[SOLVED] Email .js virus

Sefyir · 12-04-2015, 07:30 PM

I got a "E-fax" with a attachment of document000262537.doc.js (Red flag)
I stringed the file and it looks like it's "camouflaged" with chunks of code wrapped into variables which are then used to group together into the (probably) malicious code and run.

Eg.

Code:

var g4=' { }'
var v0='= w'
var u4='{ fo'
var k7='WScr'
var r2='rket'
var d7=' {'
var d6='Creat'
var r5='nd('
var h2='tr+'
...
a9=p5
i5+=a9
a9=e0
i5+=a9
a9=y6
i5+=a9
a9=f3
i5+=a9
a9=t2
i5+=a9
a9=q9
i5+=a9

Pastebins:
Original
; changed to newlines (\r)

I didn't run it, but I'm curious what the constructed code does. Whether linux or windows based..
I searched some parts of the code but nothing came up.
Would it be worth reporting and who would I report it to?

unSpawn · 12-05-2015, 03:23 AM

Just run the original through one of the aggregating virus scanners will you?

ondoho · 12-05-2015, 03:23 AM

Quote:

Originally Posted by Sefyir

; changed to newlines (\r)

I didn't run it, but I'm curious what the constructed code does.

from what i can see it is safe to replace the last line: "p8()(i5);"with the .js equivalent of "echo "$i5"", and see what the resulting code looks like.

Sefyir · 12-05-2015, 08:27 PM

Quote:

Originally Posted by unSpawn

Just run the original through one of the aggregating virus scanners will you?

I ddg'd "aggregating virus scanners" and got virustotal

https://www.virustotal.com/en/file/4...is/1449368248/

Quote:

from what i can see it is safe to replace the last line: "p8()(i5);"with the .js equivalent of "echo "$i5"", and see what the resulting code looks like.

I don't know js, but I think you're right.

unSpawn · 12-06-2015, 05:05 AM

So it's Nemucod, a downloader. Microsoft-only. Case closed?