Jump to content

New malware exists as encrypted JS code in registry


Nomen

Recommended Posts

According to this:

http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-080408-5614-99

Windows 9x/me is vulnerable to this exploit. Under the registry RUN keys, an entry is created where the name of the target is composed of encrypted javascript as well as using "non-ascii" characters (which renders the entry as invisible when viewed using standard tools such as regedit).

Would msconfig show such entries - even if it just lists them on a separate blank line with nothing printed on it?

Can Win-9x/me process javascript code present in the registry?

Something else that has been said of this malware:

"The non-ASCII trick is a tool Microsoft uses to hide its source code from being copied, but the feature was later cracked."

So, how compatible is win-9x in terms of operability with this method of storing and running "mal-code" from the registry?

Link to comment
Share on other sites


Well, I wonder about the ability of using rundll32.exe to execute JavaScript via CMD. A poc was posted on facebook which apparently will open calculator. However if worried, test in a VM:

 

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script>"+(new%20ActiveXObject("WScript.Shell")).Run("calc"))

 

If it does work, it would be possible to have a half-way installed virus on the system.... presuming .NET Framework and Powershell add-ons do not exist for Win9x.

Link to comment
Share on other sites

I guess you could run powershell from the registry as base64 gzip encoded blobs via system.io.memorystream. Maybe throw some encryption on top of that, rename the key with unicode characters and we have a powershell only version of this hack.  

 

or am I missing something, is javascript really needed ?  

Link to comment
Share on other sites

I don't think it is. Whoever wrote this particular delivery method merely found that it is possible to execute javascript via rundll32.exe and used it as the infection vector. The run-down on the link show it as such, after the javascript is executed (and minimum requirements are met) then the payload is delivered. That seems to be the only function of the javascript, and everything afterwards is handled with whatever the payload is and .NET and Powershell.

However, note the exploit uses mshtml to create an ActiveX object. If you were to disable ActiveX in IE, would this then fail or are those things in Internet Options only used when iexplore.exe is running?

Link to comment
Share on other sites

Hey, I've got a great idea. We already know that .NET can be installed, so someone go ahead and install Powershell in a Win98SE and see if it works. Wouldn't that settle the issue? :unsure:

 

Sure. And I bet Powershell 1.0 does not run in native 9x/ME. Perhaps it does run, sort of, under KernellEx, but even if it does, I doubt there's even one user with Powershell installed in 9x/ME, or we'd already have heard about it here...

 

 

Good to see you here, Mr. Jinje! :hello:

 

And, BTW, do y'all remember RegDelNull:P

Link to comment
Share on other sites

Thx, exactly my point!

 

Maybe that article is mistaken. :unsure:

:lol: So Nomen, the answer is -no- don't worry about it as the article clearly states that in order to function it -needs- both .NET -and- Powershell even if the registry stuff works, downloading ?what? to install and run. ;) IOW, it won't even work on 9X/ME OS. :no: Symantec flys away on nonsense...

Edited by submix8c
Link to comment
Share on other sites

Yes. I understand that. But... AFAIK, Powershell does NOT *itself* work on 9x/ME, that's my point.

You see: 9x/ME support ended on Jul 11, 2006... while PowerShell was initially launched Nov 14, 2006... so, at least officially, it surely wasn't ever meant to work on 9x/ME. This being so, I'm pretty sure if nobody ever posted about PowerShell on 9x/ME (and that *is* the case) means nobody ever even unofficially has managed to have it run on 9x/ME.

Link to comment
Share on other sites

...and that was -my- initial point. The Symantec page has to be erroneous. It will not "infect" a 9x/ME machine AFAICT.

Next, the Trojan decrypts a PowerShell script from its encrypted JavaScript. It runs this Powershell script to execute a binary program.
How can it run a Powershell script without Powershell? :crazy: or is it just me?
Link to comment
Share on other sites

Well it would still be a partial infection. I had a similar case where some AOL IM virus was on my Win98 PC... The initial infection did occur, however the virus would not function properly because AOL IM was not installed. All it did was fill up my HDD with text files with errors in them.

Now, Symantec could clarify what the behaviour would be like if a Win9x was infected with this. Maybe it would show an error because Powershell isn't installed or doesn't work, or maybe it will just make text files until you run out of hard disk space. :w00t:

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...