jump to navigation

HTML virus January 22, 2007

Posted by endare in virus.
trackback

HTML Viruses

Introduction
============

A new class of viruses has recently appeared that utilize the VBScript
scripting language to infect web pages. While these viruses are causing a lot
of worry, they are not as dangerous, as some would have you believe, for two
reasons:

1. In order for the virus to infect other pages, it must be run from a
local copy of the infected web page. That is, instead of viewing a web
page on a web server, you must first download it to your machine and
then view the local copy. This is necessary for the virus to get a copy
of itself to attach to another web page.

2. The Scripting Run-time Library must be installed on your system. The
Scripting Run-time Library contains the File System Object which is what
VBScript uses to access the local file system. Without that object,
a VBScript script cannot access files on the local system. The Scripting
Run-time Library is currently shipped with the Internet Information
Server (IIS) module of the Windows NT 4 Server operating system and the
Windows Scripting Host.


Virus Operation
===============

The VBScript scripting language was developed by Microsoft as a competitor to
JavaScript for automating web pages. The language is a variant of the Visual
Basic for Applications computer language that is built into several Microsoft
applications. Because VBScript was designed to run on the web client, the
language was intentionally handicapped to make it impossible to damage a
person’s system using a script. Thus, VBScript has no commands for accessing
memory or the file system. JavaScript is handicapped in much the same way.

Newer uses of VBScript include Active Server Pages and the Windows Scripting
Host. Active server pages are a part of the IIS which allow web pages to be
generated on the fly on a web server. This capability is especially useful
when a web page is to include content from a database. Because this package
runs server programs on the server, it does not need the protections that
VBScript on a client’s machine does. The Scripting Run-time Library containing
the File System Object is included with Active Server Pages to give VBScript
running on the server the ability to access files on the server’s file system.

The HTML class of viruses make use of the fact that the scripting engine on a
server can access the file system and can only operate on a system that has
the File System Object installed. They need access to the file system to
replicate and to attack a computer (delete or change files).

The scripting run-time library is normally only installed on Windows NT 4
Servers running the IIS. It is not normally installed on Windows NT 4
workstations because it is not normally needed; but it can be installed as
part of the Windows Scripting Host.


How Do I Find Out If I Am Vulnerable?
=====================================

To see if you are vulnerable to the html virus, copy the following web page
into a file named fstest.htm and open it with Internet Explorer. If Internet
Explorer displays an “Internet Explorer Script Error” dialog box with the
error “Active-X component can’t create object: ‘CreateObject’”, the Scripting
Run-time Library is not installed and you are not vulnerable. If Internet
Explorer puts up a Security Alert indicating that “An Active-X control on this
page may be unsafe…”, the Scripting Run-time Library is installed and you
are vulnerable. If you click Yes, the code runs and lists all the files in
your root file system on the web page.

——–cut here——–

listing
This web page will list the files in your root directory if the
Scripting Run-time Library is installed and registered. If it is not
installed and registered, this web page generates a script error.
Files In The Root Directory ()

  

——-Cut Here——

The script operates by creating a file system object, selecting the root
directory, getting the list of files in the root directory, and then printing
them in the body of the web page.

Another way to check for the vulnerability is to see if the scripting run-time
library is on your system. On a Windows NT 4 system, look for the file:

$WINDIRsystem32scrrun.dll

where $WINDIR is typically c:winnt If this file exists on your system, your
system may be vulnerable to the html virus. Note that the library must be both
on your system and registered in the registry to be used by a script or html
virus.


Protecting Against the HTML Virus
=================================

If you are not using Active Server Pages or the Windows Scripting Host, you do
not need the Scripting Run-time Library. If you are using active server pages,
but are not accessing local files, you also do not need the Scripting Run-time
Library. You can remove the Scripting Run-time Library and protect a system by
moving the file:

$WINDIRSystem32scrrun.dll

onto a floppy disk. Save this copy in case you need to reinstall it at a
future date (see below).

If you need the Scripting Run-Time Library, you will have to be careful what
you load onto your system.

1. Have up-to-date antivirus software running.
2. Be careful running web pages that you have downloaded to your computer.
3. If you get the Security Alert about running an unsafe Active-X control
on the current page, do not click Yes to go ahead and run the control.
Open the page with a text editor first to see what is causing the alert.


Reinstalling The Scripting Run-Time Library At A Later Date
===========================================================

If after removing the scrrun.dll library file you find that you need to
restore the Scripting Run-time Library, you must:

1. Copy the file back into the $WINDIRsystem32 directory.
2. Register the library by typing the following command in a DOS window.

$WINDIRsystem32regsvr32.exe $WINDIRsystem32scrrun.dl
Advertisements

Comments»

1. rahmat - October 3, 2007

endare mantap banget yang anda muat, Saya saangat suka..! boleh minta email anda dan kalo anda izinkan bolehkah saya belajar dari anda..?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

%d bloggers like this: