I came across this interesting topic on the avast forums and just had to examine it. Check out the Sucuri results; I’ve never seen that before! =O

I sent the URL to Quttera. Check out the results. OK, let's pick one of the URLs. I picked GET /forum/forumdisplay.php?fid=124. Look what I found just below the closing HTML tag:

We can beautify the following code as follows:

Looking at the first line, we can instantly see v%@a~@@#r, and because the script runs it through string.replace() with a regular expression, we can tell that these junk symbols are stripped from the returned string, leaving plain JavaScript (here, var). If you look at the code on lines 29 and 30, you can make out .appendChild(o). This is the fully deobfuscated content:
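To make the stripping step concrete, here is an added example (my own illustration, not code from the blog or from the malicious script) that reproduces it statically on a constructed sample. The noise alphabet (%, @, ~, #) is inferred from the v%@a~@@#r fragment and is an assumption; the real script's regex is not reproduced on the page. The cleaned text is never executed, only inspected for the DOM calls an analyst would look for:

```javascript
// Added example, not the blog's or the malware's code.
// Constructed sample: "var o = document.createElement('iframe'); document.body.appendChild(o);"
// with noise characters inserted in the style of the v%@a~@@#r fragment.
const SAMPLE =
  "v%@a~@@#r o = doc@u#ment.cr~eateEl%ement('if@rame'); document.bo#dy.app%endC~hild(o);";

// Noise set inferred from the quoted fragment (assumption: only %, @, ~, #).
const NOISE = /[%@~#]/g;

// Static deobfuscation: strip the noise characters. Never eval() the result;
// reading the cleaned text is enough to classify the script.
function stripNoise(s) {
  return s.replace(NOISE, "");
}

// Triage helper: report which DOM-injection calls remain after stripping.
function injectionCalls(cleaned) {
  const patterns = ["createElement", "appendChild", "document.write", "iframe"];
  return patterns.filter((p) => cleaned.includes(p));
}

const cleaned = stripNoise(SAMPLE);
console.log(cleaned);
console.log(injectionCalls(cleaned).join(","));
```

The same replace-with-regex idea generalizes: once you spot the regex the sample uses, running it yourself over the string literal (instead of letting the page's eval do it) gives you the payload without executing anything.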

Of course you want to see the VirusTotal results ;)

VirusTotal results: Original (as seen in Figure 2) | Deobfuscated (as seen in Figure 3)

Notice that each scan gives different antivirus findings. The original obfuscated content is detected by Avast! (JS:Iframe-EQ [Trj]) and Kaspersky (HEUR:Trojan-Downloader.Script.Generic), while the deobfuscated content is detected by Commtouch (JS/IFrame.GN.gen), F-Prot (JS/IFrame.GN.gen), and K7AntiVirus (Riskware). No single engine catches both forms. A fail for the antivirus community, I must say.


Since the most used variable is VaNcZwAmM, I will call this the VaNcZwAmM variant.
~!Donovan
