Anatomy of autoit wrapper for a virus - W32.Imaut.S worm (vnn.exe)
01/15/07
I was looking through some suspicious files last night. I am way behind on this, so this information, while interesting, may be a little dated.
Through my travels I had discovered a web site that was using the RDS DataSpace object to download and execute virus code on unsuspecting visitors. I was curious about the downloaded executable so I grabbed it and the web page for further review. The downloaded file was named vnn.exe on the server, which was identified as W32.Imaut.S worm by Symantec.
I looked at the strings contained in the executable and I noticed this:

What I found the most interesting was the description field: AutoIt 3. It turns out that vnn.exe is an executable AutoIt script. I went to their site, downloaded the newest version of AutoIt and installed it to see if I could get the script out of vnn.exe. Using the included script decompiler, I was able to decompile the script.
[Note: I removed web addresses]
The first thing the script does is check whether a copy of itself exists in the Windows directory. If the file is not there, it downloads itself to that directory.

Next it updates a bunch of registry keys to turn off Task Manager, disable regedit, set IE's homepage, start page and window title, change some Yahoo Pager settings and set itself to autostart with every reboot.

Now the script creates a string array that it will use to get people to click the link to the website hosting the executable. Some social engineering is happening here; just look at the title used by the link.

Now the script looks for Yahoo Messenger so it can propagate by sending the faked links to the victim's contacts.

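As an added defender-side example (not code from this post or from the AutoIt project), here is a Python check over `reg export` text for the changes described above: the Task Manager/regedit policy lockout, the IE start page and window title override, and a Run entry launching an executable dropped directly into the Windows directory. The sample export is constructed, and the key paths are the standard HKCU locations for those settings, assumed here because the post omits the decompiled script.

```python
import re

# Constructed sample of a `reg export` of HKCU (not from the post); the values
# imitate the tampering the decompiled script performs.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"Window Title"="Constructed lure title"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"vnn"="C:\\WINDOWS\\vnn.exe"
'''
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft"
POLICY_KEY = HKCU + r"\Windows\CurrentVersion\Policies\System"  # assumed standard path
IE_KEY = HKCU + r"\Internet Explorer\Main"
RUN_KEY = HKCU + r"\Windows\CurrentVersion\Run"
# An autostart image sitting directly in the Windows directory, as vnn.exe does
WINDIR_EXE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe"?\s*$', re.I)

def parse_reg(text):
    """Parse .reg export text into {key: {name: value}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"') and len(raw) > 1:
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")  # export doubles backslashes
            else:
                keys[current][name] = raw
    return keys

def audit(keys):
    """Report the lockout, IE hijack and autostart indicators described in the post."""
    findings = []
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if keys.get(POLICY_KEY, {}).get(name) == 1:
            findings.append(f"{name}=1: Task Manager/regedit locked out")
    for name in ("Start Page", "Window Title"):
        if name in keys.get(IE_KEY, {}):
            findings.append(f"IE {name} set to {keys[IE_KEY][name]!r}: review")
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if isinstance(cmd, str) and WINDIR_EXE.match(cmd):
            findings.append(f"Run entry {name!r} launches {cmd} from the Windows root")
    return findings
```

Real `reg export` output is UTF-16 with a BOM, so decode it before passing the text to `parse_reg`.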
I tested the web page with a patched Win 2000 and a patched Win XP machine (IE 6.0 / IE 7) and no AV running. The file was not downloaded to either machine. Then I restarted my AV and tried accessing the page again, and my AV detected the page as Psyme and removed it.
So, always keep your machines patched and virus protection up to date.