“msn.exe” download using Script

A few days ago I came across a website where the infamous, evil obfuscated script was used to download a malicious file from another website. The script is decoded through the use of the eval() function and String.fromCharCode(). If you search for these functions on Google, you'll get lots of websites, including malicious ones; that's how I found this one!
See the screenshots below.

When you open http://buyford.co.kr/1/1/1.htm, this HTML page has JavaScript to download the malicious file “msn.exe” from the IP; moreover, I found that this IP changes from time to time. “msn.exe” will download a file “test.txt”, which holds the address of another malicious file, “svchost.exe”. Just look at the screenshots and you'll come to know the story :-)

After decoding, the script looks like this. On surfing the site, “The page cannot be found” will be displayed, while in the background a VBScript runs, downloads msn.exe from the IP, saves it as “zhu3.com” and finally executes this file.
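The decoding step described above can be done without ever calling eval(). The following is an added example, not code from the original post: it treats the page as text, decodes `String.fromCharCode(...)` calls with literal arguments, and pulls out URLs and executable names for triage. The function names and the harmless sample page are constructed for illustration.

```javascript
// Added example: static decoder for eval(String.fromCharCode(...)) obfuscation.
// Nothing is executed; the suspicious script is handled purely as text.
const CALL_RE = /String\s*\.\s*fromCharCode\s*\(([^)]*)\)/g;

// Parse one argument: decimal (104) or hex (0x68). Returns null for anything else.
function parseCode(token) {
  const t = token.trim();
  if (/^0x[0-9a-f]+$/i.test(t)) return parseInt(t, 16);
  if (/^\d+$/.test(t)) return parseInt(t, 10);
  return null;
}

// Decode every String.fromCharCode(...) call whose arguments are all numeric literals.
function decodeCharCodeCalls(source) {
  const results = [];
  for (const m of source.matchAll(CALL_RE)) {
    const codes = m[1].split(",").map(parseCode);
    if (codes.includes(null)) continue; // computed arguments: leave for manual review
    const before = source.slice(Math.max(0, m.index - 40), m.index);
    results.push({
      offset: m.index,
      wrappedInEval: /eval\s*\(\s*$/.test(before), // decoded text would have been run
      decoded: String.fromCharCode(...codes),
    });
  }
  return results;
}

// Pull out what a responder triages first: URLs and executable-looking file names.
function extractIndicators(text) {
  return {
    urls: text.match(/https?:\/\/[^\s"'<>)]+/gi) || [],
    executables: text.match(/\b[\w.-]+\.(?:exe|scr|vbs)\b/gi) || [],
  };
}

// Constructed, harmless sample page (not the script from the site in this post).
const sampleText = 'document.write("see http://example.invalid/test.txt")';
const samplePage = "<script>eval(String.fromCharCode(" +
  Array.from(sampleText, (c) => c.charCodeAt(0)).join(",") + "))</script>";

for (const hit of decodeCharCodeCalls(samplePage)) {
  console.log(hit.offset, hit.wrappedInEval, hit.decoded, extractIndicators(hit.decoded));
}
```

Scripts that build the character codes with arithmetic or nest several encoding layers are skipped by this decoder and need a second pass on the decoded output or manual review.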


Have a look at this slide: “CaffeineMonkey: Automated Collection, Detection and Analysis of Malicious JavaScript”, see http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Feinstein


 

One Response to ““msn.exe” download using Script”

  1. […] Interesting, good enough for me to link to. Hope it helps with your readers. […]
