Author Topic: Uses Windows Script File instead of JavaScript..  (Read 4659 times)

May 02, 2009, 07:56:15 pm
JohnC

porno-master.biz/muv/muv_m/08.html

Looks like your standard Zlob HTML, but rather than an executable payload it is a Windows scripting file.

porno-master.biz/datafeeder/get_file.php       JS:Agent-EL

This file is encoded but can be decoded relatively easily.


The scripts will be too big to be posted in code tags so I have attached the encoded and decoded versions for you. There is an embedded file, HexZone / RansomWare I think, probably a DLL.

May 02, 2009, 08:54:53 pm
Reply #1

MysteryFCM

Copied the hex to Malzilla > saved to .bin file and ......
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 02, 2009, 09:06:10 pm
Reply #2

MysteryFCM

Referenced URLs:

porno-master.biz/porno/img/new/1.gif
porno-master.biz/porno/img/new/1a.gif
porno-master.biz/porno/img/new/2.gif
porno-master.biz/porno/img/new/2a.gif
porno-master.biz/porno/img/new/3a.gif
porno-master.biz/porno/img/new/4a.gif
porno-master.biz/porno/img/new/5.gif
porno-master.biz/porno/img/new/5a.gif
porno-master.biz/porno/img/123.gif
porno-master.biz/porno/sms/sms.php

May 04, 2009, 04:00:47 pm
Reply #3

JohnC

Three more sites that are the same:

pornomaster.biz/muv/muv_d/15.html
redxporno.com/muv/muv_j/07.html
sexvideorussia.com/muv/muv_main/vid6.html

This shows what the malware does:
http://translate.google.co.uk/translate?hl=en&sl=ru&u=http://notes.rudomilov.ru/2008/11/28/informer-ie/&ei=HxD_SabCGtrRjAeAz_SoAw&sa=X&oi=translate&resnum=4&ct=result&prev=/search%3Fq%3D%2522free%2Bporno%2Bvideo%2522%2Binformer%26hl%3Den

Judging by the way it functions, bringing a box on top of the page asking you to send an SMS to remove the software, it sounds like the "Adware Monster" malware: http://translate.google.co.uk/translate?hl=en&sl=ru&u=http://xakepy.cc/showthread.php%3Ft%3D36821&ei=2Qb_SfTyBM7KjAf16K2mAw&sa=X&oi=translate&resnum=6&ct=result&prev=/search%3Fq%3D%2522Adware%2BMonster%2522%2B1.2%26hl%3Den

Quote
" + This function is designed to display a window with any of your content on top of all windows (banners, text, please send an SMS to the desired number to get a code to remove the software, etc.). The window cannot be closed, moved or removed. "

May 04, 2009, 08:17:20 pm
Reply #4

SysAdMini

Interesting technique.

The URL *domainname*/datafeeder/get_file.php contains a JScript.
This JScript decodes an obfuscated JavaScript.
The coded script is another JScript which drops a Browser Helper Object.

If you remove the XML and the JScript tags then Wepawet can decode the obfuscation.


http://wepawet.cs.ucsb.edu/view.php?hash=348143135b362028dbcdb73451537f00&type=js

Detection of the original get_file.php:
http://www.virustotal.com/analisis/d7a6a7a05310e6d256106c9a13b72283 (2/40)
Ruining the bad guy's day
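The two manual steps described in this thread (peeling the WSF XML wrapper off the JScript so a decoder like Wepawet will accept it, and copying the embedded hex out into a .bin file the way Malzilla was used above) can be scripted. The following is an added analysis helper written for this page; it is not code from the thread, from Wepawet or from Malzilla. The sample WSF inside it is constructed (a harmless 16-byte "MZ" stub in a hex string), the `min_bytes` threshold for what counts as an embedded blob is an assumption, and the regex fallback exists only because real droppers are often not well-formed XML.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a minimal WSF wrapper around a JScript body that embeds a
# hex string. The hex is a 16-byte DOS-header stub ("MZ" + padding), not real code.
SAMPLE_WSF = """<?xml version="1.0"?>
<job id="main">
<script language="JScript">
<![CDATA[
var payload = "4d5a90000300000004000000ffff0000";
var s = unescape("%41%42");
]]>
</script>
</job>
"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
CDATA_RE = re.compile(r"<!\[CDATA\[|\]\]>")


def extract_script_bodies(wsf_text):
    """Return the text of each <script> element with the XML/WSF wrapper removed.

    Well-formed files go through ElementTree (which unwraps CDATA for us); files
    that are not valid XML, common in hand-written droppers, fall back to a regex.
    """
    bodies = []
    try:
        root = ET.fromstring(wsf_text)
        for el in root.iter("script"):
            if el.text and el.text.strip():
                bodies.append(el.text.strip())
    except ET.ParseError:
        for raw in SCRIPT_RE.findall(wsf_text):
            bodies.append(CDATA_RE.sub("", raw).strip())
    return bodies


def carve_hex_blobs(script_text, min_bytes=16):
    """Find runs of at least min_bytes hex pairs in a script body and return them as bytes.

    min_bytes is an assumed threshold: short hex runs are usually constants, long ones
    are usually an embedded file.
    """
    pattern = re.compile(r"(?:[0-9A-Fa-f]{2}){%d,}" % min_bytes)
    return [bytes.fromhex(m) for m in pattern.findall(script_text)]


def classify_blob(blob):
    """Label a carved blob: 'pe' if it starts with the DOS 'MZ' magic (EXE/DLL), else 'unknown'."""
    return "pe" if blob[:2] == b"MZ" else "unknown"


def analyze_wsf(wsf_text):
    """Strip the wrapper, carve embedded hex blobs from every script body and classify them."""
    scripts = extract_script_bodies(wsf_text)
    blobs = []
    for body in scripts:
        for blob in carve_hex_blobs(body):
            blobs.append((blob, classify_blob(blob)))
    return {"scripts": scripts, "blobs": blobs}


def save_blobs(blobs, prefix="carved"):
    """Write each blob to <prefix>_<n>.bin (for hashing / sandboxing) and return the paths."""
    paths = []
    for i, (blob, _kind) in enumerate(blobs):
        path = "%s_%d.bin" % (prefix, i)
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Usage: python wsf_carve.py suspect.wsf   (no argument runs the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WSF
    result = analyze_wsf(text)
    for i, body in enumerate(result["scripts"]):
        print("script #%d: %d chars of JScript, wrapper removed" % (i, len(body)))
    for blob, kind in result["blobs"]:
        print("carved %d-byte blob, magic=%r, type=%s" % (len(blob), blob[:2], kind))
    if result["blobs"]:
        print("written:", save_blobs(result["blobs"]))
```

The extracted script bodies are what you would hand to a JavaScript deobfuscator, and the carved .bin files are what you would hash and submit for detection; the "MZ" check is only a first hint that the embedded file is a PE such as the DLL suspected above, not a full PE parse.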

May 05, 2009, 07:59:58 am
Reply #5

SysAdMini

Mercutio has added detection for this threat.

You can now decode those files without modification:

hxxp://sexvideorussia.com/datafeeder/get_file.php
http://wepawet.cs.ucsb.edu/view.php?hash=8386ae4f132d1f6cb8dbeb33f2ec3b45&t=1241489398&type=js

hxxp://redxporno.com/datafeeder/get_file.php
http://wepawet.cs.ucsb.edu/view.php?hash=1d65ad25f5f25a99b2ea90deaaa8b575&t=1241489381&type=js

hxxp://pornomaster.biz/datafeeder/get_file.php
http://wepawet.cs.ucsb.edu/view.php?hash=066ea71e935531e137615350b2f0da87&t=1241489152&type=js