echo: alt-comp-anti-virus
to: ALL
from: ANT
date: 2015-09-07 09:51:00
subject: Re: Email malware attachm

"Virus Man" wrote:

> I dragged the .js file over to a few of my installed browsers.

In Windows a ".js" file on its own is not run by a browser but by the
"Windows Script Host", as you can see from your error message.

> Firefox 2.0.0.20, Netscape 9.0.0.6 and Opera 12.02 all did the same
> thing - just opened it as a text file and displayed the text of the .js
> file.

I'm not surprised. In any case, the use of ActiveX in the script would
prevent non-IE browsers from running it unless plugins are available.

> IE 6 seems to have actually known it was a script file, because it first
> threw up a warning if I wanted to open, run or save a potentially
> dangerous file.  I said sure - run it.  It then threw up this error:

IE is just passing it over to WSH (after any warnings).

> --------------
> Windows Script Host
>
> Script: (path to js file)\Invoice_whatever.doc.js
> Line: 1
> Char: 15876
> Error: Arguments are of the wrong type, are out of acceptable range, or
> are in conflict with one another.
> Code: 800A0BB9
> Source: ADODB.Stream
> ---------------

I expect you have an older version of ADO.

> I would have thought that Opera 12, being somewhat "new" or newer, would
> have known how to handle or execute a .js file.

Why should it? It knows about HTML (JS files called from HTML are a
different matter).

> Is IE the only browser that opens / executes .js files if you drop the
> file onto the browser?

Probably.

> Is this unique for IE6, or do other versions of
> IE also do this?

IE8 does it (with two warnings).

> Do newer versions of Mozilla-based browsers execute
> .js files if you drop them on them?

No.

> McAfee is labelling it as "BehavesLike.JS.ExploitBlacole" but a few
> others are calling it JS/Nemucod.

It's not an exploit but a simple downloader & runner. However the
obfuscation (if there is any) and what it's doing should be red flags
to AVs. The script as shown by Wepawet is incomplete because the
variable "str" in the open(GET, ...) is undefined. We're not seeing
the whole package.

If you run this (corrected) JS file by double-clicking it, it will do
its work without opening a browser and without warning unless appropriate
security policies are in effect. However, before the downloaded exe is
run I would hope you'd get at least one warning from the OS about
allowing a downloaded exe from the internet to run. I can't say how
versions of Windows later than XP handle the security aspects of such
scripts.


--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)

SOURCE: echomail via QWK@docsplace.org
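
An added example, not part of the original message or of any tool named in it: a mail-gateway style triage check for the kind of attachment discussed above, a Windows Script Host file behind a document-looking name that creates ActiveX/ADODB.Stream objects on one very long line. The function name, the extension and marker lists and the length threshold are assumptions, and the sample script text is constructed and inert.

```python
import re
from pathlib import PureWindowsPath

# Extensions that Windows hands to Windows Script Host on double-click.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document-like extensions used as a decoy before the real one (assumed list).
DECOY_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}
# ProgIDs worth flagging in a stand-alone script (assumed list; the first
# one is the object named in the error dialog quoted in the thread).
COM_MARKERS = ("ADODB.Stream", "WScript.Shell", "MSXML2.XMLHTTP")
LONG_LINE = 5000  # assumed threshold; the quoted error was at char 15876 of line 1


def triage_attachment(filename, text):
    """Return a list of findings for one attachment name and its decoded text."""
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    suffixes = [s.lower() for s in PureWindowsPath(filename.rstrip(". ")).suffixes]
    if not suffixes or suffixes[-1] not in WSH_EXTENSIONS:
        return []
    findings = ["wsh-extension"]
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
        findings.append("decoy-double-extension")
    if re.search(r"\bActiveXObject\b", text):
        findings.append("activex")
    lowered = text.lower()
    # Plain substring match: string-splitting obfuscation will evade this,
    # which is why the long-line heuristic below is kept as a separate signal.
    for marker in COM_MARKERS:
        if marker.lower() in lowered:
            findings.append("com:" + marker)
    if any(len(line) > LONG_LINE for line in text.splitlines()):
        findings.append("very-long-line")
    return findings


# Constructed, inert sample: marker tokens plus padding inside a comment.
SAMPLE_SCRIPT = 'var s = new ActiveXObject("ADODB.Stream"); /*' + "x" * 16000 + "*/"

if __name__ == "__main__":
    print(triage_attachment("Invoice_whatever.doc.js", SAMPLE_SCRIPT))
```
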
