When a user visits a prepared webpage, an HTA
application is run on the client machine. The
Visual Basic script (TrojanDownloader.VBS.Iwill.b)
embedded in the HTA application downloads a
file named "S.EXE". S.EXE (size 1.199 bytes; not
detected by AVP on September 18, 2003) then
downloads and executes the following server:
c:\WINDOWS\TEMP\MSCONFIG.EXE (OptixLite 5.0 server,
aka Backdoor.Delf.em)