
Javascript 2


longlivegoku

IS-IT--Management
Feb 13, 2002
193
US
I'm not sure where to even post this. We have been doing a lot of research on packets coming in and going out through our internet connection. We have come across a javascript that seems to be executing and we are not sure what it is or what it does. We are worried that it is some type of spammer/hacker. This may not be warranted as we don't know java at all. If there is someone that would be willing to look at it I would much appreciate it. I can post it if need be...it is quite long so I won't do it right away. Thanks for any help. Let me know if you want it posted, emailed, or you just don't think this is even an issue.

Ed

 
Post the first 25 lines or so. Also what spikes of network traffic is it causing?

You can remove it and stop it from running until you know what it does, just save a copy of it in case it's something you want/need.

Nathan aka: zaz (zaznet)
zaz@zaz.net
 
HTTP/1.0 200 OK
Content-Type: application/x-javascript
Content-Length: 15290
Last-Modified: Tue, 27 Jul 2004 20:41:08 GMT
Date: Fri, 30 Jul 2004 10:40:39 GMT
Connection: keep-alive

var gAC_Debug;
if (gAC_Debug == null)
{
    gAC_Debug = 0;
}

var gAC_CLSID;
if (gAC_CLSID == null)
{
    gAC_CLSID = "B9191F79-5613-4C76-AA2A-398534BB8999";
}

var gAC_GoodCommaVersion;
if (gAC_GoodCommaVersion == null)
{
    gAC_GoodCommaVersion = "2004,1,26,1";
}

var gAC_LatestCommaVersion;
if (gAC_LatestCommaVersion == null)
{
    gAC_LatestCommaVersion = "2004,6,14,1";
}

var gAC_InstalledSomewhere;
if (gAC_InstalledSomewhere == null)
{
    gAC_InstalledSomewhere = false;
}

var gAC_didRegister = false;
var gAC_handledOnCacheReady = false;
var gAC_handledOnControlReady = false;
var gAC_isComposeDisabled = false;
var gAC_fatalError = false;

// Parses a "major,minor,build,rev" string into four integers.
function AC_GetVersion(string)
{
    if ( string == null || typeof string.split == "undefined" )
    {
        return [0, 0, 0, 0];
    }

    var version = string.split(",");

    if (version.length != 4)
    {
        return [0, 0, 0, 0];
    }

    // The [i] indexes were lost when the forum rendered them as italics markup.
    for (var i = 0; i < 4; i++)
    {
        version[i] = parseInt(version[i]);
    }

    return version;
}

// Lexicographic compare of two four-part version arrays: -1, 0 or 1.
function AC_CompareVersions(v1, v2)
{
    for (var i = 0; i < 4; i++) {
        if (v1[i] < v2[i]) {
            return -1;
        }
        if (v1[i] > v2[i]) {
            return 1;
        }
    }
    return 0;
}

// Asks the IE ClientCaps behavior for the installed version of the control identified by gAC_CLSID.
function AC_GetInstalledVersion( )
{
    if ( window.document.all.ClientCaps == null ||
        typeof window.document.all.ClientCaps.getComponentVersion == "undefined" )
    {
        return null;
    }

    var retVal = window.document.all.ClientCaps.getComponentVersion( "{" + gAC_CLSID + "}", "componentid" );

    return retVal;
}

function AC_HaveAutoComplete( )
{
    if ( window.document.all.ClientCaps == null ||
        typeof window.document.all.ClientCaps.isComponentInstalled == "undefined" )
    {
        return false;
    }
    // (posted excerpt ends here)

Might be more than 25 lines but this is the first part of it. We have blocked the site/ip address until we know. Thanks for any help you can provide with this.

Ed

 
What website is it going to?

I didn't see anything in the snippet that was "evil", it's pretty generic application type stuff.

gAC_CLSID = "B9191F79-5613-4C76-AA2A-398534BB8999";

This should be something pointing to the registry, you should be able to find this string in the registry on any machine this script was installed/run on.

At the very top, those look like HTTP headers. Stuff that is never shown to the user that's given to the web browser (client software). So this is certainly something that was included or installed from a website.

The fact that it's specified HTTP 1.0 might indicate that it's a stand alone server. Most web servers out there use 1.1 at least. 1.0 goes back to the early 90s and lacks a lot of functionality that most sites use. No major web host would use such an old version. It's easy to write your own web server that meets 1.0 specs, that's why a lot of backdoor/trojan programs use the protocol.

This just leads me to suspect the script was delivered from a webserver that's not a full webserver, but simply a script delivery mechanism. I'm speculating, but it's what you would call an "educated guess" :)

Anyway, post the site/IP and port(s) it's using. Maybe any lines of code that list the hostname/ip within the script so we can see what it does when it connects.

Nathan aka: zaz (zaznet)
zaz@zaz.net
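A small triage script following Nathan's checklist above (protocol version in the status line, the CLSID to look up, the ActiveX/event hooks to note). This is an added example, not code from the thread or from the captured script; the sample response it embeds is constructed from the headers and a few lines posted above.

```python
import re

# Constructed sample: headers as posted in the thread, body abbreviated
# to a few representative lines of the captured script.
CAPTURED = """HTTP/1.0 200 OK
Content-Type: application/x-javascript
Content-Length: 15290
Last-Modified: Tue, 27 Jul 2004 20:41:08 GMT
Date: Fri, 30 Jul 2004 10:40:39 GMT
Connection: keep-alive

var gAC_CLSID;
if (gAC_CLSID == null)
{
    gAC_CLSID = "B9191F79-5613-4C76-AA2A-398534BB8999";
}
var retVal = window.document.all.ClientCaps.getComponentVersion( "{" + gAC_CLSID + "}", "componentid" );
window.document.all.YImportA.attachEvent( "OnAddressBookCacheReady", AC_OnAddressBookCacheReady );
var flags = window.document.all.YImportA.GetInAddressBookFlags( list );
"""

# COM class ids have the 8-4-4-4-12 hex layout; these are what to search for in the registry.
GUID_RE = re.compile(r"\b[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\b")
# IE-only ActiveX / COM plumbing worth flagging during triage.
MARKERS = ("window.document.all", "attachEvent", "getComponentVersion",
           "isComponentInstalled", "AddressBook")


def split_response(raw):
    """Split a captured HTTP response into (status line, header dict, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def triage(raw):
    status, headers, body = split_response(raw)
    version = status.split()[0]  # e.g. "HTTP/1.0"
    return {
        "http_version": version,
        # Old protocol version: a weak hint the origin may be a minimal custom server.
        "old_http_version": version == "HTTP/1.0",
        "content_type": headers.get("content-type", ""),
        "declared_length": int(headers.get("content-length", "0")),
        "clsids": sorted(set(GUID_RE.findall(body))),
        "markers": sorted(m for m in MARKERS if m in body),
    }


if __name__ == "__main__":
    for key, value in triage(CAPTURED).items():
        print(f"{key}: {value}")
```

The printed CLSID is the value to search for in the registry and on the web, which is how the control was eventually identified in this thread.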
 
    // (fragment: continues inside a function whose beginning was not posted)
    if ( gAC_Debug >= 2 )
    {
        alert( "latest=" + AC_HaveLatestAutoComplete( ) + " good=" + AC_HaveGoodAutoComplete( ) + " have=" + AC_HaveAutoComplete() + " ver=" + AC_GetInstalledVersion( ) );
    }

    AC_InsertObjectTag( );

    if ( window.document.all.YImportA == null )
    {
        return;
    }

    if ( window.document.all.YImportA.attachEvent( "OnAutoCompleteControlReady", AC_OnAutoCompleteControlReady ) == false )
    {
        return;
    }

    if ( window.document.all.YImportA.attachEvent( "OnAddressBookCacheReady", AC_OnAddressBookCacheReady ) == false )
    {
        return;
    }

    if ( window.document.all.YImportA.attachEvent( "OnAddressBookRequestFailed", AC_OnAddressBookRequestFailed ) == false )
    {
        return;
    }

    if ( window.document.all.YImportA.attachEvent( "OnAddressBookCacheError", AC_OnAddressBookCacheError ) == false )
    {
        return;
    }

    gAC_didRegister = true;

    if ( gAC_Debug >= 2 )
    {
        alert( "after attachEvent" );
    }

    if ( window.document.all.YImportA.IsAddressBookCacheReady && ! gAC_handledOnCacheReady )
    {
        if ( gAC_Debug >= 2 )
        {
            alert( "onload calling cache ready" );
        }

        AC_OnAddressBookCacheReady( );
    }
    else if ( (window.document.all.YImportA.UseAutoComplete ||
               window.document.all.YImportA.IsAutoCompleteControlReady) &&
              ! gAC_handledOnControlReady )
    {
        if ( gAC_Debug >= 2 )
        {
            alert( "onload calling control ready" );
        }

        AC_OnAutoCompleteControlReady( );
    }
}

// Detaches the event handlers registered above when the page is unloaded.
function AC_OnUnload( )
{
    if ( gAC_Debug >= 1 )
    {
        alert( "AC_OnUnload" );
    }

    if ( ! gAC_didRegister )
    {
        return;
    }

    if ( gAC_Debug >= 2 )
    {
        alert( "unregistering" );
    }

    window.document.all.YImportA.detachEvent( "OnAutoCompleteControlReady", AC_OnAutoCompleteControlReady );
    window.document.all.YImportA.detachEvent( "OnAddressBookCacheReady", AC_OnAddressBookCacheReady );
    window.document.all.YImportA.detachEvent( "OnAddressBookRequestFailed", AC_OnAddressBookRequestFailed );
    window.document.all.YImportA.detachEvent( "OnAddressBookCacheError", AC_OnAddressBookCacheError );
}

// Asks the control which To/Cc/Bcc addresses are in the address book and stores the flags in hidden form fields.
function AC_PostProcess( )
{
    if ( gAC_Debug >= 1 )
    {
        alert( "AC_PostProcess" );
    }

    if ( gAC_fatalError )
    {
        return;
    }

    if ( ! AC_HaveGoodAutoComplete( ) )
    {
        return;
    }

    if ( window.document.all.YImportA == null )
    {
        return;
    }

    if ( ! window.document.all.YImportA.IsAddressBookCacheReady )
    {
        return;
    }

    if ( window.document.Compose == null ||
         window.document.Compose.To == null ||
         window.document.Compose.Cc == null ||
         window.document.Compose.Bcc == null )
    {
        return;
    }

    var list = window.document.Compose.To.value;
    var flags = window.document.all.YImportA.GetInAddressBookFlags( list );
    window.document.Compose.AC_ToList.value = flags;

    list = window.document.Compose.Cc.value;
    flags = window.document.all.YImportA.GetInAddressBookFlags( list );
    window.document.Compose.AC_CcList.value = flags;

    list = window.document.Compose.Bcc.value;
    flags = window.document.all.YImportA.GetInAddressBookFlags( list );
    window.document.Compose.AC_BccList.value = flags;

    window.document.Compose.AC_Done.value = 1;

    if ( typeof window.document.all.YImportA.ResponseTime != "undefined" )
    {
        window.document.Compose.AC_responseTime.value = window.document.all.YImportA.ResponseTime;
    }

    if ( typeof window.document.all.YImportA.ResponseType != "undefined" )
    {
        window.document.Compose.AC_responseType.value = window.document.all.YImportA.ResponseType;
    }
    // (posted excerpt ends here)

This is the part that we were worried about. Something about address book so it made us worried that it was stealing addresses or something like that. 206.18.104.200 is the IP of the site that it was received from as far as we can tell. "Pingable" IP for the internet but no site that we could go to.

Thanks,

Ed

 
I did a Google on that CLSID, and it seems to be something called "YAddBook". I don't have it on my machine, so it's probably something that got downloaded in the past.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
Never thought to do a search for that....thanks. Seems it's spyware. Thanks for all your help everyone.

Ed

 
yeah, the CLSID would be unique. Good work chiph! :)

BTW, it looks like Yahoo Instant Messenger.

The IP address 206.18.104.200 looks to belong to AT&T, but might be one that Yahoo uses. To see how the IP is controlled visit (some company AT&T owns that manages this IP). Contacting those guys at Cerf.net should give you an indication if the IP is in use by "Yahoo!" or not.

Nathan aka: zaz (zaznet)
zaz@zaz.net
 
We did a block on the site so the yahoo description explains why people were having problems with yahoo and google sites. Thanks.

 