“msn.exe” download using Script

A few days ago I came across a website where the infamous obfuscated script was used to download a malicious file from another website. The script is decoded through the use of the eval() function and String.fromCharCode(). If you search for these functions on Google, you'll get lots of websites, including malicious ones; that is how I found this one.
See the screenshots below.

When you open http://buyford.co.kr/1/1/1.htm, the HTML page has JavaScript that downloads the malicious file “msn.exe” from the IP; moreover, I found that this IP changes from time to time. “msn.exe” then downloads a file “test.txt”, which contains the address of another malicious file, “svchost.exe”. Just look at the screenshots and you'll see the whole story :-)

After decoding, the script looks like this. On visiting the site, “The page cannot be found” is displayed, while in the background a VBScript runs, downloads msn.exe from the IP, saves it as “zhu3.com” and finally executes this file.
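
The eval()/String.fromCharCode() wrapper described above can be unpacked without running it. The following is an added example, not the script from this post: a static decoder for Node.js that parses the character codes, never calls eval, and pulls URLs and executable names out of the decoded layer. The sample input, the function names `analyze` and `decodeCharCodes`, and the example.invalid host are constructed for illustration.

```javascript
// Added example: static decoder for eval(String.fromCharCode(...)) wrappers.
// Nothing from the input is ever executed; the char codes are only parsed.

// Match String.fromCharCode( <numeric list> ), tolerating whitespace and hex.
const FROM_CHAR_CODE = /String\s*\.\s*fromCharCode\s*\(\s*([0-9a-fx,\s]+?)\s*\)/gi;
// Strings a triager wants pulled out of the decoded layer.
const URL_RE = /https?:\/\/[^\s"'<>)]+/gi;
const EXE_RE = /[\w.-]+\.(?:exe|com|vbs|scr)\b/gi;

function decodeCharCodes(argList) {
  return argList.split(',')
    .map(s => s.trim())
    .filter(s => s.length > 0)
    .map(s => String.fromCharCode(Number(s))) // Number() accepts "104" and "0x68"
    .join('');
}

// Peel nested layers statically, up to maxDepth, and collect indicators.
function analyze(source, maxDepth = 5) {
  const layers = [];
  let current = source;
  for (let depth = 0; depth < maxDepth; depth++) {
    const decoded = [...current.matchAll(FROM_CHAR_CODE)]
      .map(m => decodeCharCodes(m[1]));
    if (decoded.length === 0) break; // no further encoded layer
    current = decoded.join('\n');
    layers.push(current);
  }
  const text = layers.join('\n');
  return {
    usesEval: /\beval\s*\(/.test(source),
    layers,
    urls: [...new Set(text.match(URL_RE) || [])],
    executables: [...new Set(text.match(EXE_RE) || [])],
  };
}

// Constructed sample (not the script from the page): a harmless string
// encoded the same way the post describes.
const payload = 'var u = "http://example.invalid/msn.exe"; /* saved as zhu3.com */';
const sample = 'eval(String.fromCharCode(' +
  [...payload].map(c => c.charCodeAt(0)).join(', ') + '));';

console.log(JSON.stringify(analyze(sample), null, 2));
```

Because the decoder only reads numbers out of the source text, it is safe to run on a saved copy of a suspicious page; the presence of `eval(` together with a long character-code list is itself a useful triage signal.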


Have a look at these slides: “CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript”, available at http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Feinstein


 


One Response to ““msn.exe” download using Script”

  1. […] Interesting, good enough for me to link to. Hope it helps with your readers. […]
