Uses Windows Script File instead of JavaScript..

[JohnC]

porno-master.biz/muv/muv_m/08.html

Looks like your standard Zlob HTML, but rather than an executable payload it is a windows scripting file.

porno-master.biz/datafeeder/get_file.php       JS:Agent-EL

This file is encoded but can be decoded relatively easily.


The scripts will be too big to be posted in code tags so I have attached the encoded and decoded versions for you. There is an embedded file, HexZone / RansomWare I think, probably a DLL.

[MysteryFCM]

Copied the hex to Malzilla > saved to .bin file and ......

[MysteryFCM]

Referenced URL's;

porno-master.biz/porno/img/new/1.gif
porno-master.biz/porno/img/new/1a.gif
porno-master.biz/porno/img/new/2.gif
porno-master.biz/porno/img/new/2a.gif
porno-master.biz/porno/img/new/3a.gif
porno-master.biz/porno/img/new/4a.gif
porno-master.biz/porno/img/new/5.gif
porno-master.biz/porno/img/new/5a.gif
porno-master.biz/porno/img/123.gif
porno-master.biz/porno/sms/sms.php

[JohnC]

Three more sites that are the same:


pornomaster.biz/muv/muv_d/15.html
redxporno.com/muv/muv_j/07.html
sexvideorussia.com/muv/muv_main/vid6.html


This shows what the malware does:
http://translate.google.co.uk/translate?hl=en&sl=ru&u=http://notes.rudomilov.ru/2008/11/28/informer-ie/&ei=HxD_SabCGtrRjAeAz_SoAw&sa=X&oi=translate&resnum=4&ct=result&prev=/search%3Fq%3D%2522free%2Bporno%2Bvideo%2522%2Binformer%26hl%3Den


Judging by the way it functions bringing a box on top of the page asking you to send an SMS to remove the software, it sounds like the "Adware Monster" malware: http://translate.google.co.uk/translate?hl=en&sl=ru&u=http://xakepy.cc/showthread.php%3Ft%3D36821&ei=2Qb_SfTyBM7KjAf16K2mAw&sa=X&oi=translate&resnum=6&ct=result&prev=/search%3Fq%3D%2522Adware%2BMonster%2522%2B1.2%26hl%3Den

" + This function is designed to display a window with any of your content on top of all windows (banners, text, please send an SMS to the desired number to get a code to remove the software, etc.). Закрыть, сдвинуть, убрать окно нельзя. Close, move, remove the window can not be. "

[SysAdMini]

Interesting technique.

The url *domainname*/datafeeder/get_file.php contains a JScript.
This jscript decodes an obfuscated javascript.
The coded script is another Jscript which drops a Browser Helper Object.

If you remove the xml and the jscript tags then Wepawet can decode the obfuscation.


http://wepawet.cs.ucsb.edu/view.php?hash=348143135b362028dbcdb73451537f00&type=js

detection of the original get_file.php
http://www.virustotal.com/analisis/d7a6a7a05310e6d256106c9a13b72283 2/40

[SysAdMini]

Mercutio has added detection for this threat.

You can now decode those files without modification

Code: [Select]

hxxp://sexvideorussia.com/datafeeder/get_file.phphttp://wepawet.cs.ucsb.edu/view.php?hash=8386ae4f132d1f6cb8dbeb33f2ec3b45&t=1241489398&type=js

Code: [Select]

hxxp://redxporno.com/datafeeder/get_file.phphttp://wepawet.cs.ucsb.edu/view.php?hash=1d65ad25f5f25a99b2ea90deaaa8b575&t=1241489381&type=js

Code: [Select]

hxxp://pornomaster.biz/datafeeder/get_file.phphttp://wepawet.cs.ucsb.edu/view.php?hash=066ea71e935531e137615350b2f0da87&t=1241489152&type=js