Decoding VBScript Malware-infected HTML files

I have been running across malware like this lately.  It appears to be a local infection that appends some VBScript to HTML files on the webmaster's computer, spreading to the Internet when it's uploaded. Alternatively, it could be an infection on a Windows IIS server.

At any rate, WriteData is a hex string that runs on for a good couple of screen lengths, followed by more VBScript that opens a file handle, writes the decoded bytes to it, and then executes the dropped binary.

Since this HTML file appears to have been infected multiple times, I use uniq to keep only one copy of the WriteData line. I split it with cut on the double quotes to get only the hexadecimal part. I decided I'd try xxd to decode it: xxd can create or reverse hex dumps, and its -r -p mode reads a plain, offset-free hex string back into raw bytes. I save xxd's output as svchost.exe (which is what the VBScript would have named it).

Finally, I use file to determine what kind of file svchost.exe is, expecting a Windows executable.
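The whole pipeline end to end on a constructed sample, as an added example rather than the post's own commands. The HTML file and the hex payload are made up for this example (the payload is an MZ header fragment plus filler, not a working executable); grep is assumed as the first filter, since the post only mentions uniq, and a portable awk/printf decoder stands in for xxd on systems where it is not installed.

```shell
#!/bin/sh
# Added example (not the post's own script): decode a VBScript dropper's
# WriteData hex string from an infected HTML file. All input is constructed.
set -eu

# Constructed payload: 32 bytes that begin with the DOS/PE "MZ" magic and
# then some filler. It is NOT a real executable and does nothing if run.
SAMPLE_HEX='4d5a90000300000004000000ffff0000b8000000000000004000000000000000'

# Write a constructed "infected" page to $1. The injected WriteData line is
# present twice, mimicking a file that was infected more than once (which is
# why uniq is needed downstream). The dropper logic itself is omitted.
make_sample() {
    {
        printf '<html><body><p>Example page</p></body></html>\n'
        printf '<script language="VBScript">\n'
        printf 'WriteData = "%s"\n' "$SAMPLE_HEX"
        printf "' dropper code omitted from this constructed sample\n"
        printf '</script>\n'
        printf '<script language="VBScript">\n'
        printf 'WriteData = "%s"\n' "$SAMPLE_HEX"
        printf '</script>\n'
    } > "$1"
}

# Step 1: keep one copy of the WriteData line (grep makes the duplicates
# adjacent so uniq can collapse them), then take the text between the quotes.
extract_hex() {
    grep 'WriteData' "$1" | uniq | cut -d '"' -f 2
}

# Step 2: hex text on stdin -> raw bytes on stdout. Uses xxd -r -p exactly as
# in the post when xxd exists; otherwise awk emits one \ooo octal escape per
# byte and printf renders them, which works on a minimal POSIX system.
hex_to_bin() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -r -p
    else
        printf "$(awk 'BEGIN { d = "0123456789abcdef" }
            { s = tolower($0)
              for (i = 1; i + 1 <= length(s); i += 2)
                  printf "\\%03o", (index(d, substr(s, i, 1)) - 1) * 16 \
                                   + index(d, substr(s, i + 1, 1)) - 1 }')"
    fi
}

# Step 3: identify the result. file(1) is shown when installed (as in the
# post); the two-byte magic is returned on stdout either way so a caller can
# check for the "MZ" that marks a DOS/Windows executable.
magic_of() {
    dd if="$1" bs=2 count=1 2>/dev/null
}

# $1 = infected HTML, $2 = path for the dropped file (svchost.exe in the post)
decode_dropper() {
    extract_hex "$1" | hex_to_bin > "$2"
    if command -v file >/dev/null 2>&1; then
        file "$2" >&2
    fi
    magic_of "$2"
}

# Stand-alone run on the constructed sample.
work=$(mktemp -d)
make_sample "$work/index.html"
magic=$(decode_dropper "$work/index.html" "$work/svchost.exe")
printf 'dropped %s bytes, magic=%s\n' \
    "$(wc -c < "$work/svchost.exe" | tr -d ' ')" "$magic"
```

Two things to watch on a real sample: uniq only collapses adjacent identical lines, so if the injected WriteData strings differ between infections you will get several payloads and should decode each one; and the hex may be split across lines or wrapped in VBScript string concatenation, in which case the cut step needs to be replaced with something that reassembles the pieces first.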

No surprises there. I uploaded it to VirusTotal, and it looks like we have a ZBot (ZeuS) on our hands.
