Encrypted javascript on probable virus page

I received a spam e-mail that linked here: http://75.74.217.174/?aabb

(The query string is not literal.)

I've already submitted ecard.exe to ClamAV, but the encrypted
javascript on that page confuses me.

The script element is a single 27-thousand byte line. I'm not a
javascript programmer, but I'm thinking of ways to get Perl to
interpret/unencrypt that.

If you are more knowledgeable about this, please help crack open that
script block if you can.



Re: Encrypted javascript on probable virus page

On 07/31/2007 01:06 PM, Roy Carin wrote:

I deeply apologize for posting that link unobfuscated.

The first stage of decoding reveals the javascript to be a Windows
Video/Active X exploit. Somehow Winzip is involved, and there is another
block of encoded or binary text in the script.


Re: Encrypted javascript on probable virus page

"Roy Carin" wrote:


What do you mean "not literal"?

If I use that string I get the script. If I omit the string I don't.
In both cases I get the "click here" text to manually download
ecard.exe.


It's several exploits designed to automatically download and run a
small executable (file.php). The encoded binary is executable code
which is injected to take advantage of buffer overflows caused by the
exploits.

file.php will try to download gop.exe from the same site. That file
is giving a 404, but I suspect the end result would be to download
and run ecard.exe and who knows what else.

ecard.exe is packed/encrypted with a method I'm not familiar with, so,
from a static analysis, it's not obvious what it will do.



Re: Encrypted javascript on probable virus page

On 07/31/2007 08:10 PM, Ant wrote:

Originally, the query string was longer, and I suspect that it contained
my e-mail address encrypted.


When I downloaded from file.php, I got a file called file.exe which
contained Trojan.Downloader-10773.


My ClamAV (0.90.2) says that ecard.exe is clean, but I know that can't
be true.

Anyway, the site is down right now.



Re: Encrypted javascript on probable virus page

Fancy more ???

http://66.117.215.142 /

javascript decodes to activex that downloads sony.exe this time...
The link on the page points to video.exe

diff video.exe sony.exe reveals that both files are identical.

dunno how much time the site will remain up... I downloaded binaries
so I can work off line...

cheers



