Author Topic: Strange code  (Read 1112 times)

Arne

Strange code
« on: August 12, 2002, 03:23:06 AM »
Do not go here with any scripting turned on

A friend of mine asked what the code on this page does. I am not sure, but to me it seems very offensive. Take a look at the code here and see if you can tell me more exactly what it does. To me it looks like a trojan or a bot. Again, turn off scripting (VBS and JavaScript and everything).

http://www.geocities.com/gulfgirls2004/


Best wishes
Arne
Imici username= Arne

Arne

Strange code
« Reply #1 on: August 12, 2002, 03:41:28 AM »
I have understood as much as that this is using the com.ms.activeX.ActiveXComponent exploit, but I do not fully understand what it is really trying to do.

Best wishes
Arne
Imici username= Arne

sidki3003

Strange code
« Reply #2 on: August 12, 2002, 04:08:08 AM »
Looks like a variant of a trojan that NAV calls "Trojan.JS.Clid.gen".
I think the original one is this:
http://online.securityfocus.com/archive/1/200109

To me this one looks as if it tries to connect to an IRC channel.

TEggHead

Strange code
« Reply #3 on: August 12, 2002, 09:54:56 AM »
quote:
> Looks like a variant of a trojan that NAV calls "Trojan.JS.Clid.gen".


I'm not so sure about this. I've taken a look at this code, and I am practically sure this script targets only those that actually have mIRC installed; it does not do anything else than prep your comp for the actual trojan, I believe.

[update]
I've extracted and tried to identify the code in this page; the closest match I can find is the worm IRC/kierz a.k.a. Trojan.IRC.KarmaHotel.b

http://securityresponse.symantec.com/avcenter/venc/data/irc.kierz.html
It's described as relatively harmless, but I beg to disagree, as the second-phase infection (whatever it downloads through mIRC) might be highly infectious.

Let's see if Y! lives up to its own TOS... if they do, then this account won't exist for very much longer...
[/update]


If you look at the list of filecontentNs, then you see two calls to a sub ShowFolderList in filecontent6 and 269. These and the last two lines are the only lines of the actual main script which are executed regardless; the remainder is just subs and functions called internally when other conditions are met.

In the loop from filecontent12-34 the drive is scanned (C or D) and it attempts to locate a mirc.ini in line filecontent19. If found, it overwrites this ini file to set up a channel and to enter some macros, then it clears the archive attribute so you won't see the file is changed... basically that is it. I suspect once connected to the IRC channel, you'll get fed the real trojan (probably a DDoS type) one time or another, but the script itself is just preparation...

If you have mIRC installed, I'd check each drive for a file called rol.vbs or winamod.dat (they get deleted if the script was successful, so if present then it's more an indication of a failed infection). I sure would check each and every instance of mIRC.ini found if you have mIRC installed...


The article at Security Focus describes another type of possible exploit, in that IE and IE-based browsers do not go by content-type/extensions but do content-sniffing. IOW, if a file is found to contain HTML (I believe in the first 512 bytes) then IE will try to render it as HTML no matter the extension/content-type of the file.

Paul L. has a nice demo page showing this behaviour at

http://www.laudanski.com/security/index.shtml

and Mona once posted a filterset at Y!G that deals with this type of content mismatch...

http://groups.yahoo.com/group/prox-list/messagesearch?query=fraud%20check

FWIW
JarC


Edited by - TEggHead on 12 Aug 2002  22:38:36
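The two checks TEggHead recommends above, as an added example that is not code from the thread or from any of the products it names: a scan of the drives for the leftover files rol.vbs and winamod.dat and for every mIRC.ini worth reviewing (reporting, on Windows, whether its archive attribute has been cleared, which the post says the script does after rewriting the file), and a content-type mismatch test that approximates the "HTML within the first 512 bytes" sniffing behaviour described for IE. It assumes a constructed sample directory tree built in a temporary directory as a stand-in for the C: and D: drives, so it runs offline on any OS; the HTML-marker heuristic is an approximation of the post's description, not IE's exact algorithm.

```python
import os
import re
import stat
import tempfile

INDICATOR_FILES = {"rol.vbs", "winamod.dat"}   # leftovers named in the post
MIRC_CONFIG = "mirc.ini"                        # the config file the script rewrites
SNIFF_WINDOW = 512                              # bytes the post says IE inspects
HTML_MARKERS = re.compile(rb"<(html|head|body|script|iframe|object|title)\b", re.I)


def archive_bit_cleared(path):
    """On Windows: True when the file lacks the archive attribute.

    Windows sets the attribute whenever a file is written, so a mirc.ini that
    was modified yet carries no archive bit matches what the post describes.
    Returns None where the attribute is unavailable (non-Windows)."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return not (attrs & stat.FILE_ATTRIBUTE_ARCHIVE)


def scan_roots(roots):
    """Walk each root (stand-ins for C:\\ and D:\\) and collect findings.

    Filenames are compared case-insensitively, as on a Windows filesystem."""
    findings = {"indicators": [], "mirc_ini": []}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                lower = name.lower()
                if lower in INDICATOR_FILES:
                    findings["indicators"].append(full)
                elif lower == MIRC_CONFIG:
                    st = os.stat(full)
                    findings["mirc_ini"].append({
                        "path": full,
                        "size": st.st_size,
                        "mtime": st.st_mtime,
                        "archive_bit_cleared": archive_bit_cleared(full),
                    })
    return findings


def looks_like_html(data):
    """Approximate the sniffing heuristic: HTML markers inside the first 512 bytes."""
    return HTML_MARKERS.search(data[:SNIFF_WINDOW]) is not None


def content_type_mismatch(declared_type, data):
    """True when a body declared as something other than text/html would be
    rendered as HTML by a sniffing browser; this is the condition the
    "fraud check" style filter in the thread is meant to catch."""
    declared = declared_type.split(";")[0].strip().lower()
    return declared != "text/html" and looks_like_html(data)


def build_sample_tree():
    """Constructed fixture: a fake D: with mIRC installed and a leftover rol.vbs,
    plus an empty fake C:. Nothing here is the real script or its payload."""
    base = tempfile.mkdtemp(prefix="mirc_scan_")
    mirc_dir = os.path.join(base, "d_drive", "mirc")
    os.makedirs(mirc_dir)
    with open(os.path.join(mirc_dir, "mIRC.ini"), "wb") as fh:
        fh.write(b"[mirc]\nnick=sample\n")          # constructed placeholder config
    with open(os.path.join(base, "d_drive", "rol.vbs"), "wb") as fh:
        fh.write(b"' constructed placeholder, not the real file\n")
    os.makedirs(os.path.join(base, "c_drive", "windows"))
    return [os.path.join(base, "c_drive"), os.path.join(base, "d_drive")]


if __name__ == "__main__":
    result = scan_roots(build_sample_tree())
    for path in result["indicators"]:
        print("leftover indicator file (failed infection?):", path)
    for entry in result["mirc_ini"]:
        print("mirc.ini to review:", entry)
    # Constructed body: GIF signature followed by HTML within the sniff window.
    body = b"GIF89a<html><body>rendered despite image/gif</body></html>"
    print("content-type mismatch:", content_type_mismatch("image/gif", body))
```

On a real machine you would pass the drive roots (for instance `["C:\\", "D:\\"]`) to `scan_roots` instead of the constructed tree; the `archive_bit_cleared` field is only meaningful there, since Windows is the only platform that exposes the attribute.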