Re: Javascript exploit

"David H. Lipman" wrote:

From: "Ant" <not@xxxxxxxxxx>
| The file may end up as Uninstall.exe, Uninstall0.exe, NTDETECT.EXE or
| [6 random digits].exe, and is downloaded from here:

Yes, and it places a copy of the EXE in:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

such as...
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\uninstall.exe

It will try to create the other names elsewhere if the above fails:

Random numeric exe in c:\recycler, or user's temp directory.
Random numeric exe prefixed with "sys" in root of current drive.
ntdetect.exe in c:\ (the genuine MS ntdetect has a .com extension).

Did you use a test machine or were you able to deobfuscate the
Javascript? It's not as straightforward as some and, apart from being
multiply encoded, will come out as garbage if you're unaware of the
little trick the author used.
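
As an added example, not part of the original posts: a triage check that flags file paths matching the drop locations and names described in this thread. The `classify` helper, the sample paths, the caller-supplied temp directories and the choice to match RECYCLER subfolders as well are assumptions made for illustration.

```python
import ntpath
import re

# Locations and names as described in the thread; matching is case-insensitive.
STARTUP = r"c:\documents and settings\all users\start menu\programs\startup"
RECYCLER = r"c:\recycler"
UNINSTALL = re.compile(r"uninstall\d*\.exe")   # Uninstall.exe, Uninstall0.exe
NUMERIC = re.compile(r"\d+\.exe")              # "random numeric exe"
SYS_NUMERIC = re.compile(r"sys\d+\.exe")       # numeric exe prefixed with "sys"


def classify(path, temp_dirs=()):
    """Return a short reason if `path` fits a described drop location, else None."""
    folder, name = ntpath.split(ntpath.normpath(path).lower())
    at_root = ntpath.splitdrive(folder)[1] == "\\"
    # Temp directories vary per user, so the caller supplies them (assumption).
    temps = {ntpath.normpath(t).lower() for t in temp_dirs}

    if folder == STARTUP and UNINSTALL.fullmatch(name):
        return "startup copy"
    if NUMERIC.fullmatch(name):
        # Assumption: RECYCLER subfolders count as "in c:\recycler".
        if folder == RECYCLER or folder.startswith(RECYCLER + "\\"):
            return "numeric exe in recycler"
        if folder in temps:
            return "numeric exe in temp"
    if at_root and SYS_NUMERIC.fullmatch(name):
        return "sys-prefixed numeric exe in drive root"
    if folder == "c:\\" and name == "ntdetect.exe":
        return "ntdetect.exe (genuine file is ntdetect.com)"
    return None


# Constructed sample input: a user temp directory and a file listing.
TEMP = [r"C:\Documents and Settings\alice\Local Settings\Temp"]
SAMPLE = [
    STARTUP + r"\Uninstall.exe",
    r"C:\RECYCLER\483920.exe",
    TEMP[0] + r"\120394.exe",
    r"D:\sys58213.exe",
    r"C:\NTDETECT.EXE",
    r"C:\NTDETECT.COM",                      # genuine file, not flagged
    r"C:\Program Files\App\uninstall.exe",   # ordinary uninstaller, not flagged
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{classify(p, TEMP) or 'ok':45} {p}")
```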