So, I know some coding (HTML, CSS, PHP, web stuff...), but I don't know this language to know what it does. Got it in an email from a random source labeled as a ".doc" file, but I knew better and opened it up in Dreamweaver and saw this line of code. Can Sup Forums tell me what it does? I see a few websites listed, but not sure what it all means. Will dump this chick for enlightening answers.
Chances are, the sites listed are compromised and are used to store the malicious file which will pull you into a botnet. "&i=TXMEdZIuYNxt5kzgaYuffbw8ZWppJUkf_XOVKW_3njDdZH9iJqaMtk535IUCbeJJaoLU49w06blfvnAudzBhBhZesSyYPGkXavk" is probably the unique identifier. See this shit all the time.
Cameron Wood
I mean, just any of it. I don't know the language, so I don't know what the file's intent is or why it was sent to me.
I recently moved and changed my address and forwarded my mail, and being Christmas and all, I was expecting a few packages. So when USPS sent me this email, I looked at it and got curious. It wasn't from a USPS domain and I didn't know why they attached a ZIP file containing this script. So, I got curious and opened it up in an editor.
Michael Bennett
pastebin Jw85P1Yn
Evan Price
>kXp he posted it on pastebin, go look ya fuckhead
Alexander Ross
This is HTML and Javascript. I dunno, it looks kinda fishy. Never heard of those sites in the array. And it returns "http/" in a function, probably trying to scam or something.
Grayson Jackson
That's what I was thinking, but sometimes ya gotta bottle feed 'em.
Michael Reed
I know, I did it myself. I was just letting you know. The zip is probably bound with a virus and crypted, which then executes this piece of JScript.
JScript.
Aaron Jones
lol
Oliver King
>The zip is probably bound with a virus and crypted, which then executes this piece of JScript.
So just the fact I opened the ZIP, I probably have a virus now?
Mason Nelson
>new ActiveXObject(...)
That's the dangerous part. Ignore everything before it; that's all just building the URL strings. The ActiveXObject is what's actually going to load and execute the malicious code on your local machine. This code isn't necessarily harmful; it's just that it calls harmful code that is stored on what are probably compromised servers.
I'd be interested in seeing the response to the GET request it's sending, but I'm too lazy to actually do it.
Jonathan White
Possibly. If it's crypted using a semi- or fully private crypter, virus protectors aren't going to protect you. What you should do in situations like this, if you want to open the file, is use a program like Sandboxie. Either that, or open it in a virtual machine. Some way or another, that unique identifier will be sent back to the CNC so your machine will be listed, and they will be able to remotely execute tasks on your computer. Just format, honestly.
Callback to the CNC.
Liam Evans
Will post more if you do.
Logan Lee
It's a script that will force your system to load those sites into your DNS, and I'm quite sure, without pulling up a site, it probably calls a download of a file, most likely XML, and in turn will infect your shit and most likely add you to a botnet set up for something like DDoS attacking websites and shit. Very boring and very easy to deal with even if you had opened it, and I'll bet you ten to one those sites are foreign, most likely Chinese or Russian ;)
Lucas Nelson
Trust me, it wont be anything worth seeing.
return htt() + x + cou() + sut() + rox() + boe();
That is what forms the string. Just follow the chain. The "x" is the array of sites, and the for-loop sends the GET request to each of them.
Jacob Parker
You're a special kind of stupid, aren't you?
Luke Hall
Yes, those sites are foreign, I looked them up myself.
Also, I have a shitty virus scanning program anyways. What would you suggest I use for at least better than average protection? Free and/or paid services.
Christopher Bennett
face? need to make sure it's worth the effort.
Joseph Williams
...
Brody Diaz
+ timestamp
Evan Phillips
The best anti-virus out there is less effective than good practice. If you just make good decisions, something like Avast should be fine.
Robert Carter
Eh, not the greatest, but fuck it. Lemme see what I can find.
David Cruz
Like I said, use Sandboxie or run it in a virtual machine; these usually can't be detected by virus protectors. I followed the chain just out of curiosity; here is what the string comes out to be. Obviously, no one go here. pastebin com/9ChyE9Wj
Oliver Allen
Lmfao, I got these from a user posting here a long time ago. No idea how old it is.
Ayden White
Go there immediately and click yes to everything. Copy that.
Cooper Cruz
I generally don't open or run stupid shit or download random files. But I had opened the zip before I had looked at the sending address and realized that it wasn't actually from USPS, so that's when I got curious.
Dominic Turner
Haha.
Asher Long
Oh, it's telling me to delete my /system32 folder, it'll make my computer run faster, right? Lol
Jose Morris
A few more here. Thanks for all your help. Lol I'd love to send them something in response and get them to fry their shit.
Jack Robinson
[~] -> rm -r C:\\windows\\system32
rm: cannot remove 'C:\windows\system32': No such file or directory
pls halp
np. sandboxie next time nigga. consider formatting.
Isaiah Baker
Lol it was sent to my work email, while I was at work. I plan on leaving this shithole anyways, so I'll reformat when I do. Thanks, my neighbah.
Evan Rivera
And that, my friends, is the first time Sup Forums has officially helped me with anything. Generally I lurk or troll a thread here and there, but I am actually surprised here. Awesome job, Sup Forums.
I... I love you. Group hug?
Parker Carter
pastebin /Gz95k5Ti
Nolan Morris
god I love it when OP isn't a fag...
anyway, here's the paste of the script it tries to run based on the address provided by . It's a complete mess to read, but I'm sure there's a reason for that. Someone who's super bored could probably pick it apart, but I don't think I've got it in me today.
Usually the same shit. More than likely it's a shitty ripoff of Zeus of Citadel.
Kevin Jones
Or*
Sebastian Smith
So, if OP or anyone's interested, I'm still playing with it. It's a string builder that builds a script, and I'm guessing executes it. Once I pretty it up a bit more, I'll link the paste to it.
If nobody cares, I'll probably keep playing with it, but I won't bother with pasting any of it.
Nathaniel Ward
Man, not only is this one of my first posts after lurking on this site for years off and on (I usually browse for, like, a few days and then forget about it for a few months, come back and browse, rinse, wash, repeat. This is the longest string of browsing I've been on (almost every day for a month), and the site appears to be getting shittier, but hell... why not?), but I'm deemed as
> isn't a fag
Makes a (technically, still) newfag feel good.
Yeah, I am interested. I've been meaning to get into Java, but I just don't have the time, drive, or purpose to among everything else I have to do.
Kevin Mitchell
Java != javascript != JScript jussayin. Also, Java is gay. Fuck OOP, JIT and java in general.
Julian Collins
So, I've got it cleaned up and readable. As soon as I finished it (just in my text editor), Windows Defender started screaming about it. Going to have to burn down this VM when I'm done just to be safe.
pastebin com/MTQBqtq1
Ethan Baker
>try{ws.Run(fn+n+".exe",1,0);}catch(er){};
Time to format.
Thomas Rogers
>pastebin com/MTQBqtq1
Yeah, mine has been screaming at me left and right when I try to open some of these links haha
Andrew Clark
Also, just to talk out loud a bit: the way they were fooling the anti-virus programs is by using the string builder to store the script, and then replacing the character 'a' with the 61... number that I can't remember now.