Programmers: What does this code do?

Conficker (Well-Known Member, joined Mar 31, 2009)
Hey everyone. One of my clients received this code via email and of course he opened the link. My question: what did it do?
No doubt it's malware, but can I clean up whatever mess it made?


<job>

<script language="JScript">

// Stage-1 decoder: a byte-for-byte RC4 implementation.
// v4af4 = key string, v6b46 = ciphertext string, returns the plaintext.
function v9e8d(v4af4, v6b46) {
var vb44b = [], vcb87 = 0, vadb6, vd293 = '';
// RC4 key-scheduling (KSA): identity permutation, then key-driven swaps.
for (var vc4d9 = 0; vc4d9 < 256; vc4d9++) {
vb44b[vc4d9] = vc4d9;
}
for (vc4d9 = 0; vc4d9 < 256; vc4d9++) {
vcb87 = (vcb87 + vb44b[vc4d9] + v4af4.charCodeAt(vc4d9 % v4af4.length)) % 256;
// (x * 2) / 2 is a no-op; it only disguises a plain swap.
vadb6 = (vb44b[vc4d9] * 2) / 2;
vb44b[vc4d9] = (vb44b[vcb87] * 2) / 2;
vb44b[vcb87] = (vadb6 * 2) / 2;
}
// RC4 keystream generation (PRGA): XOR each ciphertext char with a keystream byte.
vc4d9 = 0;
vcb87 = 0;
for (var v5e24 = 0; v5e24 < v6b46.length; v5e24++) {
vc4d9 = (vc4d9 + 1) % 256;
vcb87 = (vcb87 + vb44b[vc4d9]) % 256;
vadb6 = (vb44b[vc4d9] * 2) / 2;
vb44b[vc4d9] = (vb44b[vcb87] * 2) / 2;
vb44b[vcb87] = (vadb6 * 2) / 2;
vd293 += String.fromCharCode(v6b46.charCodeAt(v5e24) ^ vb44b[(vb44b[vc4d9] + vb44b[vcb87]) % 256]);
}
return vd293;
}

/*****************/

// RC4 key. It is consumed via charCodeAt(), so the key is the 32 ASCII
// characters of this hex-looking string, not the 16 bytes it would decode to.
var v4af4 = "a3fa2f7a1bcf12560ecc5df80cef0345";

/*****************/

// Ciphertext: '|'-separated decimal char codes (redacted by the poster).
var v6007 = "****cut, too long for forum post****";

v6007 = v6007.split("|");

var v0d1f = "";

// Rebuild the ciphertext string one char code at a time.
for (var vc4d9 = 0; vc4d9 < v6007.length; vc4d9++)
{
v0d1f = v0d1f + String.fromCharCode(v6007[vc4d9]);
}

// Decrypt the second stage, then execute it.
v0d1f = v9e8d(v4af4, v0d1f);

eval(v0d1f);

</script>

</job>
 
Maybe change the eval to a document.write() and see?
 
The evaluation executes JavaScript code. Hopefully it was sandboxed and didn't do any damage.
 
var v6007 is the exploit payload... although it has been redacted... My money is on a remote privilege escalation exploit.

Did he open it in IE?
 
I've seen this - we had it already. I changed the eval to a write - it includes another obfuscated JScript script which:
- The script copies itself to the PC - it creates a wsf script locally (usually under Appdata\Roaming)
- If the user is not an admin, it writes a registry key to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Can't recall where it writes to if the user is an admin - most likely HKEY_LOCAL_MACHINE\...
This means the script is executed every time the PC is restarted.
- The script then polls a URL for malware to download (usually 0 day cryptoware distributions) and then executes the malware

FYI - JScript write - Replace eval(v0d1f) with:
// Dump the decrypted second stage to disk instead of executing it.
var fso, f;
var ForReading = 1, ForWriting = 2;
fso = new ActiveXObject("Scripting.FileSystemObject");
f = fso.OpenTextFile("c:\\output.txt", ForWriting, true);
f.Write(v0d1f);
f.Close();

The variant we had wrote to %APPDATA%\Microsoft\Crypto.
It created a new file name with a wsf extension.
It added itself into the user's Run location in the registry so it would execute every time the user logged on.
Two days later, it downloaded cryptoware and started encrypting all the files on all network shares the user had access to, but luckily it kept a log file in the above directory as well, so we were able to quickly restore everything.
 
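Added example (not the poster's code): the decoder below does statically, in Python, what the eval-to-write trick above does at runtime. It rebuilds the '|'-separated char codes and RC4-decrypts them with the key string v4af4, so the second stage can be read instead of executed. The payload it decodes is constructed (a harmless line encrypted with the same key), because the real v6007 was cut from the post.

```python
# Static decoder for the WSF loader in this thread (added example).
# Mirrors the two steps the script performs before eval(): join the
# char codes into a string, then RC4-decrypt with the key string v4af4.

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). v9e8d() is exactly this; its (x*2)/2
    arithmetic is a no-op that only disguises the swaps."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

# The key is consumed via charCodeAt(), so it is the 32 ASCII bytes of the
# hex-looking string, not the 16 bytes it would hex-decode to.
KEY = b"a3fa2f7a1bcf12560ecc5df80cef0345"

def decode_stage2(key: bytes, blob: str) -> str:
    """Split on '|', apply fromCharCode to each field, RC4-decrypt.
    JScript strings are UTF-16 code units; latin-1 maps 0-255 one to one."""
    codes = [int(x) for x in blob.split("|") if x.strip()]
    if any(not 0 <= c <= 255 for c in codes):
        raise ValueError("char code outside 0-255; not the loader's format")
    return rc4(key, bytes(codes)).decode("latin-1")

def encode_stage2(key: bytes, script: str) -> str:
    """Inverse of the loader (RC4 is symmetric); only used to build the
    constructed sample so the decoder can be exercised offline."""
    return "|".join(str(b) for b in rc4(key, script.encode("latin-1")))

# Constructed stand-in for the redacted v6007 (harmless, never eval()ed).
SAMPLE_STAGE2 = 'WScript.Echo("constructed second stage");'
SAMPLE_BLOB = encode_stage2(KEY, SAMPLE_STAGE2)

if __name__ == "__main__":
    print(decode_stage2(KEY, SAMPLE_BLOB))
```

To use it on a real sample, paste the contents of v6007 into SAMPLE_BLOB (or read it from the saved .wsf) and inspect the printed text; the decoded stage is often itself obfuscated and needs the same treatment again.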

ActiveXObject? That stuff still works? What is this? 2002? :D
 
Don't run it OP. This code opens up a black hole.
 