38206 byte values into a file called bbbs.exe.
So the HTML page writes out a VBScript program, and executes that program. The VBScript program drops a binary on the filesystem and executes that. There must be some "security setting" in the VBScript engine to not directly execute a .exe file. And of course, no one would abuse the one ability of VBScript programs to write files to the file system, and the other ability of a VBScript program to load a VBScript program on the filesystem...
I don't usually inspect the virus spam I get. But now, I can't help but wonder, is this the Windows script kiddie equivalent of perl golf and printing Just Another Perl Hacker?
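A static triage check for the chain described above (HTA, then VBScript block, then byte array written out as an executable), as an added example that is not part of the original post. The function name `triage_hta`, the constructed sample, and the check for a leading 77, 90 ("MZ", the PE file magic) are assumptions of this sketch; nothing is executed, the text is only pattern-matched.

```python
import base64
import re

# <SCRIPT LANGUAGE="VBScript"> ... </SCRIPT>, case-insensitive, body captured
SCRIPT_RE = re.compile(
    r"<script[^>]*language\s*=\s*[\"']?vbscript[\"']?[^>]*>(.*?)</script>",
    re.IGNORECASE | re.DOTALL)
# Quoted bare file names with script or executable extensions
NAME_RE = re.compile(r'"([^"\\/:]+\.(?:vbs|vbe|js|exe|scr|com))"', re.IGNORECASE)
# Four or more comma-separated small integers; "_" is VBScript line continuation
BYTES_RE = re.compile(r"(?:\b\d{1,3}\b\s*,[\s_]*){3,}\d{1,3}\b")
EXE_EXTS = (".exe", ".scr", ".com")


def triage_hta(b64_attachment: str) -> dict:
    """Decode a Base64 mail attachment and report dropper-like traits."""
    html = base64.b64decode(b64_attachment).decode("latin-1")
    report = {"vbscript_blocks": 0, "dropped_names": [], "byte_arrays": []}
    for body in SCRIPT_RE.findall(html):
        report["vbscript_blocks"] += 1
        report["dropped_names"] += NAME_RE.findall(body)
        for match in BYTES_RE.finditer(body):
            values = [int(v) for v in re.findall(r"\d+", match.group())]
            if all(v <= 255 for v in values):  # plausible byte values only
                report["byte_arrays"].append(
                    {"length": len(values), "mz_header": values[:2] == [77, 90]})
    # Flag when an embedded byte array sits next to an executable file name
    report["suspicious"] = bool(report["byte_arrays"]) and any(
        name.lower().endswith(EXE_EXTS) for name in report["dropped_names"])
    return report


# Constructed, inert sample: assignments only, no file or process activity
SAMPLE_HTA = '''<html><head><SCRIPT LANGUAGE="VBScript">
' constructed fragment for the scanner
script_name = "qq.vbs"
payload = Array(77, 90, 144, 0, 3, 0, 0, 0)
exe_name = "bbbs.exe"
</SCRIPT></head></html>'''
SAMPLE_B64 = base64.b64encode(SAMPLE_HTA.encode()).decode()

if __name__ == "__main__":
    print(triage_hta(SAMPLE_B64))
```

On a real sample the reported array length would be compared against the size of the dropped file, 38206 bytes in the case above.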