What malware is JS/Obfuscus.AACB!tr?

See: hxtps://www.virustotal.com/file/b8b7c47c197dcc9a1c5cee7c98ad8579684411441729dd3a86f6a264db36ab60/analysis/
See: htxp://minotauranalysis.com/search.aspx?q=b1b82f8cc88ca9d5a250b5ebdfbacd29
Found: DecodedGenericCLSID detected D27CDB6E-AE6D-11CF-96B8-444553540000 BD96C556-65A3-11D0-983A-00C04FC29E36 d27cdb6e-ae6d-11cf-96b8-444553540000 CA8A9780-280D-11CF-A24D-444553540000
malicious: Alert detected /alert CVE-2006-0003 shellexecute with ./…/97c8438.ex-
See: htxp://zulu.zscaler.com/submission/show/ae18c7fc4891e912f14ea5714e8128e0-1338886416
Code is dangerous, and sent as a piece of spam that would do an auto forward to a malware domain if you happen to be logged in to your webmail.

polonus

Looks like an exploit. Checks for security related things including versions and browser.

I’m assuming JS/Obfuscus.AACB!tr is when letter variables are used like this:


/*
a = b
c = b
e = c
if(a!=e) {
// do nothing
} else {
f = b
f += a
// etc...
}
*/

Hi folks,

Thanks for the representation, !Donovan,
This is being blocked by avast webshield as JS:ShellCode-AF[Expl]
Exploit is being blocked, we are being protected.
Furthermore, in Fx NoScript will protect; for IE we can set a killbit for that particular CLSID of the ActiveX-control.

polonus
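
The kill bit mentioned in the last post, as an added example that is not part of any post in this thread: a PowerShell sketch that reads and sets the `Compatibility Flags` value (0x400) under Internet Explorer's `ActiveX Compatibility` registry key for a given CLSID, in both the native and WOW6432Node views. The function names are hypothetical, and the CLSID used is assumed to be the one to block; it is simply one of those listed in the scan output in the first post.

```powershell
# Added example: audit and set the IE kill bit for an ActiveX CLSID.
# Run from an elevated prompt; writing under HKLM needs administrator rights.
$KillBit = 0x400
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Clsid)
    $id = '{' + $Clsid.Trim('{}').ToUpperInvariant() + '}'
    foreach ($root in $Roots) {
        $key = Join-Path $root $id
        $flags = 0
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($p) { $flags = [int]$p.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Key    = $key
            Flags  = '0x{0:X8}' -f $flags
            Killed = [bool]($flags -band $KillBit)
        }
    }
}

function Set-KillBit {        # hypothetical helper name
    param([Parameter(Mandatory)][string]$Clsid)
    $id = '{' + $Clsid.Trim('{}').ToUpperInvariant() + '}'
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }   # e.g. no WOW6432Node on 32-bit Windows
        $key = Join-Path $root $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $p = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $current = if ($p) { [int]$p.'Compatibility Flags' } else { 0 }
        # OR the bit in so other compatibility flags already present are preserved
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Type DWord -Value ($current -bor $KillBit)
    }
}

$clsid = 'BD96C556-65A3-11D0-983A-00C04FC29E36'   # assumption: one CLSID from the scan output above
Get-KillBitState $clsid    # state before
Set-KillBit $clsid
Get-KillBitState $clsid    # Killed should now be True in each existing view
```

Setting the kill bit stops Internet Explorer from instantiating the control at all, so check first whether anything legitimate on the machine depends on it.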