Hi,
WARNING!!!!!
This post contains malware-linked URLs, so pay attention and don't play with these links!!!
End of idiot-proof warning
Hi,
This morning I received a link from an MSN contact of mine while she was offline.
Code:
hxxp://checkdiz.info
A first analysis with Malzilla reveals three other links:
Code:
hxxp://checkdiz.info/indexx.php
hxxp://www.cpashield.com/abuse.html
hxxp://checkdiz.info/counter.php
indexx.php adds a level of indirection, redirecting to
Code:
hxxp://fileho5t.info/indexxx.php
counter.php leads to
Code:
hxxp://www.ipcounter.de/stats.php?u=50076309
and finally the most interesting one, cpashield.com/abuse.html, contains obfuscated JavaScript code:
Code:
<!--
jL0="0ucoc\\MIM",yU90="Iu\{\{\{\%\%ovf0N";0.1261199,nB73="0.7082915",yU90='\|\:T2B\ m\
(8\?\$\*b\]AyX\"aOVt\.Y\-\_1qx\\\{\[l\niZI4\r3\=\!7uHv5JsCKPj\;QgR\+\`foM6w\/F\>\'rpN\<D9\^S\,
\@\#dcWU\}\%LE\&nG0\~ekzh\)',jL0='\"u\>tc\`S\ \]I\_\&\{gholKDf\#LdkCXU\~\/z97y\'m\,\\8B\=\rRG\
|\.iE\+n\n\%FJ\;1b\[saV\-36\)Aw\$O\(\!H2MNZ\*eqvPW4r\@T5\:Y\<Qx0\^pj\}\?';function lW4(uO49){"
0u\%N\{\{I\{\\",l=uO49.length;'0k\+IBI\r0c',w='';while(l--)"0ucooc\;\{\{",o=jL0.indexOf(uO49.
charAt(l)),'\~k\)0\~cc\+YX0c',w=(o==-1?uO49.charAt(l):yU90.charAt(o))+w;"0uoN0M\%\{\{",jL0=jL0.
substring(1)+jL0.charAt(0),document.write(w);'0kZ\r\)Z\r\r\|'};lW4("2nW\(m\!L\`yD\<b\|Db\^\rJDi
DnW\(m\!L\$\)l8t\r8\]\]U\;mV\ P\-W\|S\^\<LdDyy\?9V\|\<WLm\-\<\`XPS\ \?9\(\^L\|\(\<\`VDyn\^\@\;V
\|\<WLm\-\<\`XSPS\ \?9P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\rXPS\;n\^L\>mS\^\-\|L\ KXSPS\ \?Ke\]x
x\?\@\;XSPS\ \?\;\@P\-W\|S\^\<Ld\-\<W\-\<L\^\/LS\^\<\|\r\<\^\)\`w\|\<WLm\-\<\ K\(\^L\|\(\<\`VDy
n\^K\?\;V\|\<WLm\-\<\`X\<PS\ \^\?9mV\ P\-W\|S\^\<LdyDo\^\(n\"\"\)m\<P\-\)dnmP\^\{D\(\?9mV\ \^d\
)\}mW\}R\rU\?\(\^L\|\(\<\`VDyn\^\;\@\@\;mV\ P\-W\|S\^\<LdyDo\^\(n\?9P\-W\|S\^\<LdWD\!L\|\(\^\:i
\^\<Ln\ \:i\^\<Ld3fr\*\:Mf4H\?\;P\-W\|S\^\<Ld\-\<S\-\|n\^P\-\)\<\rX\<PS\;\@\^yn\^9P\-W\|S\^\<Ld
\-\<S\-\|n\^\|\!\rX\<PS\;\@\;S1Ux\rtEN\=\;\{fGE\r6EN8\;V\|\<WLm\-\<\`XP\)n\ \?9\)m\<P\-\)dnLDL\
|n\`\r\`K\`K\;n\^L\>mS\^\-\|L\ KXP\)n\ \?KeUxx\?\;\@\;XP\)n\ \?\;mM\]N\r6xtU\;m48E\r\=8E8\;V\|\
<WLm\-\<\`XPPn\ \?9mV\ P\-W\|S\^\<LdDyy\?9P\-W\|S\^\<Ld\-\<n\^y\^WLnLD\(L\rV\|\<WLm\-\<\`\ \?9\
(\^L\|\(\<\`VDyn\^\@\;n\^L\>mS\^\-\|L\ KXPPn\ \?KeGxx\?\@\@\;XPPn\ \?\;b\+E\r8ENG\;mHUG\rNG\=G\
;jltt\rtEN6\;yMGx\r\=G\=6\;p1tN\r8\]G\]\;jfN8\r\]\]\]x\;\~kx\rUG\=\]\;\;XymW\^\<n\^PXL\-X\rKF\^
L\^\(\`\nDyyK\;2AnW\(m\!L\$")//-->
which, once decoded, becomes:
Code:
wX42=4881;
if(document.all){
function _dm(){return false};
function _mdm(){
document.oncontextmenu=_dm;
setTimeout("_mdm()",800)};
_mdm();
}
document.oncontextmenu=new Function("return false");
function _ndm(e){
if(document.layers||window.sidebar){if(e.which!=1)return false;
}
};
if(document.layers){
document.captureEvents(Event.MOUSEDOWN);
document.onmousedown=_ndm;
}
else {
document.onmouseup=_ndm;
};
mQ10=2593;bO75=6594;
function _dws(){
window.status = " ";
setTimeout("_dws()",100);
};
_dws();
iD89=6021;
iW45=3454;
function _dds(){if(document.all){
document.onselectstart=function (){return false};
setTimeout("_dds()",700)}};_dds();
gJ5=4597;
iN17=9737;
zX22=2596;
lD70=3736;
kQ29=4878;
zO94=8880;
qY0=1738;
;_licensed_to_="Peter Call";
There is also another piece of obfuscated code:
Code:
<script language="javascript">lW4("MGN\#\%tCJYS\?d\ \'SJ\@\`\:8\%SDXwwr\r\%wwNtNSKit6\:S\~k0St
\!fQ\n\,d\,3Qf\'wwY2DSD\?ddH\>wwAAAkA\rk3\!\[wtswz\?d\ \'\~wNtNwz\?d\ \'\~Xd\!fQ\n\,d\,3Qf\'kWd
WDO\=m\=mMGXXS\%\!pfdpWS3QSoH\!Sc\+qSc00\|SI\>c0\>0cSJ6SXXO\=m\=mM\?d\ \'O\=mSSSM\?pfWO\=mSSSSS
SMd\,d\'pO\=mSSSSSSSSS\=mSSSSSSMwd\,d\'pO\=mSSSSSSM\ pdfSQf\ pRDxY2Ysot\#sDS43QdpQdRDo\!f4\?Q3H\
?\,\'\,fS\+k\rDwO\=mSSSSSSM\ pdfSQf\ pRD\$\#s6ottYsDS43QdpQdRDo\!f4\?Q3H\?\,\'\,fS\+k\rDwO\=mSS
SMw\?pfWO\=m\=mSSSMg3WlSg\[43\'3\!RDP\-\-\-\-\-\-DSdpzdRDP000000DS\'\,QjRDP0000\-\-DSE\'\,QjRDP
I000I0DSf\'\,QjRDP\-\-0000DO\=m\=mSM4pQdp\!OMgOJ\'pf\npS\!pH3\!dSfQlS\np\!E\,4pSE\,3\'fd\,3Q\nS
d3\>SMoS\?\!p\-RD\ f\,\'d3\>fg\.\npv4Hf\n\?\,p\'Wk43\ DOfg\.\npv4Hf\n\?\,p\'Wk43\ MwgOMwfOMw4pQ
dp\!O\=m\=mSSSMwg3WlO\=mMw\?d\ \'O\=m")
Pay attention: this kind of access scheme could lead to a severe privacy compromise; it acts as spam and could work as a data miner.
See you in the next post.
How do I remove this?
Change MSN Password
hm… what does it actually try to do?
I’ve not inspected it deeply, but two hardened JavaScripts are not a good sign; I suspect that’s a Spam/DataMiner, but it could also have other functionalities.
Once msn password has been changed is there anything else that needs to be removed from the computer?
I think the page was encrypted using CryptHtml XP. The first script decoded by evilcry is only used to disable some page features (i.e. mouse gestures).
Second decoded script is:
Please report any service violations to: abuse@cpashield.com
Nice post btw, it’s a nice finding evil
Thank you for the investigation Zai! Great to know what the second JS is doing.
@Soho: Yes, you only need to change Pwd
Regards,
Evilcry
[...] simple proof is given by a piece of code I found at EvilCry’s blog. The code I’m referring to [...]