[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] javascript Virus

Subject: [ale] javascript Virus
From: jimpop at yahoo.com (Jim Popovitch)
Date: Fri May 27 09:54:30 2005
In-reply-to: <[email protected]>
References: <1117137296.11283.33.camel@localhost> <[email protected]>

On Fri, 2005-05-27 at 09:11 -0400, Dow Hurst wrote:
> I don't know Javascripting at all but how does this work?  I would like 
> to know how to see that this is dangerous but it looks like gobbledegook 
> to me.  There is no IP given nor filename to download?

WARNING: DO NOT VISIT THE SITES IDENTIFIED BELOW WITH A MICROSOFT
WINDOWS PC.

The gobbledegook is "ASCII encrypted" code that downloads an initial
java file from h--p://81.222.131.59/dl/adv737.php.  That file then
downloads Win32 files from h--p://69.50.177.102/x155/ind.php, and
ultimately h--p://69.50.177.102/x155/count5.htm.  In the end you have
(what I think is) Troj/Bumaf-F virus installed on your Windows PC
(http://www.sophos.com/virusinfo/analyses/trojbumaff.html)

-Jim P.

Follow-Ups:
- [ale] javascript Virus
  - From: Dow.Hurst at mindspring.com (Dow Hurst)

References:
- [ale] javascript Virus
  - From: jimpop at yahoo.com (Jim Popovitch)
- [ale] javascript Virus
  - From: Dow.Hurst at mindspring.com (Dow Hurst)

Prev by Date: [ale] Linspire 5.0
Next by Date: [ale] javascript Virus
Previous by thread: [ale] javascript Virus
Next by thread: [ale] javascript Virus
Index(es):
- Date
- Thread