
Gedza - Incomplete VB Worm

I ran into an older piece of malware today, but something didn't make sense, so I'm searching for a few theories. It was detected by CA's Inoculate as VBS/Gedza.A!Worm, contained within a file named adjust.html off the root of psychologynet.org (it's still there if you want a copy).

Since the VBScript is in the clear, its intentions are pretty obvious, not to mention the existing documentation by Trend Micro (VBS_GEDZA.A) and Symantec (VBS.Gaggle.D). What I found interesting was that the specimen found today was largely incomplete: about a quarter of the code is truncated. The closing tag is missing and the page ends in the middle of initializing a variable named src, without the closing quotation.

So, nothing inherently dangerous, but very odd. Here are a few theories; I was wondering if anyone had any others which might explain things:

  • the server was infected by Gedza, it started to execute but was terminated prematurely by a (poor) real-time anti-virus or user
  • the file was "cleaned" by an anti-virus, but it only removed the section which contained its signature (yet left enough that CA's product could still detect it)
  • the file was "cleaned" manually by an administrator, but they forgot to finish
  • Gedza's file infection routine has a bug and only appends part of itself to its targets

It's interesting that none of the other html files on psychologynet.org that I sampled had this code appended, yet according to the code it infects all *.html on the drive. Maybe this particular file was restored from another server that had been infected with Gedza. I guess it's impossible to know the truth, but entertaining to theorize about nonetheless.
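A quick way to check the "infects all *.html on the drive" claim against a site is to sweep the document root for pages with an appended VBScript block and flag the ones where that block is cut off, which is the state adjust.html was found in. The script below is an added example, not code from this post or from the worm itself. The sample pages it writes are constructed placeholders (the file name adjust.html is reused only as a label, and the "src" assignment is a stand-in, not Gedza's code); the only things it assumes about the specimen are what the post states, namely a trailing VBScript block with no closing tag that ends inside a string literal.

```python
"""Sweep a web root for HTML files with an appended VBScript block and flag the
ones where the block is cut off, as in the adjust.html specimen."""
import os
import re
import tempfile

# Constructed sample pages (not the worm's code): a clean page, a page with a
# complete appended <script> block, and a page whose block stops mid-assignment
# without the closing quotation or </script>.
SAMPLES = {
    "index.html": "<html><body><p>welcome</p></body></html>\n",
    "complete.html": (
        "<html><body><p>welcome</p></body></html>\n"
        '<script language="VBScript">\n'
        "Dim src\n"
        'src = "constructed placeholder"\n'
        "</script>\n"
    ),
    "adjust.html": (
        "<html><body><p>welcome</p></body></html>\n"
        '<script language="VBScript">\n'
        "Dim src\n"
        'src = "'
    ),
    "notes.txt": "not html, ignored by the sweep\n",
}

SCRIPT_OPEN = re.compile(r"<script[^>]*vbscript[^>]*>", re.IGNORECASE)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)


def unterminated_string(line):
    """True if a VBScript line ends inside a double-quoted string literal.

    A doubled quote ("") is VBScript's escape for a literal quote, so plain
    toggling keeps the state right; an apostrophe outside a string starts a
    comment, so scanning stops there."""
    in_string = False
    for ch in line:
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            break
    return in_string


def classify(html):
    """Classify a page by its last VBScript <script> block.

    Returns (status, detail): status is 'clean', 'complete' or 'truncated';
    detail is the final non-empty script line when the block is truncated."""
    last_open = None
    for last_open in SCRIPT_OPEN.finditer(html):
        pass
    if last_open is None:
        return ("clean", None)
    body = html[last_open.end():]
    if SCRIPT_CLOSE.search(body):
        return ("complete", None)
    lines = [ln for ln in body.splitlines() if ln.strip()]
    last = lines[-1] if lines else ""
    detail = last + (" [unterminated string]" if unterminated_string(last) else "")
    return ("truncated", detail)


def sweep(root):
    """Walk root and classify every *.html file; returns {relative path: (status, detail)}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".html"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[os.path.relpath(path, root)] = classify(fh.read())
    return results


def demo():
    """Write the constructed samples to a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in SAMPLES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return sweep(root)


if __name__ == "__main__":
    for path, (status, detail) in sorted(demo().items()):
        print(f"{path}: {status}" + (f" -- {detail}" if detail else ""))
```

Point sweep() at a real document root instead of the temp directory to get the per-file picture: a site where every page comes back "complete" is consistent with an infection that ran to the end, while a single "truncated" page among "clean" ones looks more like a file copied in from elsewhere, which is the last theory above.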


Site design and layout with umm...a bash shell. Graphic by Aaron Bieber.
Unless otherwise noted, this work is licensed under a Creative Commons Attribution License.