Hi,
WARNING!!!!!
This post contains URLs linked to malware, so pay attention and don't play with these links!!!
End of idiot-proof warning
Hi,
This morning I received a link from an MSN contact of mine; she was offline.
Code:
hxxp://checkdiz.info
A first analysis with Malzilla reveals three other links:
Code:
hxxp://checkdiz.info/indexx.php
hxxp://www.cpashield.com/abuse.html
hxxp://checkdiz.info/counter.php
indexx.php adds a level of indirection, redirecting to
Code:
hxxp://fileho5t.info/indexxx.php
counter.php leads to
Code:
hxxp://www.ipcounter.de/stats.php?u=50076309
and finally the most interesting one, cpashield.com/abuse.html, contains obfuscated JavaScript code:
Code:
<!-- jL0="0ucoc\\MIM",yU90="Iu\{\{\{\%\%ovf0N";0.1261199,nB73="0.7082915",yU90='\|\:T2B\ m\ (8\?\$\*b\]AyX\"aOVt\.Y\-\_1qx\\\{\[l\niZI4\r3\=\!7uHv5JsCKPj\;QgR\+\`foM6w\/F\>\'rpN\<D9\^S\, \@\#dcWU\}\%LE\&nG0\~ekzh\)',jL0='\"u\>tc\`S\ \]I\_\&\{gholKDf\#LdkCXU\~\/z97y\'m\,\\8B\=\rRG\ |\.iE\+n\n\%FJ\;1b\[saV\-36\)Aw\$O\(\!H2MNZ\*eqvPW4r\@T5\:Y\<Qx0\^pj\}\?';function lW4(uO49){" 0u\%N\{\{I\{\\",l=uO49.length;'0k\+IBI\r0c',w='';while(l--)"0ucooc\;\{\{",o=jL0.indexOf(uO49. charAt(l)),'\~k\)0\~cc\+YX0c',w=(o==-1?uO49.charAt(l):yU90.charAt(o))+w;"0uoN0M\%\{\{",jL0=jL0. substring(1)+jL0.charAt(0),document.write(w);'0kZ\r\)Z\r\r\|'};lW4("2nW\(m\!L\`yD\<b\|Db\^\rJDi DnW\(m\!L\$\)l8t\r8\]\]U\;mV\ P\-W\|S\^\<LdDyy\?9V\|\<WLm\-\<\`XPS\ \?9\(\^L\|\(\<\`VDyn\^\@\;V \|\<WLm\-\<\`XSPS\ \?9P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\rXPS\;n\^L\>mS\^\-\|L\ KXSPS\ \?Ke\]x x\?\@\;XSPS\ \?\;\@P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\r\<\^\)\`w\|\<WLm\-\<\ K\(\^L\|\(\<\`VDy n\^K\?\;V\|\<WLm\-\<\`X\<PS\ \^\?9mV\ P\-W\|S\^\<LdyDo\^\(n\"\"\)m\<P\-\)dnmP\^\{D\(\?9mV\ \^d\ )\}mW\}R\rU\?\(\^L\|\(\<\`VDyn\^\;\@\@\;mV\ P\-W\|S\^\<LdyDo\^\(n\?9P\-W\|S\^\<LdWD\!L\|\(\^\:i \^\<Ln\ \:i\^\<Ld3fr\*\:Mf4H\?\;P\-W\|S\^\<Ld\-\<S\-\|n\^P\-\)\<\rX\<PS\;\@\^yn\^9P\-W\|S\^\<Ld \-\<S\-\|n\^\|\!\rX\<PS\;\@\;S1Ux\rtEN\=\;\{fGE\r6EN8\;V\|\<WLm\-\<\`XP\)n\ \?9\)m\<P\-\)dnLDL\ |n\`\r\`K\`K\;n\^L\>mS\^\-\|L\ KXP\)n\ \?KeUxx\?\;\@\;XP\)n\ \?\;mM\]N\r6xtU\;m48E\r\=8E8\;V\|\ <WLm\-\<\`XPPn\ \?9mV\ P\-W\|S\^\<LdDyy\?9P\-W\|S\^\<Ld\-\<n\^y\^WLnLD\(L\rV\|\<WLm\-\<\`\ \?9\ (\^L\|\(\<\`VDyn\^\@\;n\^L\>mS\^\-\|L\ KXPPn\ \?KeGxx\?\@\@\;XPPn\ \?\;b\+E\r8ENG\;mHUG\rNG\=G\ ;jltt\rtEN6\;yMGx\r\=G\=6\;p1tN\r8\]G\]\;jfN8\r\]\]\]x\;\~kx\rUG\=\]\;\;XymW\^\<n\^PXL\-X\rKF\^ L\^\(\`\nDyyK\;2AnW\(m\!L\$")//-->
Which, decoded, becomes:
Code:
wX42=4881; // filler assignments like this one are scattered through the script
// disable the right-click context menu (re-armed every 800 ms on IE, where document.all exists)
if(document.all){ function _dm(){return false}; function _mdm(){ document.oncontextmenu=_dm; setTimeout("_mdm()",800)}; _mdm(); }
document.oncontextmenu=new Function("return false");
// on Netscape/Mozilla (document.layers, window.sidebar) swallow every mouse button except the left one
function _ndm(e){ if(document.layers||window.sidebar){if(e.which!=1)return false; } };
if(document.layers){ document.captureEvents(Event.MOUSEDOWN); document.onmousedown=_ndm; } else { document.onmouseup=_ndm; };
mQ10=2593;bO75=6594;
// keep the status bar blank (every 100 ms) so link targets are not shown on hover
function _dws(){ window.status = " "; setTimeout("_dws()",100); }; _dws();
iD89=6021; iW45=3454;
// disable text selection (re-armed every 700 ms)
function _dds(){if(document.all){ document.onselectstart=function (){return false}; setTimeout("_dds()",700)}};_dds();
gJ5=4597; iN17=9737; zX22=2596; lD70=3736; kQ29=4878; zO94=8880; qY0=1738; ;_licensed_to_="Peter Call";
There is also another piece of obfuscated code, passed through the same lW4() decoder:
Code:
<script language="javascript">lW4("MGN\#\%tCJYS\?d\ \'SJ\@\`\:8\%SDXwwr\r\%wwNtNSKit6\:S\~k0St \!fQ\n\,d\,3Qf\'wwY2DSD\?ddH\>wwAAAkA\rk3\!\[wtswz\?d\ \'\~wNtNwz\?d\ \'\~Xd\!fQ\n\,d\,3Qf\'kWd WDO\=m\=mMGXXS\%\!pfdpWS3QSoH\!Sc\+qSc00\|SI\>c0\>0cSJ6SXXO\=m\=mM\?d\ \'O\=mSSSM\?pfWO\=mSSSSS SMd\,d\'pO\=mSSSSSSSSS\=mSSSSSSMwd\,d\'pO\=mSSSSSSM\ pdfSQf\ pRDxY2Ysot\#sDS43QdpQdRDo\!f4\?Q3H\ ?\,\'\,fS\+k\rDwO\=mSSSSSSM\ pdfSQf\ pRD\$\#s6ottYsDS43QdpQdRDo\!f4\?Q3H\?\,\'\,fS\+k\rDwO\=mSS SMw\?pfWO\=m\=mSSSMg3WlSg\[43\'3\!RDP\-\-\-\-\-\-DSdpzdRDP000000DS\'\,QjRDP0000\-\-DSE\'\,QjRDP I000I0DSf\'\,QjRDP\-\-0000DO\=m\=mSM4pQdp\!OMgOJ\'pf\npS\!pH3\!dSfQlS\np\!E\,4pSE\,3\'fd\,3Q\nS d3\>SMoS\?\!p\-RD\ f\,\'d3\>fg\.\npv4Hf\n\?\,p\'Wk43\ DOfg\.\npv4Hf\n\?\,p\'Wk43\ MwgOMwfOMw4pQ dp\!O\=m\=mSSSMwg3WlO\=mMw\?d\ \'O\=m")
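Both blobs above go through the same lW4() routine, a simple substitution decoder. The code below is an added example, not code from the post or from the sample: a clean re-implementation of that routine so the blobs can be decoded offline instead of letting the page run document.write(). The two alphabets and the sample blobs are constructed stand-ins, not the page's jL0/yU90 strings.

```javascript
// Added example (not the original script): re-implementation of the lW4() decoder.
// CIPHER_ALPHABET / PLAIN_ALPHABET are CONSTRUCTED keys standing in for the page's
// jL0 / yU90 strings; both hold the same 72 characters in different orders.
const CIPHER_ALPHABET = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789.;=(){}\"' ";
const PLAIN_ALPHABET  = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ9876543210 ;.(){}=\"'";

// Mirrors lW4(): walk the blob backwards, map each character through the current key
// (unknown characters pass through) and prepend, so output order equals input order.
// After the loop, once per call, the key is rotated left by one character
// (jL0=jL0.substring(1)+jL0.charAt(0) in the original), so the second blob on the
// same page only decodes correctly with the rotated key.
function makeDecoder(cipherAlphabet, plainAlphabet) {
  let key = cipherAlphabet;
  return function decode(blob) {
    let out = "";
    for (let l = blob.length - 1; l >= 0; l--) {
      const o = key.indexOf(blob.charAt(l));
      out = (o === -1 ? blob.charAt(l) : plainAlphabet.charAt(o)) + out;
    }
    key = key.substring(1) + key.charAt(0);
    return out;
  };
}

// Inverse transform with the same per-call rotation, used here only to build test blobs.
function makeEncoder(cipherAlphabet, plainAlphabet) {
  let key = cipherAlphabet;
  return function encode(text) {
    let out = "";
    for (const c of text) {
      const o = plainAlphabet.indexOf(c);
      out += (o === -1 ? c : key.charAt(o));
    }
    key = key.substring(1) + key.charAt(0);
    return out;
  };
}

// Two consecutive blobs, like the two lW4() calls on the page (constructed plaintext).
const FIRST = "document.oncontextmenu=new Function(\"return false\");";
const SECOND = "window.status = \" \";";
function demo() {
  const encode = makeEncoder(CIPHER_ALPHABET, PLAIN_ALPHABET);
  const blob1 = encode(FIRST), blob2 = encode(SECOND);
  const decode = makeDecoder(CIPHER_ALPHABET, PLAIN_ALPHABET);
  const inOrder = [decode(blob1), decode(blob2)]; // both correct: key rotated in between
  const fresh = makeDecoder(CIPHER_ALPHABET, PLAIN_ALPHABET);
  const skipped = fresh(blob2);                   // wrong: un-rotated key on the 2nd blob
  return { inOrder, skipped };
}
```

When decoding a real page this way, the blobs must be fed in the order the script calls lW4(), otherwise the second one comes out as shifted garbage.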
Pay attention: this kind of access mechanism could lead to a severe privacy compromise; it acts as spam and could work as a data miner.
See you at the next post.. 🙂
How do I remove this?
Change MSN Password
hm… what does it actually try to do?
I’ve not inspected it deeply, but two hardened JavaScripts are not a good sign; I suspect it’s a spam/data miner, but it could also have other functionalities.
Once the MSN password has been changed, is there anything else that needs to be removed from the computer?
I think the page was encrypted using CryptHtml XP. The first script decoded by evilcry is only used to disable some page features (i.e. mouse gestures).
Second decoded script is:
Please report any service violations to: abuse@cpashield.com
Nice post btw, it’s a nice finding evil 🙂
Thank you for the investigation, Zai! Great to know what the second JS is doing 🙂
@Soho: Yes, you only need to change Pwd
Regards,
Evilcry
[…] simple proof is given by a piece of code I found at EvilCry’s blog. The code I’m referring to […]