Encrypted javascript on probable virus page

Posted by Roy Carin on July 31, 2007, 2:06 pm
I received a spam e-mail that linked here: http://75.74.217.174/?aabb

(The query string is not literal.)

I've already submitted ecard.exe to the ClamAV, but the encrypted
javascript on that page confuses me.

The script element is a single 27-thousand byte line. I'm not a
javascript programmer, but I'm thinking of ways to get Perl to
interpret/unencrypt that.

If you are more knowledgeable about this, please help crack open that
script block if you can.



Posted by Roy Carin on July 31, 2007, 4:01 pm
On 07/31/2007 01:06 PM, Roy Carin wrote:
> I received a spam e-mail that linked here: http://75 ... 74 ... 217 ... 174/?aabb
>
> (The query string is not literal.)
>
> I've already submitted ecard.exe to the ClamAV, but the encrypted
> javascript on that page confuses me.
>
> The script element is a single 27-thousand byte line. I'm not a
> javascript programmer, but I'm thinking of ways to get Perl to
> interpret/unencrypt that.
>
> If you are more knowledgeable about this, please help crack open that
> script block if you can.
>
>

I deeply apologize for posting that link unobfuscated.

The first stage of decoding reveals the javascript to be a Windows
Video/Active X exploit. Somehow Winzip is involved, and there is another
block of encoded or binary text in the script.


Posted by Ant on July 31, 2007, 9:10 pm
"Roy Carin" wrote:

>> I received a spam e-mail that linked here: http://75 ... 74 ... 217 ... 174/?aabb
>>
>> (The query string is not literal.)

What do you mean "not literal"?

If I use that string I get the script. If I omit the string I don't.
In both cases I get the "click here" text to manually download
ecard.exe.

> The first stage of decoding reveals the javascript to be a Windows
> Video/Active X exploit. Somehow Winzip is involved, and there is another
> block of encoded or binary text in the script.

It's several exploits designed to automatically download and run a
small executable (file.php). The encoded binary is executable code
which is injected to take advantage of buffer overflows caused by the
exploits.

file.php will try to download gop.exe from the same site. That file
is giving a 404, but I suspect the end result would be to download
and run ecard.exe and who knows what else.

ecard.exe is packed/encrypted with a method I'm not familiar with, so,
from a static analysis, it's not obvious what it will do.



Posted by Roy Carin on August 1, 2007, 8:47 am
On 07/31/2007 08:10 PM, Ant wrote:
> "Roy Carin" wrote:
>
>>> I received a spam e-mail that linked here: http://75 ... 74 ... 217 ... 174/?aabb
>>>
>>> (The query string is not literal.)
>
> What do you mean "not literal"?
>

Originally, the query string was longer, and I suspect that it contained
my e-mail address encrypted.

> If I use that string I get the script. If I omit the string I don't.
> In both cases I get the "click here" text to manually download
> ecard.exe.
>
>> The first stage of decoding reveals the javascript to be a Windows
>> Video/Active X exploit. Somehow Winzip is involved, and there is another
>> block of encoded or binary text in the script.
>
> It's several exploits designed to automatically download and run a
> small executable (file.php). The encoded binary is executable code
> which is injected to take advantage of buffer overflows caused by the
> exploits.
>
> file.php will try to download gop.exe from the same site. That file
> is giving a 404, but I suspect the end result would be to download
> and run ecard.exe and who knows what else.
>

When I downloaded from file.php, I got a file called file.exe which
contained Trojan.Downloader-10773.

> ecard.exe is packed/encrypted with a method I'm not familiar with, so,
> from a static analysis, it's not obvious what it will do.
>
>

My ClamAV (0.90.2) says that ecard.exe is clean, but I know that can't
be true.

Anyway, the site is down right now.



Posted by on August 31, 2007, 5:41 pm
Fancy more ???

http://66.117.215.142/

javascript decodes to activex that downloads sony.exe this time...
The link on the page points to video.exe

diff video.exe sony.exe reveals that both files are identical.

dunno how much time the site will remain up... I downloaded binaries
so I can work off line...

cheers

> On 07/31/2007 08:10 PM, Ant wrote:
>
> > "Roy Carin" wrote:
>
> >>> I received a spam e-mail that linked here: http://75 ... 74 ... 217 ... 174/?aabb
>
> >>> (The query string is not literal.)
>
> > What do you mean "not literal"?
>
> Originally, the query string was longer, and I suspect that it contained
> my e-mail address encrypted.
>
>
>
>
>
> > If I use that string I get the script. If I omit the string I don't.
> > In both cases I get the "click here" text to manually download
> > ecard.exe.
>
> >> The first stage of decoding reveals the javascript to be a Windows
> >> Video/Active X exploit. Somehow Winzip is involved, and there is another
> >> block of encoded or binary text in the script.
>
> > It's several exploits designed to automatically download and run a
> > small executable (file.php). The encoded binary is executable code
> > which is injected to take advantage of buffer overflows caused by the
> > exploits.
>
> > file.php will try to download gop.exe from the same site. That file
> > is giving a 404, but I suspect the end result would be to download
> > and run ecard.exe and who knows what else.
>
> When I downloaded from file.php, I got a file called file.exe which
> contained Trojan.Downloader-10773.
>
> > ecard.exe is packed/encrypted with a method I'm not familiar with, so,
> > from a static analysis, it's not obvious what it will do.
>
> My ClamAV (0.90.2) says that ecard.exe is clean, but I know that can't
> be true.
>
> Anyway, the site is down right now.


