That chubby swede (sleepy) wrote,
That chubby swede
sleepy
  • Mood: irritated
  • Music: Etnica - Nitrox - ritual plants

Scary code...

... while I worked on some code, browser windows started to pop up once in a while... closed them down... didn't think about it... got a few new ones... closed down all browsers except one, the one I was currently working in... they kept coming... this triggered my curiosity, I had to know what was running... I found the first clue in the IE's surf cache... an encrypted Javascript... used the Soya.Encode.ScriptDecoder to wrap up the first layer of encoding... ran the rest of the code through a vbscript that decoded another part of the script and finally wrapped up the encrypted (Rot -2) data... a small script that pops up an invisible window without a taskbar, makes a few tries to create instances of ActiveX controls ... the FSO (FileSystemObject)...

makes a few writes to the REGISTRY, sets the following keys...

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL = 'http://www.topsearcher.com/ie/'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = 'http://www.topsearcher.com/ie/'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page = 'http://www.topsearcher.com/ie/'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar = 'http://www.topsearcher.com/ie/'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant = 'http://www.topsearcher.com/ie/'
HKEY_OCA_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = 'http://www.topsearcher.com/ie/'
HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\SearchUR = 'http://www.topsearcher.com/ie/'
HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main\Search Page = 'http://www.topsearcher.com/ie/'
HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = 'http://www.topsearcher.com/ie/'
HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Main\Search Bar = 'http://www.topsearcher.com/ie/'
HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Search\SearchAssistant = 'http://www.topsearcher.com/ie/'

... it creates a few files that are .reg, .hta and 'sp.dll', 'sp.icl' files, merges them with the registry... and starts popping up new windows...

Disable Javascripts by default. Turn it on explicitly on sites you trust.

Somebody really wants hits on their site...
Subscribe

  • weird mail

    Some dude contacted me, to try to buy this blog because of the name .. nope. Not for sale, sorry.

  • Almost a year

    We have been living in Västerås for almost a year now, the way here was a bit bumpy in the beginning, as we had two months in between homes. See…

  • More about the move

    Yeah, I have blogged more about the move over at b19.se/blog/kakbit .. in English.

  • Post a new comment

    Error

    switch
    default userpic

    Your IP address will be recorded 

    When you submit the form an invisible reCAPTCHA check will be performed.
    You must follow the Privacy Policy and Google Terms of use.
    Help
  • 2 comments