John Howard Malware/Virus
Howard heart-attack email carries virus :: Hack In The Box :: Keeping Knowledge Free

What a shame it isn’t true… Anyway, I did some digging, and this is what happens:

The site listed pushes you to a couple of other pages, via framesets. Then there is a clever piece of JavaScript which decrypts another script, this time written in VBScript. That script downloads, and executes, a Windows executable, which apparently is a nasty piece of work.

The clever part is the method of encrypting the JavaScript. It is a substitution scheme: each character of an apparently meaningless string is looked up in a table to get a 6-bit value, four of those values are packed into three bytes, and each byte is XORed with 170 (0xAA) to return it to plaintext. Nothing too hard here, but it’s a somewhat involved algorithm for what it does. If you are interested:
var temp = "";   // collects the decoded script instead of writing it into the page

function makemelaugh(x) {
    var l = x.length, b = 1024, i, j, r, p = 0, s = 0, w = 0,
        // substitution table: index = character code - 48, value = 6-bit symbol
        t = Array(63, 16, 44, 51, 25, 37, 46, 62, 8, 18, 0, 0, 0, 0, 0, 0, 45, 28, 13, 4,
                  30, 31, 48, 12, 21, 60, 47, 29, 2, 17, 23, 15, 40, 11, 1, 9, 34, 0, 26, 49,
                  43, 58, 53, 0, 0, 0, 0, 56, 0, 10, 3, 42, 5, 59, 41, 22, 19, 27, 61, 33, 7,
                  54, 55, 20, 50, 6, 57, 39, 36, 14, 52, 32, 24, 38, 35);
    // the decoded text is produced in 1024-character chunks (the original wrote each chunk into the page)
    for (j = Math.ceil(l / b); j > 0; j--) {
        r = "";
        for (i = Math.min(l, b); i > 0; i--, l--) {
            w |= t[x.charCodeAt(p++) - 48] << s;   // place the next 6-bit symbol above the carried bits
            if (s) {
                r += String.fromCharCode(170 ^ w & 255);   // emit one byte, XORed with 0xAA
                w >>= 8;   // drop the emitted byte, keep the carry (the copy on this page read "w <<= 8", which would lose it)
                s -= 2;
            } else {
                s = 6;
            }
        }
        temp = temp + r;   // originally document.write(r)
    }
    return temp;
}
I’ve made it less dangerous by replacing the document.write(r) with temp = temp + r. This way I could just get the text, rather than have my browser execute it. This function, makemelaugh(), is run on a block of text, resulting in a script that, as mentioned, downloads and then executes a file.

I think the first half of the script is based on the second half, as the second script block points to a file that doesn’t exist. The first part is a little cleverer, in that the filename it chooses for the executable is random, meaning that a virus checker can’t rely on a particular filename when scanning.

The file appears to be exactly 2006 bytes in length, but I don’t have the tools on the machine it’s stored on to look further at it. And I don’t want to bring it to the PC I’m at now in case I accidentally execute it!

Apparently the virus isn’t anything to do with John Howard; that’s just the delivery vector. Basically, you are safe from this virus if you are using a Mac. You are safe from this virus if you don’t have JavaScript or VBScript turned on. And I think you are safe from this virus if you are using Firefox, but I’m not so sure about this. However, if you are using IE on a Windows machine, don’t go to the address… Nah, I’m not going to link to it…
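To show how the obfuscation above actually works, here is an added example that is not code from the post or from whoever wrote the malware: a decoder with the same bit-level logic as makemelaugh() that returns the plaintext as a string (the same trick as swapping out document.write), plus the matching encoder so the scheme can be exercised end to end on a constructed, harmless sample. The table is the one from the post; the ALPHABET string, the encode() function and the sample script are my own derivations and assumptions, not anything on the original page.

```javascript
// Added example, not the original page's code: safe decoder/encoder for the
// makemelaugh() scheme. Decoded output is returned, never eval'd or written into a page.

// Substitution table from the post: index = charCode - 48, value = 6-bit symbol.
const TABLE = [63, 16, 44, 51, 25, 37, 46, 62, 8, 18, 0, 0, 0, 0, 0, 0, 45, 28, 13, 4,
  30, 31, 48, 12, 21, 60, 47, 29, 2, 17, 23, 15, 40, 11, 1, 9, 34, 0, 26, 49,
  43, 58, 53, 0, 0, 0, 0, 56, 0, 10, 3, 42, 5, 59, 41, 22, 19, 27, 61, 33, 7,
  54, 55, 20, 50, 6, 57, 39, 36, 14, 52, 32, 24, 38, 35];

const XOR_KEY = 170; // 0xAA, applied to every unpacked byte

// The 64 characters that carry a distinct value 0..63 in TABLE (everything else maps
// to 0). Derived by inspecting the table (an assumption about the encoder's alphabet);
// 'U' is the character that stands for value 0.
const ALPHABET = "0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz";

// Inverse table: 6-bit value -> character, built from ALPHABET.
const REVERSE = [];
for (const ch of ALPHABET) REVERSE[TABLE[ch.charCodeAt(0) - 48]] = ch;

// Same bit-level behaviour as makemelaugh(): four 6-bit symbols are packed
// little-endian into three bytes and each byte is XORed with 170. Characters outside
// the table contribute 0 but still advance the state, exactly as in the original.
function decode(blob) {
  let w = 0, s = 0, out = "";
  for (let p = 0; p < blob.length; p++) {
    const v = TABLE[blob.charCodeAt(p) - 48] | 0;  // undefined -> 0
    w |= v << s;
    if (s) {
      out += String.fromCharCode(XOR_KEY ^ (w & 255));
      w >>= 8;   // drop the byte just emitted, keep the carried high bits
      s -= 2;
    } else {
      s = 6;
    }
  }
  return out;
}

// Inverse of decode(): XOR each byte with 170, then split every 3 bytes into
// 4 symbols (1 or 2 trailing bytes become 2 or 3 symbols; no padding is needed).
function encode(plain) {
  const bytes = [];
  for (let i = 0; i < plain.length; i++) {
    const c = plain.charCodeAt(i);
    if (c > 255) throw new Error("encode() handles single-byte characters only");
    bytes.push(c ^ XOR_KEY);
  }
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const b0 = bytes[i], b1 = bytes[i + 1], b2 = bytes[i + 2];
    out += REVERSE[b0 & 63];
    if (b1 === undefined) { out += REVERSE[b0 >> 6]; break; }
    out += REVERSE[(b0 >> 6) | ((b1 & 15) << 2)];
    if (b2 === undefined) { out += REVERSE[b1 >> 4]; break; }
    out += REVERSE[(b1 >> 4) | ((b2 & 3) << 4)];
    out += REVERSE[b2 >> 2];
  }
  return out;
}

// Constructed harmless sample (not the real payload): the kind of text an analyst
// captures from the decoder instead of letting the browser execute it.
const SAMPLE = 'var note = "constructed sample, not the real payload"; document.title = note;';
const BLOB = encode(SAMPLE);
console.log("encoded:", BLOB);
console.log("decoded:", decode(BLOB));
```

For a real blob, paste it into decode() and read the result; the one thing not to do is hand it to eval() or document.write(). Having the encoder as well lets you confirm the bit layout is right before trusting a decode of something you cannot verify by running it.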