
Trojan.JS.Encrypted.A

MEDIUM
MEDIUM
approx. 35 KB

Symptoms

  1. Possible crashing of the browser while surfing
  2. A randomly named file in the parent folder of the browser

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

The JavaScript contains several layers of encrypted data and downloads other pieces of malware.
It tries several different approaches to download a malicious file.

  • The downloads occur from the following sites: http://fconnorlaw.cn, http://biztech-co.cn, http://ratedhot.cn or http://pacoast.cn (most of which are former malware-hosting sites, e.g. for Trojan.Peed).
  • It saves the file at the path ".//..//[random_name].exe" and executes it on the infected computer.

The interesting thing about the flow of this script is its thorough chain of execution:
  • It has a few layers of encryption and, of course, code obfuscation (variable names, indentation).
  • After decoding, a clear and simple pattern appears: one of the resulting scripts starts with a call to the main function "startCrControlRange", and every function ends with the code setTimeout([next function in flow], 2000); this means the next function is executed 2 seconds after the current one ends. The other script performs a simple download via "msxml2.xmlhttp" from the sites mentioned above.
  • It uses an exploit to execute encrypted shellcode. The shellcode used by the exploit is 0x1BB bytes long and downloads a file from one of the infected sites.
  • It tries one of the following exploits to execute its shellcode:
  1. the "Microsoft Internet Explorer WebViewFolderIcon setSlice()" exploit
  2. the "NCTAudioFile2 ActiveX control" buffer overflow through the "SetFormatLikeSample" function
  3. an exploit for RealPlayer using the console property
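The setTimeout chaining described above gives an analyst a simple way to recover the execution order of a decoded sample. The following triage helper is an added example, not BitDefender's code or part of this entry: it extracts function bodies from an already decoded script, follows the setTimeout(next, ms) link at the end of each body starting from "startCrControlRange", and flags the API and exploit names this description mentions. The sample script is constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample that mimics the decoded layout described in the analysis
# (not the real dropper): each function hands off to the next via setTimeout.
SAMPLE_JS = """
function startCrControlRange(){ var a = 1; setTimeout(stepTwo, 2000); }
function stepTwo(){ var x = new ActiveXObject("msxml2.xmlhttp"); setTimeout("stepThree()", 2000); }
function stepThree(){ var o = document.createElement("object"); o.setSlice(); }
startCrControlRange();
"""

# Strings named in this description (download method and exploit hooks).
INDICATORS = ["msxml2.xmlhttp", "setSlice", "SetFormatLikeSample",
              "fconnorlaw.cn", "biztech-co.cn", "ratedhot.cn", "pacoast.cn"]

FUNC_HEAD = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
# Accepts both setTimeout(next, 2000) and setTimeout("next()", 2000).
TIMEOUT_CALL = re.compile(r"""setTimeout\s*\(\s*['"]?(\w+)(?:\(\))?['"]?\s*,\s*(\d+)\s*\)""")


def extract_functions(js: str) -> Dict[str, str]:
    """Map function name -> body text by brace matching (braces inside string
    literals are not handled; this is a triage helper, not a JS parser)."""
    funcs: Dict[str, str] = {}
    for m in FUNC_HEAD.finditer(js):
        depth, i = 1, m.end()
        while i < len(js) and depth:
            depth += {"{": 1, "}": -1}.get(js[i], 0)
            i += 1
        funcs[m.group(1)] = js[m.end():i - 1]
    return funcs


def follow_chain(funcs: Dict[str, str], start: str = "startCrControlRange",
                 max_steps: int = 64) -> List[str]:
    """Reconstruct the execution order by following the last setTimeout()
    target in each body; stops on an unknown name or a loop."""
    order: List[str] = []
    cur = start
    while cur in funcs and cur not in order and len(order) < max_steps:
        order.append(cur)
        calls = TIMEOUT_CALL.findall(funcs[cur])
        cur = calls[-1][0] if calls else ""
    return order


def find_indicators(js: str) -> List[str]:
    """Case-insensitive match of the indicator strings present in the script."""
    low = js.lower()
    return [ind for ind in INDICATORS if ind.lower() in low]
```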