This is just another obfuscated script, but it attempts to exploit Windows versions from Windows Server 2003 down to Windows 95, and possibly earlier versions as well, as you will see later. It uses browser exploits to download a malicious file from the Internet and execute it right on your box. You don't have to worry if your system is fully patched, though, because it targets only known vulnerabilities for which the vendor has already released patches.
The URL is a bit deceiving when accessed, because it looks as if you ended up on a non-existent resource on the server. Unknown to you, the malicious script embedded in the page is meanwhile gathering system information to determine which exploits it should serve... very rude!
The image above shows the source code of the malicious website, and it is clearly quite heavily obfuscated. There is also a separate page for Netscape browser users. After a three-step de-obfuscation process, the author's intention, and what is most likely to happen to your system, becomes clear. I have summarized the exploits the attacker uses to compromise the system in a table, set against the version of Windows the victim is running.
The exploit names I’ve used are based on the function names that the author has used in his program.
Function Description:
RDS
This function exploits the MS06-014 vulnerability to download http://66.xxx.xxx.67/bin/win.exe, save it as C:\NTDETECT.EXE, and execute it.
MDAC
This function exploits the MS06-014 vulnerability to download and execute http://66.xxx.xxx.67/bin/win.exe, saved as Uninstall.exe, Uninstall0.exe, or a randomly generated filename. It tries the locations below one after another (the localized paths are the All Users startup folder on different language versions of Windows), so the file is dropped in the first location that works. One of:
- $AllUsersStartupFolder\Uninstall.exe
- or $StartupFolder\Uninstall0.exe
- or C:\Documents and Settings\All Users\Menu Inicio\Programas\Inicio\Uninstall.exe
- or C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\Uninstall.exe
- or C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\Uninstall.exe
- or C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Uninstall.exe
- or C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzioneautomatica\Uninstall.exe
- or C:\Documents and Settings\All Users\Kaynnista-valikko\Ohjelmat\Kaynnistys\Uninstall.exe
- or C:\Documents and Settings\All Users\Start Menu\Programlar\BASLANGIC\Uninstall.exe
- or C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\Uninstall.exe
- or C:\Documents and Settings\All Users\Start-menyn\Program\Autostart\Uninstall.exe
- or C:\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\Uninstall.exe
- or C:\Dokumente und Einstellungen\All Users\Startmenu\Programme\Autostart\Uninstall.exe
AND one of the following, where <random> is the value of Math.round(Math.random()*(1000000-1)+10000), i.e. a number between 10000 and 1009999:
- $TEMPDIR\<random>.exe
- or $HOMEDRIVE\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe
- or C:\RECYCLER\<random>.exe
- or \sys<random>.exe (at the root of the current drive)
WVF
This function exploits the MS06-057 vulnerability to download and execute http://66.xxx.xxx.67/bin/win.exe.
JAVA
This function exploits the MS02-069 (JVM CODEBASE) vulnerability to download and execute http://66.xxx.xxx.67/bin/win.exe.
XML
This function also attempts to download and execute http://66.xxx.xxx.67/bin/win.exe, by exploiting either the MS06-071 (XMLHTTP) or the MS04-025 (ADODB.Stream) vulnerability.
If the victim is using the Netscape web browser, on the other hand, an MS06-006 (Media Player Plugin EMBED) exploit is triggered instead, but it appears to be broken.
Whew! That's a lot of exploits, huh! It also targets a number of Windows language versions and uses fail-safe copying of the malicious file to the affected system, trying one drop location after another, as you can see in its MDAC function and in the rest of the code.
The good news is that the vulnerabilities being targeted have already been patched by the vendor; the bad news is that not all users apply these patches. Incidents like this just teach us the importance of keeping product patches up to date and regularly updating antivirus patterns.
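Because the script tries so many drop locations, an incident responder checking a box for this infection has to look in all of them. The following triage script is an added example written for this post, not code from the malicious page or from Trend Micro: it takes a file listing (a constructed sample is embedded below) and flags paths that match the drop locations listed under RDS and MDAC above. The path segment `Temp` standing in for `$TEMPDIR`, and the fact that the per-user `$StartupFolder` uses the same localized folder names as the All Users one, are assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Startup-folder tails taken from the MDAC function's path list above.
# They are matched anywhere in the path so that both the All Users folder
# and a per-user $StartupFolder are covered (assumption: same folder names).
STARTUP_TAILS = [
    r"Menu Inicio\Programas\Inicio",
    r"Menuen Start\Programmer\Start",
    r"Menu Start\Programma's\Opstarten",
    r"Menu Start\Programy\Autostart",
    r"Menu Avvio\Programmi\Esecuzioneautomatica",
    r"Kaynnista-valikko\Ohjelmat\Kaynnistys",
    r"Start Menu\Programlar\BASLANGIC",
    r"Start-meny\Programmer\Oppstart",
    r"Start-menyn\Program\Autostart",
    r"Menu Iniciar\Programas\Iniciar",
    r"Startmenu\Programme\Autostart",
    r"Start Menu\Programs\Startup",
]

# Math.round(Math.random()*(1000000-1)+10000) yields 10000..1009999,
# i.e. a five- to seven-digit number, so the random filename is \d{5,7}.exe
RANDOM_EXE = r"\d{5,7}\.exe"

PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    # RDS: payload saved as NTDETECT.EXE in the drive root. The legitimate
    # boot file is NTDETECT.COM, so an .EXE sibling is suspicious on its own.
    ("RDS drop", re.compile(r"^[a-z]:\\ntdetect\.exe$", re.I)),
    # MDAC: Uninstall.exe / Uninstall0.exe in any known startup folder.
    ("MDAC startup drop", re.compile(
        r"\\(?:" + "|".join(re.escape(t) for t in STARTUP_TAILS)
        + r")\\uninstall0?\.exe$", re.I)),
    ("MDAC random drop in RECYCLER",
     re.compile(r"^[a-z]:\\recycler\\" + RANDOM_EXE + r"$", re.I)),
    ("MDAC random drop at drive root",
     re.compile(r"^(?:[a-z]:)?\\sys" + RANDOM_EXE + r"$", re.I)),
    # Assumption: $TEMPDIR resolves to a folder named Temp. Digits-only
    # executables in Temp are a weaker indicator, so this rule is last.
    ("MDAC random drop in TEMP",
     re.compile(r"\\temp\\" + RANDOM_EXE + r"$", re.I)),
]


def classify(path: str) -> Optional[str]:
    """Return the name of the first drop-location rule the path matches, or None."""
    for label, rx in PATTERNS:
        if rx.search(path):
            return label
    return None


def scan(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, rule) pairs for every path that looks like a dropped payload."""
    hits = []
    for p in paths:
        label = classify(p)
        if label is not None:
            hits.append((p, label))
    return hits


# Constructed sample listing, not taken from a real infected machine.
SAMPLE_LISTING = [
    r"C:\NTDETECT.COM",                                  # legitimate boot file
    r"C:\NTDETECT.EXE",                                  # RDS drop
    r"C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzioneautomatica\Uninstall.exe",
    r"C:\Documents and Settings\bob\Start Menu\Programs\Startup\Uninstall0.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Uninstall.exe",
    r"C:\RECYCLER\384712.exe",
    r"C:\sys55555.exe",
    r"C:\Documents and Settings\bob\Local Settings\Temp\987654.exe",
    r"C:\Program Files\Foo\Uninstall.exe",               # vendor uninstaller, not flagged
    r"C:\RECYCLER\S-1-5-21-1\Dc1.txt",                  # ordinary recycle-bin entry
]

if __name__ == "__main__":
    for path, rule in scan(SAMPLE_LISTING):
        print(f"{rule:32s} {path}")
```

On a live system the listing would come from `os.walk` over the drive root and the Documents and Settings tree; the rules only match the locations the de-obfuscated script names, so a sample that wrote somewhere else would be missed, which is why the patch status of the targeted vulnerabilities remains the primary check.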
Note:
The malicious script, the downloaded file, and the URL were all submitted to the respective teams to be integrated into Trend Micro solutions.