Didier Stevens

Monday 28 May 2007

Find Madeleine

Filed under: Malware — Didier Stevens @ 9:24

I knew this was bound to happen, but I still got upset when I was confronted with it.

http://findmadeleine.com, the official website to find Madeleine McCann, has a page with links to news articles.


Several days ago, when clicking on one of the news links, a new IE window opened, showing the news article, and ultimately, downloading a trojan. Someone must have taken action, because as of this writing, the trojan is not downloaded anymore. And just to be clear: the trojan was not hosted on or linked to from the findmadeleine.com site.

The official website to find Madeleine McCann links to news sites with articles about the search for Madeleine. One of these sites links to http://47z.nh5egc.gondar-my.info/htm/cc1.php?p=55, which in turn links to http://ww3.boz.com.my-expert-pop-block.biz/track3/sh.htm, which in turn downloads http://ww3.boz.com.my-expert-pop-block.biz/track3/%73%68%65%2e%6a%73.

%73%68%65%2e%6a%73 (she.js) is an encoded JavaScript trojan, detected as JS/IEstart.gen.c. Some of the things it does are:

  • changing your IE start page
  • installing a VB script to be executed each time your machine boots
  • changing the hosts file

The trojan is encoded with the Windows Script Encoder, I used the Windows Script Decoder to decode it.

It’s a known tactic of scammers to exploit the curiosity of the general public whenever there’s an important news event. I don’t think I can do something to help find Madeleine, but I’ll keep an eye on the news section to try to stop these scammers.

Blog at WordPress.com.