Hello and welcome to the Monday, May 22nd, 2003 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

We got a couple interesting diaries from this weekend to talk about.

First, a third part to DDA's analysis of an HTA file.

Last episode, DDA ended up with a bad file that now is being analyzed further.

This bad file turned out to be heavily base 64 encoded.

So DTDA had to work past that and shows a couple tricks how to improve the decoding here

until, well, he finally ends up with a PowerShell script and from there with some dotnet code as well.

So as usual with Didier's Diaries, great material for any reverse analysis person here to

walk through it and hopefully learn from it. So with it hackers using all these different encodings,

the question of course is how do attackers get it right? After all, as you can see in DDA's diary,

it's not always easy to decode all of these different encoding types.

Well, the answer comes from Xavier in an earlier diary.

Xavier has an example where the attacker actually didn't get the encoding right.

It looks sort of like a UTF8 versus UTF16 confusion here. When you look at the email, you're seeing what

appears to be sort of Chinese characters, but while it's just badly encoded, which is why

Outlook doesn't properly display the email.

So luckily nothing to worry about.

Of course, attackers will eventually fix the encoding issue,

and the email may give you a little heads up as to what email to expect next.

And more problems for Pi Pi, the Python module registry.

Apparently, they are now getting so many malicious registrations for new accounts and new projects

...