new variant of the VBS/Inor trojan

tdinc

The browser will prompt the users whether they want to perform actions such as writing and executing files. This is a multi-stage attack; several scripts/programs used in the attack are known malware specimens, and are likely to be recognized by up-to-date anti-virus software.

1. The victim receives an HTML-based unsolicited e-mail message, which contains an IFRAME link that retrieves link.html from the malicious site.

2. The link.html page downloads the link.php page from the same site via the following HTML code snippet: '<object data="link.php">'. Contents of the link.php file are obfuscated using Windows Script Encoder. Most anti-virus tools recognize the manually-decoded version of link.php as VBS/Inor; however, they do not presently recognize the encoded version of link.php as malicious code.

3. The link.php file contains VBScript code that attempts to create a small executable on the victim's system in c:\x.exe using 'CreateObject("Scripting.FileSystemObject")'. The x.exe file is embedded into link.php as a string of binary digits. Most anti-virus tools recognize x.exe as malware, using names such as "TrojanDownloader.Win32.Small.ar" (Kaspersky) and "Proxy-Hino.dldr" (McAfee).

4. The link.php file uses x.exe to retrieve ss.exe from the malicious site, which x.exe launches. Kaspersky recognizes ss.exe as "Trojan.Win32.Genme.a". Several other anti-virus tools that I tried did not recognize ss.exe as malicious code. Among other actions, ss.exe connects to the originating server to "register" the infected system with the index.php script via URI such as 'index.php?Client='. I have not had a chance to analyze ss.exe,
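
Added example, not part of the original post: a static triage scanner for the content-level traits of stages 1 to 3 as described above (the IFRAME, the `<object data=...>` fetch, Script Encoder wrapping, and a FileSystemObject write of an .exe built from a digit string). The indicator names, thresholds and sample documents are constructed for illustration; the `#@~^` / `^#~@` markers and the `.Encode` language value are general Script Encoder traits, not details from the post.

```python
import re
from html.parser import HTMLParser

# Script Encoder output is wrapped in "#@~^" ... "^#~@" markers.
ENCODED = re.compile(r"#@~\^.*?\^#~@", re.S)
# A quoted drive-letter path ending in .exe, e.g. "c:\x.exe".
EXE_PATH = re.compile(r'"[a-z]:\\[^"]*\.exe"', re.I)
# Long run of 0/1 characters: a binary embedded as a digit string.
BIT_RUN = re.compile(r"[01]{64,}")


class TagScan(HTMLParser):
    """Collects the tag-level indicators from steps 1 and 2."""

    def __init__(self):
        super().__init__()
        self.hits = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.hits.add("iframe-src")
        if tag == "object" and a.get("data"):
            self.hits.add("object-data")
        if tag == "script" and a.get("language", "").lower().endswith(".encode"):
            self.hits.add("script-encoder")


def scan(content):
    """Return the sorted indicator names found in one fetched document."""
    parser = TagScan()
    parser.feed(content)
    parser.close()
    hits = set(parser.hits)
    if ENCODED.search(content):
        hits.add("script-encoder")
    if "scripting.filesystemobject" in content.lower() and EXE_PATH.search(content):
        hits.add("fso-exe-write")
    if BIT_RUN.search(content):
        hits.add("binary-digit-string")
    return sorted(hits)


# Constructed samples (not captured from the real site).
EMAIL_BODY = '<html><body><iframe src="http://mail.example/link.html"></iframe></body></html>'
LINK_HTML = '<html><object data="link.php"></object></html>'
LINK_PHP_ENCODED = '<script language="VBScript.Encode">#@~^placeholder^#~@</script>'
LINK_PHP_DECODED = ('Set fso = CreateObject("Scripting.FileSystemObject")\n'
                    'Set f = fso.CreateTextFile("c:\\x.exe")\n'
                    'bits = "' + "01" * 40 + '"\n')
```

The encoded sample matches only on the encoder wrapper, because the FileSystemObject string is hidden until the script is decoded. A single hit such as `iframe-src` is weak on its own; the value is in seeing the indicators line up across the documents fetched in one chain.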
 
